Discussion:
TLS1.3 support for tomcat 7 with APR/tomcat-native
Усманов Азат Анварович
2018-09-18 10:43:41 UTC
Hi everyone!

I have a Java 7 web application that runs on Tomcat 7.0.70. I'm using APR/tomcat-native with OpenSSL for TLS connections (tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest stable OpenSSL release (1.1.1) has TLS 1.3 support, and I have upgraded to it successfully. My question is if and when Tomcat 7 will be upgraded to support TLS 1.3 through APR/tomcat-native/OpenSSL? Do such plans even exist?

I'm guessing it will not happen at least until both Chrome and Firefox release their browser updates for RFC 8446 support (both scheduled for mid-October: Chrome 70 and Firefox 63), but I would like to know more about it.
Christopher Schultz
2018-09-18 20:27:26 UTC
Усманов,
Post by Усманов Азат Анварович
I have a Java 7 web application that runs on Tomcat 7.0.70. I'm
using APR/tomcat-native with OpenSSL for TLS connections
(tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
stable OpenSSL release (1.1.1) has TLS 1.3 support, and I have upgraded
to it successfully. My question is if and when Tomcat 7 will
be upgraded to support TLS 1.3 through APR/tomcat-native/OpenSSL?
Do such plans even exist?
Try not specifying any "supported protocol" (e.g. allow all protocol
flavors), and OpenSSL should allow TLSv1.3 to be negotiated.
Post by Усманов Азат Анварович
I'm guessing it will not happen at least until both Chrome and
Firefox release their browser updates for RFC 8446 support
(both scheduled for mid-October: Chrome 70 and Firefox 63),
but I would like to know more about it.
I for one would like to see TLSv1.3 supported as quickly as possible.

The OpenSSL project states that 1.1.1 is a drop-in API- and
ABI-compatible replacement for 1.1.0 and therefore TLSv1.3 should
"just work" under certain conditions.

Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3) by
default which might make things tricky when trying to accept "all
protocols" as described above.

Please let me know if you have any success with an out-of-the-box
Tomcat 7.0.70 and APR/tcnative. I'll see what, if anything, is in Tomcat
that might *prevent* TLSv1.3 from being available.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Усманов Азат Анварович
2018-09-19 09:56:46 UTC
Hi Christopher! I did remove the supportedProtocols attribute entirely (the SSL Labs server test confirms it). I also installed Chrome 70 beta and enabled the final TLS 1.3 version in it, but the security tab in Chrome still shows TLS 1.2 as my protocol and no TLS 1.3. Here is my connector from server.xml:

<!-- Two names in SSLCipherSuite match no OpenSSL cipher: the RFC 8446 ChaCha20 suite
     is TLS_CHACHA20_POLY1305_SHA256 (not _SHA384), and AES-256-GCM suites pair with
     SHA384, so ECDHE-ECDSA-AES256-GCM-SHA256 does not exist. OpenSSL ignores names
     it does not recognise, so neither entry produces an error. -->
<Connector allowTrace="false" server=" " port="8443"
           maxPostSize="10485760" maxHttpHeaderSize="1048576"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           connectionTimeout="20000"
           redirectPort="8443"
           SSLHonorCipherOrder="true"
           SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
           SSLCertificateKeyFile="/home/idis/server.key"
           SSLCertificateChainFile="/home/idis/authorities.crt"
           maxThreads="350" minSpareThreads="25" SSLEnabled="true"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           compression="force"
           SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>

I did put TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256 as the TLS 1.3 ciphers, so my guess is that more work is required for TLS 1.3 to work in my case.

Christopher Schultz
2018-09-19 20:31:28 UTC
Усманов,
Post by Усманов Азат Анварович
Hi Christopher! I did remove the supportedProtocols attribute entirely
(the SSL Labs server test confirms it).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3 is
available, so testing with e.g. Chrome shouldn't be necessary.
Post by Усманов Азат Анварович
<Connector allowTrace="false" server=" " port="8443"
           maxPostSize="10485760" maxHttpHeaderSize="1048576"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           connectionTimeout="20000" redirectPort="8443"
           SSLHonorCipherOrder="true"
           SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
           SSLCertificateKeyFile="/home/idis/server.key"
           SSLCertificateChainFile="/home/idis/authorities.crt"
           maxThreads="350" minSpareThreads="25" SSLEnabled="true"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" compression="force"
           SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
Post by Усманов Азат Анварович
I did put TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
as the TLS 1.3 ciphers, so my guess is that more work is required for
TLS 1.3 to work in my case.
Yes, you will definitely have to mention the TLSv1.3 ciphers in order
to allow a TLSv1.3 handshake to succeed.

But yes, it does indeed look like Tomcat requires some work.

Can you please file an enhancement request in Bugzilla?

Thanks,
-chris
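An added example (not code from the thread, from Tomcat or from tomcat-native) for the point Chris makes above, that the TLSv1.3 ciphers have to be configured explicitly. OpenSSL 1.1.1 takes TLS 1.3 suites through a separate call, SSL_CTX_set_ciphersuites, from the SSL_CTX_set_cipher_list string that covers TLS 1.2 and below, so a single attribute like SSLCipherSuite only gets TLS 1.3 offered if the caller splits it the same way. The script splits such a value, flags TLS_* names that are not RFC 8446 suites (the ChaCha20 entry in the connector above is one), and reads the negotiated protocol out of `openssl s_client` output so the result can be verified independently of SSL Labs or a browser; the sample attribute and the sample s_client output are constructed.

```python
"""Check a Tomcat SSLCipherSuite value against what OpenSSL 1.1.1 needs for TLS 1.3.

Since OpenSSL 1.1.1, TLS 1.3 suites are configured with SSL_CTX_set_ciphersuites
("Ciphersuites" in an OpenSSL config file) and TLS 1.2-and-below ciphers with
SSL_CTX_set_cipher_list ("CipherString"). A single attribute that mixes both
only offers TLS 1.3 if the caller splits it into those two strings.
"""
import re

# The five TLS 1.3 cipher suites defined in RFC 8446, Appendix B.4.
RFC8446_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Constructed sample: a shortened form of the SSLCipherSuite value from the thread,
# keeping its stray space and the mistyped ChaCha20 suite name.
SAMPLE_SSLCIPHERSUITE = (
    "TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,"
    "ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,"
    "ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA"
)

# Constructed sample of the tail of `openssl s_client -connect host:8443 -tls1_3`
# output after a successful handshake (OpenSSL 1.1.1 layout).
SAMPLE_S_CLIENT = """\
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""


def split_cipher_config(value):
    """Split a cipher attribute into (tls13_suites, tls12_ciphers, unknown_tls13).

    OpenSSL uses ':' as the list separator and also accepts ',' or whitespace,
    so all three are honoured here. RFC 8446 names (TLS_*) belong in the TLS 1.3
    ciphersuites string; anything else is an OpenSSL cipher-list name. A TLS_*
    name that is not one of the five RFC 8446 suites is reported separately:
    OpenSSL ignores names it does not know, so the suite would simply never
    be offered and nothing would warn about it.
    """
    names = [n for n in re.split(r"[,:\s]+", value) if n]
    tls13, tls12, unknown = [], [], []
    for name in names:
        if name.startswith("TLS_"):
            (tls13 if name in RFC8446_SUITES else unknown).append(name)
        else:
            tls12.append(name)
    return tls13, tls12, unknown


def openssl_directives(value):
    """Return the two colon-separated strings OpenSSL 1.1.1 configures separately."""
    tls13, tls12, _ = split_cipher_config(value)
    return {"Ciphersuites": ":".join(tls13), "CipherString": ":".join(tls12)}


def negotiated(s_client_output):
    """Extract (protocol, cipher) from the SSL-Session block of s_client output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", s_client_output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.M)
    return (proto.group(1) if proto else None, cipher.group(1) if cipher else None)


def tls13_negotiated(s_client_output):
    """True only when the session really ran TLS 1.3 with an RFC 8446 suite."""
    proto, cipher = negotiated(s_client_output)
    return proto == "TLSv1.3" and cipher in RFC8446_SUITES


if __name__ == "__main__":
    tls13, tls12, unknown = split_cipher_config(SAMPLE_SSLCIPHERSUITE)
    print("TLS 1.3 suites  :", tls13)
    print("TLS 1.2 ciphers :", tls12)
    print("not RFC 8446    :", unknown)
    print(openssl_directives(SAMPLE_SSLCIPHERSUITE))
    print("TLS 1.3 negotiated:", tls13_negotiated(SAMPLE_S_CLIENT))
```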
Усманов Азат Анварович
2018-09-19 21:37:07 UTC
Hi Chris! Yes, the ssllabs test does show TLS 1.0 and TLS 1.1 enabled when I omit the supportedProtocols attribute. The current version of the ssllabs server test uses the draft 28 version for TLS 1.3 testing, which is why I used the Chrome beta test. What steps do I need to take to file an enhancement request in Bugzilla? I'm a newbie to the tomcat users list.
Усманов Азат Анварович
2018-09-20 09:05:07 UTC
I did file a feature enhancement in Bugzilla:

https://bz.apache.org/bugzilla/show_bug.cgi?id=62748

Усманов Азат Анварович
2018-09-25 08:39:57 UTC
Do I need to file a separate feature request for Tomcat itself?
The one I already filed (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748) is for the tomcat-native component. Looking through the Tomcat changelog, I found that TLS 1.2 support was previously added via an enhancement request to tomcat-native (https://bz.apache.org/bugzilla/show_bug.cgi?id=53952).
Усманов Азат Анварович
2018-10-06 21:27:28 UTC
I've been searching the web for any idea why Chrome throws an empty response error with TLS 1.3 and found this bug at Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1619389. It looks like the same sort of problem; interestingly enough, it does have a fix. My knowledge of C is quite limited, so could anyone please look at the patch provided by these guys and see if it is of any use in the case of tomcat-native?


Christopher Schultz
2018-10-10 14:47:47 UTC
Усманов,
Post by Усманов Азат Анварович
I've been searching the web for any idea why Chrome throws an
empty response error with TLS 1.3 and found this bug at Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1619389. It
looks like the same sort of problem; interestingly enough, it does
have a fix. My knowledge of C is quite limited, so could anyone
please look at the patch provided by these guys and see if it is
of any use in the case of tomcat-native?
Have a look at the recent bug comments, especially Rainer's comment
about Chrome/ff versions.

-chris
Post by Усманов Азат Анварович
________________________________ От: Усманов Азат Анварович
Tomcat Users List Тема: Re: TLS1.3 support for tomcat 7 with
APR/tomcat-native
Do I need to file a separate feature request for Tomcat itself? The
one I already filed (https://bz.apache.org/bugzilla/show_bug.cgi?id=62748)
is for the tomcat-native component. I looked through the Tomcat
changelog and found that previously TLS1.2 support was added via an
enhancement request to tomcat-native
(https://bz.apache.org/bugzilla/show_bug.cgi?id=53952).
________________________________
From: Усманов Азат Анварович
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
I did file a feature-enhancement request in Bugzilla:
https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
________________________________
From: Christopher Schultz
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Усманов,
Post by Усманов Азат Анварович
Hi Christopher! I did remove the supportedProtocols attribute
entirely (the SSL Labs server test confirms it).
You mean that SSL Labs then tells you that other protocols are
available (e.g. TLSv1.0, etc.)? SSL Labs should tell you if TLSv1.3
is available, so testing with e.g. Chrome shouldn't be necessary.
Post by Усманов Азат Анварович
<Connector allowTrace="false" server=" " port="8443"
           maxPostSize="10485760" maxHttpHeaderSize="1048576"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           connectionTimeout="20000" redirectPort="8443"
           SSLHonorCipherOrder="true"
           SSLCertificateFile="/home/idis/STAR_ieml_ru.crt"
           SSLCertificateKeyFile="/home/idis/server.key"
           SSLCertificateChainFile="/home/idis/authorities.crt"
           maxThreads="350" minSpareThreads="25" SSLEnabled="true"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           compression="force"
           SSLCipherSuite="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES256-SHA"/>
I did put TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256
as TLS 1.3 ciphers for TLS 1.3, so my guess is that more work
is required for TLS 1.3 to work in my case.
Yes, you will definitely have to mention the TLSv1.3 ciphers in
order to allow a TLSv1.3 handshake to succeed.
But yes, it does indeed look like Tomcat requires some work.
Can you please file an enhancement request in Bugzilla?
Thanks, -chris
Post by Усманов Азат Анварович
________________________________
From: Christopher Schultz
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native
Усманов,
Post by Усманов Азат Анварович
I have a java7 web application that runs on tomcat 7.0.70. I'm
using APR/tomcat-native with OpenSSL for TLS connections
(tomcat-native 1.2.17, APR 1.6, OpenSSL 1.1.1, RHEL 6). The latest
stable OpenSSL release (1.1.1) has TLS 1.3 support; I have
upgraded to it successfully. My question is if and when
tomcat 7 will be upgraded to support TLS1.3 through
APR/tomcat-native/OpenSSL? Do such plans even exist?
Try not specifying any "supported protocol" (e.g. allow all
protocol flavors), and OpenSSL should allow TLSv1.3 to be
negotiated.
Post by Усманов Азат Анварович
I'm guessing it will not happen at least until both Chrome
and Firefox release their browser updates for RFC 8446
support (which are both scheduled for mid-October: Chrome 70 and
Firefox 63) but would like to know more about it.
I for one would like to see TLSv1.3 supported as quickly as
possible.
The OpenSSL project states that 1.1.1 is a drop-in API- and
ABI-compatible replacement for 1.1.0 and therefore TLSv1.3
should "just work" under certain conditions.
Tomcat attempts to disable certain protocols (e.g. SSLv2, SSLv3)
by default which might make things tricky when trying to accept
"all protocols" as described above.
Please let me know if you have any success with an
out-of-the-box Tomcat 7.0.70 and APR/tcnative. I'll see what if
anything is in Tomcat that might *prevent* TLSv1.3 from being
available.
-chris
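The SSLCipherSuite list quoted above is the first thing a practitioner would check, so here is an added example (written for this page, not code from the thread, from Tomcat or from tomcat-native) that pulls SSLCipherSuite out of a Connector element and sorts each entry into one of three buckets: one of the five suites RFC 8446 defines, a pre-1.3 name the local OpenSSL accepts through SSL_CTX_set_cipher_list, or neither. Run against the posted list it flags two entries: TLS_CHACHA20_POLY1305_SHA384 (RFC 8446 names that suite TLS_CHACHA20_POLY1305_SHA256) and ECDHE-ECDSA-AES256-GCM-SHA256 (OpenSSL pairs AES-256-GCM only with SHA384). OpenSSL ignores names it does not recognise rather than failing, so neither entry breaks the connector, but the ChaCha20 TLS 1.3 suite is not actually being requested. Assumptions: the sample Connector is constructed from the poster's attribute values; the function names are mine; the OpenSSL checks go through Python's ssl module and therefore reflect the OpenSSL that Python was linked against, not the one tomcat-native loads.

```python
"""Check a Tomcat APR connector's SSLCipherSuite value for TLS 1.3.

Editor-added example, not code from the thread or from Tomcat/tomcat-native.
Standard library only; OpenSSL checks use Python's ssl module, so they reflect
the OpenSSL Python was built against rather than tomcat-native's copy.
"""
import re
import ssl

# RFC 8446, Appendix B.4: every cipher suite TLS 1.3 defines.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

# Constructed sample: the SSLCipherSuite list posted in the thread, reassembled
# onto one line with the poster's values unchanged.
SAMPLE_CONNECTOR = (
    '<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" '
    'SSLEnabled="true" SSLHonorCipherOrder="true" SSLCipherSuite="'
    'TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA384,TLS_AES_128_GCM_SHA256,'
    'ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,'
    'ECDHE-ECDSA-AES256-GCM-SHA256,ECDHE-RSA-AES256-GCM-SHA384,'
    'ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES128-GCM-SHA256,'
    'ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,'
    'ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-SHA,'
    'ECDHE-RSA-AES256-SHA"/>'
)


def cipher_suite_list(connector_xml):
    """Extract the SSLCipherSuite entries from a Connector element.
    The value is an OpenSSL cipher string, so ':', ',' and whitespace all
    separate entries."""
    m = re.search(r'SSLCipherSuite="([^"]*)"', connector_xml)
    return [s for s in re.split(r"[,:\s]+", m.group(1)) if s] if m else []


def openssl_knows_tls12_name(name):
    """True if the local OpenSSL accepts `name` via SSL_CTX_set_cipher_list.
    That call fails when no pre-1.3 cipher matches, so a misspelled name, or a
    TLS 1.3 name (which this API never matches), raises ssl.SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(name)
    except ssl.SSLError:
        return False
    return True


def _local_openssl_names():
    """Every suite name the local OpenSSL build knows (TLS 1.3 ones included)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return {c["name"] for c in ctx.get_ciphers()}


def _stem(name):
    # "ECDHE-RSA-AES256-GCM-SHA384" -> "ECDHE-RSA-AES256-GCM"; same for IANA names.
    return re.sub(r"[-_]SHA\d*$", "", name)


def suggest(name, known):
    """Closest known suite that differs only in the trailing hash label, else None."""
    for cand in sorted(known):
        if _stem(cand) == _stem(name):
            return cand
    return None


def classify(suites):
    """Bucket each entry as a TLS 1.3 suite, an OpenSSL pre-1.3 name, or unknown.
    Unknown entries map to a suggested spelling when one is obvious."""
    known = TLS13_SUITES | _local_openssl_names()
    out = {"tls13": [], "tls12": [], "unknown": {}}
    for s in suites:
        if s in TLS13_SUITES:
            out["tls13"].append(s)
        elif not s.startswith("TLS_") and openssl_knows_tls12_name(s):
            out["tls12"].append(s)
        else:
            out["unknown"][s] = suggest(s, known)
    return out


def has_tls13_suite(report):
    """A TLS 1.3 handshake needs at least one RFC 8446 suite in the list."""
    return bool(report["tls13"])


if __name__ == "__main__":
    rep = classify(cipher_suite_list(SAMPLE_CONNECTOR))
    print("TLS 1.3 suites:", ", ".join(rep["tls13"]))
    print("TLS 1.2 suites:", ", ".join(rep["tls12"]))
    for bad, fix in rep["unknown"].items():
        print("ignored by OpenSSL:", bad, "-> did you mean", fix or "(no close match)")
    print("offers a TLS 1.3 suite:", has_tls13_suite(rep))
```

To check a real deployment, pass the contents of server.xml to cipher_suite_list instead of the sample. One caveat worth keeping in mind while reading the rest of the thread: in OpenSSL 1.1.1 the TLS 1.3 suites are configured through SSL_CTX_set_ciphersuites(), not through the cipher list that SSL_CTX_set_cipher_list() takes, and the three GCM/ChaCha20 suites are enabled by default, so a valid cipher list is necessary but not sufficient; whether tomcat-native wires SSLCipherSuite and the protocol flags through to the new API is what the enhancement request in this thread is about. Once that is in place, `openssl s_client -tls1_3 -connect host:8443` confirms the negotiated version from the command line.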
Усманов Азат Анварович
2018-10-10 15:12:03 UTC
Permalink
Thanks Christopher, I already did. All that's left is to get the latest patch backported to tomcat 7.

________________________________
From: Christopher Schultz <***@christopherschultz.net>
Sent: 10 October 2018 17:47:47
To: ***@tomcat.apache.org
Subject: Re: TLS1.3 support for tomcat 7 with APR/tomcat-native

Christopher Schultz
2018-10-11 14:52:07 UTC
Permalink
Rémy Maucherat
2018-10-11 15:01:10 UTC
Permalink
On Thu, Oct 11, 2018 at 4:52 PM Christopher Schultz <
Post by Christopher Schultz
Усманов,
Post by Усманов Азат Анварович
Thanks Christopher, I already did. All that's left is to get the
latest patch backported to tomcat 7.
For APR, it shouldn't be too much of an issue; it's just about getting
a qualifying tcnative build into tc7 and a little plumbing code.
My *guess* right now is that Tomcat 7 will not get any back-ports for
NIO[2] for either JSSE or OpenSSL, so Tomcat 7 will have incomplete
TLSv1.3 support.
Tomcat 7 cannot get NIO2 (it needs Java 7), and it didn't get the OpenSSL
engine either. So APR and vanilla JSSE with NIO (or java.io) are the only
possibilities.

Rémy
