tomcat-users mailing list archives

From Усманов Азат Анварович <usma...@ieml.ru>
Subject Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Date Wed, 19 Sep 2018 09:56:46 GMT
Hi Christopher! I did remove the supportedProtocols attribute entirely (the SSL Labs server test confirms
it). I also installed Chrome 70 beta and enabled the final TLS 1.3 version in it, but the
security tab in Chrome still shows TLS 1.2 as my protocol and no TLS 1.3. Here is my connector
from the server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           server=" " allowTrace="false"
           maxPostSize="10485760" maxHttpHeaderSize="1048576"
           connectionTimeout="20000" redirectPort="8443"
           maxThreads="350" minSpareThreads="25" acceptCount="100"
           enableLookups="false" disableUploadTimeout="true"
           compression="force"
           SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
           SSLCertificateKeyFile="/home/idis/server.key"
           SSLCertificateChainFile="/home/idis/authorities.crt"
           SSLHonorCipherOrder="true"
           <!-- TLS 1.3 suite names (OpenSSL 1.1.1 spelling) first, then the TLS 1.2 suites -->
           SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>

  I put TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256 as the
TLS 1.3 ciphers, so my guess is that more work is required for TLS 1.3 to
work in my case.

________________________________
From: Christopher Schultz <chris@christopherschultz.net>
Sent: 18 September 2018 23:27
To: users@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Усманов,

On 9/18/18 6:43 AM, Усманов Азат Анварович wrote:
> I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
> using APR/tomcat-native with OpenSSL for TLS connections
> (tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
> stable OpenSSL release (1.1.1) has TLS 1.3 support, and I have upgraded
> to it successfully. My question is if and when Tomcat 7 will
> be upgraded to support TLS 1.3 through APR/tomcat-native/OpenSSL?
> Do such plans even exist?

Try not specifying any "supported protocol" (e.g. allow all protocol
flavors), and OpenSSL should allow TLSv1.3 to be negotiated.

> I'm guessing it will not happen at least until both Chrome and
> Firefox release their browser updates for RFC 8446 support
> (which are both scheduled for mid-October: Chrome 70 and Firefox 63),
> but I would like to know more about it.

I for one would like to see TLSv1.3 supported as quickly as possible.

The OpenSSL project states that 1.1.1 is a drop-in API- and
ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
"just work" under certain conditions.

Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3) by
default which might make things tricky when trying to accept "all
protocols" as described above.

Please let me know if you have any success with an out-of-the-box
Tomcat 7.0.70 and APR/tcnative. I'll see what if anything is in Tomcat
that might *prevent* TLSv1.3 from being available.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

