> > I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using > > jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle > > TLSv1.3 works, but I want to specify the allowed cipher suites as well. > > > > The relevant parts of server.xml are: > > <Listener className="org.apache.catalina.core.AprLifecycleListener" > > SSLEngine="on" /> > > ... > > <Connector port="8181" protocol="org.apache.coyote.http11.Http11AprProtocol" > > maxThreads="150" SSLEnabled="true" > > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"> > > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/> > > <SSLHostConfig protocols="TLSv1.3"> > > <Certificate > > certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-base-8080/conf/keystore-pkcs12.jks" > > certificateKeystorePassword="mypassword" > > certificateKeystoreAlias="myalias" /> > > </SSLHostConfig> > > </Connector> > > > > This configuration works! When I connect to the server, Firefox says > > under technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, > > 128bit key, TLS 1.3). > > > > But when I try to specify the cipher suites like: <SSLHostConfig > > protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256"> > > You have to use OpenSSL cipher names in this case. Like this... > > ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE- > RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- > SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128- > SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA- > AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM- > SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
This cipher suite works fine for TLSv1.2. However, I only want to use TLSv1.3 with its cipher suites. I installed openssl 1.1.1c and if I type "openssl ciphers -s -tls1_3" openSSL will return TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 in exactly this spelling, with underscores, not with hyphens as in the other cipher suites. I tried it with hyphens in Tomcat - but it does not work either. Therefore, I guess Tomcat cannot interpret these cipher suites for TLS 1.3. So is this possibly a bug in Tomcat with openSSL 1.1.1c and JDK 8 (again: I am not talking about JSSE here, it can only do TLS 1.2)? Kind regards, Jessica
smime.p7s
Description: S/MIME cryptographic signature