On Friday, 11.03.2022 at 09:17 +0000, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> The configuration which works for me is:
>
> <Connector port="443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>     maxThreads="150" minSpareThreads="25"
>     URIEncoding="UTF-8" useBodyEncodingForURI="false"
>     enableLookups="false" disableUploadTimeout="true"
>     acceptCount="100" scheme="https" secure="true"
>     SSLEnabled="true">
>   <SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
>                  disableSessionTickets="true"
>                  honorCipherOrder="false"
>                  protocols="+TLSv1.2,+TLSv1.3">
I am using: protocol="org.apache.coyote.http11.Http11Nio2Protocol" and in combination with the native APR in place it does the correct thing, using OpenSSL - and the error shows that this is in place.

The list of protocols can be either of those - see the ciphers docs at https://tomcat.apache.org/tomcat-9.0-doc/config/http.html:

    The ciphers to enable using the OpenSSL syntax. (See the OpenSSL documentation for the list of ciphers supported and the syntax). Alternatively, a comma separated list of ciphers using the standard OpenSSL cipher names or the standard JSSE cipher names may be used.

Your example does not have any TLS 1.3 cipher listed - so you just get the 3 defaults (which I want / need to change) - and as seen in the code it won't work anyway, because it does not call SSL_CTX_set_ciphersuites() to set the 1.3 suites.

Kind regards
Torsten
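As an added example (not code from this thread or from Tomcat), a small check that parses a Connector fragment and reports, per SSLHostConfig, whether TLS 1.3 is enabled and whether the ciphers attribute names any of the TLS 1.3 suites at all, which is the gap Torsten points out in the quoted config. The sample config, the hostName value and the treatment of protocols="all" as enabling TLS 1.3 are assumptions made here; the check only inspects what the configuration names, not what Tomcat hands to the OpenSSL context.

```python
import xml.etree.ElementTree as ET

# The five TLS 1.3 cipher suites registered by RFC 8446. OpenSSL and JSSE use
# the same names for these, unlike the TLS 1.2 suites (e.g. ECDHE-RSA-...).
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

def audit_ssl_host_configs(connector_xml):
    """Inspect every SSLHostConfig under a Connector and report whether TLS 1.3
    is enabled and which TLS 1.3 suites its ciphers attribute names."""
    findings = []
    root = ET.fromstring(connector_xml)
    for host in root.iter("SSLHostConfig"):
        # Tomcat accepts the OpenSSL ':' syntax or a comma separated list.
        raw = host.get("ciphers", "").replace(",", ":")
        ciphers = [c for c in (t.strip() for t in raw.split(":")) if c]
        # Assumption: a missing protocols attribute or "all" enables TLS 1.3.
        protos = [p.strip() for p in host.get("protocols", "all").split(",")]
        tls13_enabled = any(p in ("all", "TLSv1.3", "+TLSv1.3") for p in protos)
        named13 = [c for c in ciphers if c in TLS13_SUITES]
        findings.append({
            "hostName": host.get("hostName", "_default_"),
            "tls13_enabled": tls13_enabled,
            "tls13_suites": named13,
            # TLS 1.3 on but no suite named: the library defaults apply,
            # not anything this ciphers attribute says.
            "tls13_defaults_apply": tls13_enabled and not named13,
        })
    return findings

# Constructed sample mirroring the shape of the config quoted in the thread;
# the second SSLHostConfig (hostName is made up) names one TLS 1.3 suite.
SAMPLE = """<Connector port="443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
                 protocols="+TLSv1.2,+TLSv1.3"/>
  <SSLHostConfig hostName="example.test"
                 ciphers="TLS_AES_256_GCM_SHA384,ECDHE-RSA-AES256-GCM-SHA384"
                 protocols="TLSv1.3"/>
</Connector>"""

if __name__ == "__main__":
    for finding in audit_ssl_host_configs(SAMPLE):
        print(finding)
```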