Jessica,

Peter Kreuser

> On 07.08.2019 at 14:33, Alten, Jessica-Aileen <jessica-aileen.al...@leibniz-liag.de> wrote:
>
> Dear all,
>
> I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using
> jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle TLSv1.3
> works, but I want to specify the allowed cipher suites as well.
>
> The relevant parts of server.xml are:
>
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> ...
> <Connector port="8181" protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true"
>            sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
>     <SSLHostConfig protocols="TLSv1.3">
>         <Certificate certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-base-8080/conf/keystore-pkcs12.jks"
>                      certificateKeystorePassword="mypassword"
>                      certificateKeystoreAlias="myalias" />
>     </SSLHostConfig>
> </Connector>
>
> This configuration works! When I connect to the server, Firefox says under
> technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, 128bit key,
> TLS 1.3).
>
> But when I try to specify the cipher suites like:
>
> <SSLHostConfig protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">

You have to use OpenSSL cipher names in this case. Like this...

ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"

> Tomcat throws an exception and TLS does not work! Error code in the browser
> is: SSL_ERROR_RX_RECORD_TOO_LONG

The error in the logs below shows the initialization error in the ciphers
attribute and thus no ciphers are available...

Peter

> That is the most simplified version, first I tried these three:
> ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256".
> Same result.
>
> I know, Java JSSE 1.8 does not support TLSv1.3, but OpenSSL does and Tomcat
> works with OpenSSL and TLSv1.3 as shown above.
>
> The relevant part of the catalina log is:
>
> 07-Aug-2019 13:41:38.183 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.7.0].
> 07-Aug-2019 13:41:38.183 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> 07-Aug-2019 13:41:38.183 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
> 07-Aug-2019 13:41:38.198 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1c 28 May 2019]
> 07-Aug-2019 13:41:38.370 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
> 07-Aug-2019 13:41:38.417 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-apr-8181"] connector has been configured to support negotiation to [h2] via ALPN
> 07-Aug-2019 13:41:38.417 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-8181"]
> 07-Aug-2019 13:41:38.823 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
>  java.lang.Exception: Unable to configure permitted SSL ciphers (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
>     at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
>     at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:243)
>     at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>     at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:403)
>     at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:369)
>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>
> Can anybody help?
>
> Kind regards,
> Jessica
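The stack trace above ends in SSL_CTX_set_cipher_list() returning "no cipher match", and that call can be exercised offline before touching server.xml. The script below is an added example for this thread, not code from the posts or from Tomcat: Python's ssl module hands a cipher string to the same OpenSSL function, so a rule string that is rejected here is rejected by the OpenSSL-backed connector for the same reason. It checks the JSSE-style string from the original post and an abridged version of Peter's OpenSSL-syntax list (the abridgement is my assumption; the full list behaves the same way). The point it makes visible is an OpenSSL 1.1.1+ rule: the cipher-list string only governs TLS 1.2-and-older suites, while TLS 1.3 suites are configured separately and keep their defaults, which is why a string consisting only of TLS_AES_* names selects nothing, and why a list that names no TLS 1.3 suite at all still negotiates TLS 1.3.

```python
"""
Offline validation of a Tomcat 'ciphers' string against the local OpenSSL.

Example code written for this thread (not Tomcat's or OpenSSL's code).
ssl.SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), the function
named in the catalina log, so the failure mode reproduces exactly.
"""
import ssl

# Whether the interpreter's OpenSSL offers TLS 1.3 at all (needs 1.1.1+).
TLS13_AVAILABLE = ssl.HAS_TLSv1_3

# The string from the original post: JSSE-style names of TLS 1.3 suites only.
# OpenSSL treats ',' like ':' as a separator, so the commas are not the problem.
JSSE_TLS13_ONLY = (
    "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256"
)

# Peter's OpenSSL-syntax list, shortened to a few entries (assumed abridgement).
OPENSSL_RULE = (
    "HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!DSS"
)


def check_cipher_string(rule):
    """Return (ok, tls12_names, tls13_names, error) for an OpenSSL rule string.

    ok is False when OpenSSL rejects the rule, which happens when the rule
    selects no TLS 1.2-or-older suite: unknown tokens such as the JSSE TLS 1.3
    names are silently ignored, leaving an empty TLS 1.2 list and the
    'no cipher match' error seen in the Tomcat log.

    tls13_names is reported separately because OpenSSL 1.1.1+ configures TLS 1.3
    suites via SSL_CTX_set_ciphersuites(), not via this rule string; they remain
    at their defaults whatever the rule says.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(rule)
    except ssl.SSLError as exc:
        # Python surfaces SSL_CTX_set_cipher_list() == 0 as this SSLError.
        return False, [], [], str(exc)
    ciphers = ctx.get_ciphers()
    tls12 = [c["name"] for c in ciphers if c["protocol"] != "TLSv1.3"]
    tls13 = [c["name"] for c in ciphers if c["protocol"] == "TLSv1.3"]
    return True, tls12, tls13, None


if __name__ == "__main__":
    for label, rule in (("JSSE TLS1.3 names", JSSE_TLS13_ONLY),
                        ("OpenSSL rule", OPENSSL_RULE)):
        ok, tls12, tls13, err = check_cipher_string(rule)
        print(f"{label}: ok={ok} tls12_suites={len(tls12)} "
              f"tls13_suites={len(tls13)} error={err}")
```

Run it with an interpreter linked against the same OpenSSL generation as the Tomcat Native library (the log shows 1.1.1c); the rule language is stable across 1.1.1 and 3.x, but the set of suites matched by aliases such as HIGH can differ between builds, so compare the printed TLS 1.2 list with `openssl ciphers -v` on the Tomcat host before relying on it.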