https://bz.apache.org/bugzilla/show_bug.cgi?id=67938
--- Comment #4 from Stephen Higgs <shi...@redhat.com> --- Reproducer Steps ================ This reproducer creates an artificially large ClientHello that causes Tomcat to respond with an SSL alert on TLS 1.3 session resumption. In this test case, a certificate extension with a very long string value is added to the server's certificate. Wireshark analysis shows the ClientHello preshared key identity can become very large with a large certificate. Mutual authentication also increases the size of the identity. In the following test, the first openssl call will succeed while the second one will fail. STEP 1 - generate a large certificate ------------------------------------- $ cat openssl.cnf [req] distinguished_name = req_distinguished_name req_extensions = req_ext prompt = no [req_distinguished_name] C = NA ST = NA L = NA O = NA OU = NA CN = localhost [req_ext] subjectAltName = @alternate_names [alternate_names] DNS.1 = localhost DNS.2 = *.localhost [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints = critical,CA:true subjectAltName = @alternate_names keyUsage = digitalSignature, keyEncipherment 2.999 = ASN1:UTF8String:LONGSTRING $ sed "s/LONGSTRING/$(printf '%.0sx' {0..16000})/g" ./openssl.cnf > openssl-long.cnf $ cat create-cert.sh #!/bin/bash openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 7 -nodes -config ./openssl-long.cnf -extensions v3_ca openssl pkcs12 -inkey key.pem -in cert.pem -export -out keystore.p12 -password pass:changeit -name my keytool -importkeystore -srckeystore keystore.p12 -destkeystore keystore.jks -srcstoretype PKCS12 -deststoretype jks -deststorepass changeit -srcstorepass changeit $ ./create-cert.sh Step 2 - install cert and start Tomcat -------------------------------------- $ grep --after-context 8 "<Connector.*8443" conf/server.xml <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000" > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> <SSLHostConfig protocols="all" > <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA" /> </SSLHostConfig> </Connector> $ cp $CERT_DIR/keystore.jks conf/keystore.jks $ bin/catalina.sh run Step 3 - test ------------- $ cat test.sh #!/bin/bash echo -en "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" | openssl s_client -connect localhost:8443 -sess_out session -tls1_3 -quiet -CAfile=cert.pem echo -en "GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" | openssl s_client -connect localhost:8443 -sess_in session -tls1_3 -quiet -CAfile=cert.pem $ ./test.sh ... 003E54FCFD7E0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1586:SSL alert number 80 -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org