You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Alten, Jessica-Aileen" <Je...@leibniz-liag.de> on 2019/08/07 12:33:54 UTC
Problem with OpenSSL cipher suites -what's wrong with this
configuration?
Dear all,
I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using
jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle TLSv1.3
works, but I want to specify the allowed cipher suites as well.
The relevant parts of server.xml are:
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
...
<Connector port="8181" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true"
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementat
ion">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
<SSLHostConfig protocols="TLSv1.3">
<Certificate
certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-bas
e-8080/conf/keystore-pkcs12.jks"
certificateKeystorePassword="mypassword"
certificateKeystoreAlias="myalias" />
</SSLHostConfig>
</Connector>
This configuration works! When I connect to the server, Firefox says under
technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, 128bit key,
TLS 1.3).
But when I try to specify the cipher suites like: <SSLHostConfig
protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">
Tomcat throws an exception and TLS does not work! Errror code in the browser
is: SSL_ERROR_RX_RECORD_TOO_LONG
That is the most simplified version, first I tried these three:
ciphers=""TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256". Same result.
I know, Java JSSE 1.8 does not support TLSv1.3, but openSSL does and Tomcat
works with openSSL and TLSv1.3 as shown above.
The relevant part of the catalina log is:
07-Aug-2019 13:41:38.183 INFORMATION [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
based Apache Tomcat Native library [1.2.23] using APR version [1.7.0].
07-Aug-2019 13:41:38.183 INFORMATION [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
capabilities: IPv6 [true], sendfile [true], accept filters [false], random
[true].
07-Aug-2019 13:41:38.183 INFORMATION [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
07-Aug-2019 13:41:38.198 INFORMATION [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.1.1c 28 May 2019]
07-Aug-2019 13:41:38.370 INFORMATION [main]
org.apache.coyote.AbstractProtocol.init Initialisiere
ProtocolHandler["http-nio-8080"]
07-Aug-2019 13:41:38.417 INFORMATION [main]
org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The
["https-openssl-apr-8181"] connector has been configured to support
negotiation to h2] via ALPN
07-Aug-2019 13:41:38.417 INFORMATION [main]
org.apache.coyote.AbstractProtocol.init Initialisiere
ProtocolHandler["https-openssl-apr-8181"] 07-Aug-2019 13:41:38.823 WARNUNG
[main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim
initialisieren des SSL Contexts java.lang.Exception: Unable to configure
permitted SSL ciphers (error:1410D0B9:SSL
routines:SSL_CTX_set_cipher_list:no cipher match)
at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
at
org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:2
43)
at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247
)
at
org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:403
)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:369)
at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint
.java:1124)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.
java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:5
33)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:105
9)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62
)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl
.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Can anybody help?
Kind regards,
Jessica
Re: Problem with OpenSSL cipher suites -what's wrong with thisconfiguration?
Posted by logo <lo...@kreuser.name>.
Mark,
Am 08.08.2019 11:45, schrieb Mark Thomas:
> On 08/08/2019 10:15, Alten, Jessica-Aileen wrote:
>
>> Therefore, I guess Tomcat cannot interpret these cipher suites for TLS
>> 1.3. So is this possibly a bug in Tomcat with openSSL 1.1.1c
>> and JDK 8 (again: I am not talking about JSSE here, it can only do TLS
>> 1.2)?
>
> Tomcat supports configuring the ciphers for TLSv1.2 and below.
>
> Tomcat does not (yet) support configuring the ciphersuites for TLS1.3
> and above.
that's good to know. Any timeline (if it is necessary at all)? Does that
mean if only protocol is TLSv1.3, no cipher string is used? Or only the
TLS1.3 ciphers? Should "HIGH:..." work?
Peter
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Problem with OpenSSL cipher suites -what's wrong with this
configuration?
Posted by Mark Thomas <ma...@apache.org>.
On 08/08/2019 10:15, Alten, Jessica-Aileen wrote:
> Therefore, I guess Tomcat cannot interpret these cipher suites for TLS 1.3. So is this possibly a bug in Tomcat with openSSL 1.1.1c
> and JDK 8 (again: I am not talking about JSSE here, it can only do TLS 1.2)?
