Do I need to file a separate feature request for Tomcat itself? The one I already filed(https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) is for tomcat-native component. I looked through Tomcat changelog, I've found that previously TLS1.2 support was added via enhancement request to tomcat native . (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952) ________________________________ От: Усманов Азат Анварович <usma...@ieml.ru> Отправлено: 20 сентября 2018 г. 12:05:07 Кому: users@tomcat.apache.org Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
I did file a feature -enhancement in bugzilla https://bz.apache.org/bugzilla/show_bug.cgi?id=62748 ________________________________ От: Christopher Schultz <ch...@christopherschultz.net> Отправлено: 19 сентября 2018 г. 23:31:28 Кому: users@tomcat.apache.org Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Усманов, On 9/19/18 05:56, Усманов Азат Анварович wrote: > Hi Christopher! I did remove supportedProtocols attribute entirely > (SSL Labs server test confirms it ). You mean that SSL Labs then tells you that other protocols are available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is available, so testing with e.g. Chrome shouldn't be necessary. > <Connector allowTrace="false" server=" " port="8443" > maxPostSize="10485760 " maxHttpHeaderSize="1048576" > protocol="org.apache.coyote.http11.Http11AprProtocol" > connectionTimeout="20000" redirectPort="8443" > SSLHonorCipherOrder="true" > SSLCertificateFile="/home/idis/STAR_ieml_ru.crt" > SSLCertificateKeyFile="/home/idis/server.key" > SSLCertificateChainFile="/home/idis/authorities.crt" > > maxThreads="350" minSpareThreads="25" SSLEnabled="true" > enableLookups="false" disableUploadTimeout="true" acceptCount="100" > scheme="https" secure="true" compression="force" > SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TL S_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GC M-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE - -RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256, > ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256 - -SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256, > > ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/> > > I did put > TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SH A256 > as tls 1.3 ciphers for tls 1.3 , so my guess is that more work > is required for tls.1.3 to work in my case Yes, you will definitely have to mention the TLSv1.3 ciphers in order to allow a TLSv1.3 handshake to succeed. But yes, it does indeed look like Tomcat requires some work. Can you please file an enhancement request in Bugzilla? Thanks, - -chris > ________________________________ От: Christopher Schultz > <ch...@christopherschultz.net> Отправлено: 18 сентября 2018 г. > 23:27 Кому: users@tomcat.apache.org Тема: Re: TLS1.3 support for > tomcat 7 with APR/tomcat-native > > Усманов, > > On 9/18/18 6:43 AM, Усманов Азат Анварович wrote: >> I have a java7 web application that runs on tomcat 7.0.70 I'm >> using Apr/tomcat-native w OpenSSL for TLS connections >> .(Tomcat-native 1.2.17 APR 1.6,OpenSSL 1.1.1 RHEL 6 ) Latest >> stable OpenSSL release (1.1.1) has TLS 1.3 support ,I have >> upgraded to it successfully. My question is if and when >> tomcat 7 will be upgraded to support TLS1.3 through w >> APR/tomcat-native/OpenSSL? do such plans even exist? > > Try not specifying any "supported protocol" (e.g. allow all > protocol flavors), and OpenSSL should allow TLSv1.3 to be > negotiated. > >> I'm guessing it will not happen at least untill both Chrome and >> firefox release their browser updates for RFC8446 support >> (which are both scheduled for Mid october Crome 70 and firefox >> 63) but would like to know more about it > > I for one would like to see TLSv1.3 supported as quickly as > possible. > > The OpenSSL project states that 1.1.1 is a drop-in API- and > ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should > "just work" under certain conditions. > > Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3) > by default which might make things tricky when trying to accept > "all protocols" as described above. > > Please let me know if you have any success with an out-of-the-box > Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in > Tomcat that might *prevent* TLSv1.3 from being available. > > -chris > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluisiAACgkQHPApP6U8 pFiH3Q/+KWvdZpWPpR9SkJp9NCQFQHhxJjrgW++fXrdKb0ySj5eV8NvmSjb253GZ BHwSlzLlG0QDAxHuL7Xux6EuO/W3OzibhS0V6touLZ0bSmO1uJ/cP/VIVDZTXw6P z7Vs/hDYIlucCHf1ZJnYMPfSuk+t8YGToK8qYwFXnrZyHfDx4Wq+wqHLMltu+n/v dX12V2OCw7XWrKeYjHvRxCffwoNkqkrJrUxekpEeTd39s5Vj6/Z/jveeRY3Yz2Zj GGe+E7H7tIOywLXC9tAYXmj4CqFab9s5jTpEgD1IiphhA118WLAd97AAo5o/0t3R RcGrxMbYo3vpRYhhIAxNOnVvbfu+pxCGIc6BdeWhyzVvjutMetUyAQBujc97Em0X QpXG+V/7D55iJIFE7rhV6hpg5+/TC43oCLPn6KVQyoamLUET7rNRVzueMKPvNXow tONSSGHUOAv7hRhdvplp5aW4h3L0BgDjTdIjcPwr/YcprU/9SC2gRs+iLX5nwMwS +ZOSKufTBBqOVRLJNA3NVjfbozLZCzk3unTYrX0am2Fw3HRXnU3d4LogsDVdXUS5 xxj9+XBjcr2/wtUcufS3beuYPUQq6LR5ZNqG/XsPl3xMtg0skV2+JqQEVIEqcbnW Up/egu3bHKc/oQBsqtKNviH2gPdxw6eUTJnjtlW5d1myE8quMIU= =OwrK -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
