tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Усманов Азат Анварович <usma...@ieml.ru>
Subject Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Date Thu, 20 Sep 2018 09:05:07 GMT
I did file  a feature -enhancement  in bugzilla

https://bz.apache.org/bugzilla/show_bug.cgi?id=62748

________________________________
От: Christopher Schultz <chris@christopherschultz.net>
Отправлено: 19 сентября 2018 г. 23:31:28
Кому: users@tomcat.apache.org
Тема: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Усманов,

On 9/19/18 05:56, Усманов Азат Анварович wrote:
> Hi Christopher! I did remove supportedProtocols attribute entirely
> (SSL Labs server test confirms it ).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.

> <Connector allowTrace="false" server=" " port="8443"
> maxPostSize="10485760 "  maxHttpHeaderSize="1048576"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> connectionTimeout="20000" redirectPort="8443"
> SSLHonorCipherOrder="true"
> SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
> SSLCertificateKeyFile="/home/idis/server.key"
> SSLCertificateChainFile="/home/idis/authorities.crt"
>
> maxThreads="350"  minSpareThreads="25" SSLEnabled="true"
> enableLookups="false" disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" compression="force"
> SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TL
S_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GC
M-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE
- -RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,
> ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256
- -SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,
>
>
ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
>
> I did put
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SH
A256
> as tls 1.3 ciphers for tls 1.3 ,  so my guess is that  more work
> is required for tls.1.3  to work in my case

Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
- -chris

> ________________________________ От: Christopher Schultz
> <chris@christopherschultz.net> Отправлено: 18 сентября 2018 г.
> 23:27 Кому: users@tomcat.apache.org Тема: Re: TLS1.3 support for
> tomcat 7 with APR/tomcat-native
>
> Усманов,
>
> On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
>> I have a java7 web application that runs on tomcat 7.0.70 I'm
>> using Apr/tomcat-native w OpenSSL for TLS connections
>> .(Tomcat-native 1.2.17  APR 1.6,OpenSSL 1.1.1 RHEL 6  ) Latest
>> stable OpenSSL release (1.1.1) has TLS 1.3 support ,I have
>> upgraded to it  successfully. My question is  if and when
>> tomcat 7 will be upgraded to support TLS1.3  through w
>> APR/tomcat-native/OpenSSL? do such plans even exist?
>
> Try not specifying any "supported protocol" (e.g. allow all
> protocol flavors), and OpenSSL should allow TLSv1.3 to be
> negotiated.
>
>> I'm guessing it will not happen at least untill both Chrome and
>> firefox release their    browser updates for RFC8446 support
>> (which are  both scheduled for Mid october Crome 70 and firefox
>> 63) but would like to know more about it
>
> I for one would like to see TLSv1.3 supported as quickly as
> possible.
>
> The OpenSSL project states that 1.1.1 is a drop-in API- and
> ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
> "just work" under certain conditions.
>
> Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
> by default which might make things tricky when trying to accept
> "all protocols" as described above.
>
> Please let me know if you have any success with an out-of-the-box
> Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in
> Tomcat that might *prevent* TLSv1.3 from being available.
>
> -chris
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluisiAACgkQHPApP6U8
pFiH3Q/+KWvdZpWPpR9SkJp9NCQFQHhxJjrgW++fXrdKb0ySj5eV8NvmSjb253GZ
BHwSlzLlG0QDAxHuL7Xux6EuO/W3OzibhS0V6touLZ0bSmO1uJ/cP/VIVDZTXw6P
z7Vs/hDYIlucCHf1ZJnYMPfSuk+t8YGToK8qYwFXnrZyHfDx4Wq+wqHLMltu+n/v
dX12V2OCw7XWrKeYjHvRxCffwoNkqkrJrUxekpEeTd39s5Vj6/Z/jveeRY3Yz2Zj
GGe+E7H7tIOywLXC9tAYXmj4CqFab9s5jTpEgD1IiphhA118WLAd97AAo5o/0t3R
RcGrxMbYo3vpRYhhIAxNOnVvbfu+pxCGIc6BdeWhyzVvjutMetUyAQBujc97Em0X
QpXG+V/7D55iJIFE7rhV6hpg5+/TC43oCLPn6KVQyoamLUET7rNRVzueMKPvNXow
tONSSGHUOAv7hRhdvplp5aW4h3L0BgDjTdIjcPwr/YcprU/9SC2gRs+iLX5nwMwS
+ZOSKufTBBqOVRLJNA3NVjfbozLZCzk3unTYrX0am2Fw3HRXnU3d4LogsDVdXUS5
xxj9+XBjcr2/wtUcufS3beuYPUQq6LR5ZNqG/XsPl3xMtg0skV2+JqQEVIEqcbnW
Up/egu3bHKc/oQBsqtKNviH2gPdxw6eUTJnjtlW5d1myE8quMIU=
=OwrK
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message