Daniel,

On 6/29/21 02:03, Daniel Savard wrote:
https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites

TLSv1.3 supports 5 cipher suites and none is in your list.

+1

Abirami,

Also, you aren't providing any <SSLHostConfig> or other elements, so we can't tell what type of key/cert you are using: RSA or EC?

Try adding:
  TLS_AES_128_GCM_SHA256
  TLS_AES_256_GCM_SHA384
  TLS_CHACHA20_POLY1305_SHA256

... to your list.

Note that you have both RSA and EC-based cipher suites in your cipher suites string, and with only a single certificate, you cannot possibly actually support both.

-chris
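
Added example, not part of the original thread or of Tomcat: a small audit that parses a Connector's `ciphers` and `sslEnabledProtocols` attributes and flags the mismatch discussed above. The function names, the shortened sample Connector and its port are constructed for illustration; the TLS 1.3 suite names are the five defined in RFC 8446.

```python
import xml.etree.ElementTree as ET

# The five cipher suites defined for TLS 1.3 (RFC 8446), in JSSE/IANA naming.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# Constructed sample: a shortened form of the Connector posted in this thread.
SAMPLE_CONNECTOR = """
<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
             TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
             TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
    sslEnabledProtocols=" TLSv1.3"/>
"""

def split_list(value):
    """Split a comma-separated attribute, tolerating spaces and line breaks."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_connector(xml_text):
    """Report which configured suites are usable with the enabled protocols."""
    conn = ET.fromstring(xml_text)
    protocols = split_list(conn.get("sslEnabledProtocols", ""))
    suites = split_list(conn.get("ciphers", ""))
    tls13 = [s for s in suites if s in TLS13_SUITES]
    legacy = [s for s in suites if s not in TLS13_SUITES]
    # Pre-1.3 names carry the key exchange/authentication part before "_WITH_".
    kx = sorted({s[len("TLS_"):].split("_WITH_")[0] for s in legacy if "_WITH_" in s})
    problems = []
    if "TLSv1.3" in protocols and suites and not tls13:
        problems.append("TLSv1.3 enabled but no TLS 1.3 cipher suite in 'ciphers'")
    if protocols and set(protocols) == {"TLSv1.3"} and legacy:
        problems.append("only TLSv1.3 enabled: %d pre-1.3 suites are unusable" % len(legacy))
    return {"protocols": protocols, "tls13": tls13, "kx": kx, "problems": problems}

if __name__ == "__main__":
    for key, val in audit_connector(SAMPLE_CONNECTOR).items():
        print(key, "=", val)
```

The `kx` list shows the key-exchange families named in the configured suites, which makes a mix of RSA- and ECDSA-based suites visible next to a single-certificate keystore.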

On Tue, Jun 29, 2021 at 01:44, S Abirami <s.abir...@ericsson.com.invalid>
wrote:

Hi Christopher,

Below is my Connector element. With sslEnabledProtocols=TLSv1.2,TLS 1.3 it is
working fine with TLSv1.2. When sslEnabledProtocols=TLSv1.3, Tomcat is
started, but the browser is unable to perform the handshake with the webapp.

Is there any dependency with Cipher suites?

<Connector
protocol="com.ericsson.http.protocol.Http11Nio2ProtocolDecryptProp"
port="<fourdigit number>" maxThreads="200" scheme="https" secure="true"
SSLEnabled="true" keystoreFile="/opt/cert/keystore"
keystorePass="<Keystore_Password>" clientAuth="false"
maxHttpHeaderSize="8192" server="<SERVER>" xpoweredBy="false"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"
sslEnabledProtocols=" TLSv1.3"/>



Regards,
Abirami.S

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Monday, June 28, 2021 7:27 PM
To: users@tomcat.apache.org
Subject: Re: TLSv1.3 Support in Tomcat

Abirami,

On 6/28/21 07:16, S Abirami wrote:
TLSv1.3 support is available in Tomcat.

I tried just updating server.xml[sslEnabledProtocols=TLSv1.3] and
restarted tomcat. It doesn't work.

[We are using Tomcat 9.0.46 and JDK 8u291]

Please let me know if any other configuration also needs to be changed.

Can you please post your <Connector> configuration (minus any secrets)?

When you say "it doesn't work", what exactly do you mean?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