Tomcat supports configuring the ciphers for TLSv1.2 and below.
Tomcat does not (yet) support configuring the ciphersuites for TLS1.3
and above.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Problem with OpenSSL cipher suites -what's wrong with this
configuration?
Posted by "Alten, Jessica-Aileen" <Je...@leibniz-liag.de>.
> > I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using
> > jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle
> > TLSv1.3 works, but I want to specify the allowed cipher suites as well.
> >
> > The relevant parts of server.xml are:
> > <Listener className="org.apache.catalina.core.AprLifecycleListener"
> > SSLEngine="on" />
> > ...
> > <Connector port="8181" protocol="org.apache.coyote.http11.Http11AprProtocol"
> > maxThreads="150" SSLEnabled="true"
> > sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
> > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
> > <SSLHostConfig protocols="TLSv1.3">
> > <Certificate
> > certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-base-8080/conf/keystore-pkcs12.jks"
> > certificateKeystorePassword="mypassword" certificateKeystoreAlias="myalias" />
> > </SSLHostConfig>
> > </Connector>
> >
> > This configuration works! When I connect to the server, Firefox says
> > under technical details: Connection encrypted (TLS_AES_128_GCM_SHA256,
> > 128bit key, TLS 1.3).
> >
> > But when I try to specify the cipher suites like: <SSLHostConfig
> > protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">
>
> You have to use OpenSSL cipher names in this case. Like this...
>
> ciphers="HIGH:ECDHE-ECDS�A-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY�1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-
> RS�A-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-�SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-�AES128-GCM-
> SHA256:DHE-RSA-AES256-GCM-SHA384�:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128�-SHA256:ECDHE-ECDSA-AES128-
> SHA:ECDHE-RSA-AE�S256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDS�A-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDH�E-RSA-
> AES256-SHA:DHE-RSA-AES128-SHA256:DHE-�RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RS�A-AES256-SHA:AES128-GCM-
> SHA256:AES256-GCM-S�HA384:AES128-SHA256:AES256-SHA256:AES128-SH�A:AES256-SHA:!DSS">
This cipher suite works fine for TLSv1.2. However, I only want to use TLSv1.3 with its cipher suites.
I installed openssl 1.1.1c and if I type "openssl ciphers -s -tls1_3" openSSL will return
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
in exactly this spelling, with underscores, not with hyphens as in the other cipher suites. I tried it with hyphens in Tomcat - but
it does not work either.
Therefore, I guess Tomcat cannot interpret these cipher suites for TLS 1.3. So is this possibly a bug in Tomcat with openSSL 1.1.1c
and JDK 8 (again: I am not talking about JSSE here, it can only do TLS 1.2)?
Kind regards,
Jessica
Re: Problem with OpenSSL cipher suites -what's wrong with this
configuration?
Posted by Peter Kreuser <lo...@kreuser.name>.
Jessica,
Peter Kreuser
> Am 07.08.2019 um 14:33 schrieb Alten, Jessica-Aileen <Je...@leibniz-liag.de>:
>
> Dear all,
>
> I have a problem with the Tomcat 9.0.22 configuration for TLSv1.3 using
> jdk8u222-b10_openj9-0.15.1 on Windows Server 2016. In principle TLSv1.3
> works, but I want to specify the allowed cipher suites as well.
>
> The relevant parts of server.xml are:
> <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
> ...
> <Connector port="8181" protocol="org.apache.coyote.http11.Http11AprProtocol"
> maxThreads="150" SSLEnabled="true"
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementat
> ion">
> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
> <SSLHostConfig protocols="TLSv1.3">
> <Certificate
> certificateKeystoreFile="D:/ProgramFiles/ApacheSoftwareFoundation/tomcat-bas
> e-8080/conf/keystore-pkcs12.jks"
> certificateKeystorePassword="mypassword"
> certificateKeystoreAlias="myalias" />
> </SSLHostConfig>
> </Connector>
>
> This configuration works! When I connect to the server, Firefox says under
> technical details: Connection encrypted (TLS_AES_128_GCM_SHA256, 128bit key,
> TLS 1.3).
>
> But when I try to specify the cipher suites like: <SSLHostConfig
> protocols="TLSv1.3" ciphers="TLS_AES_128_GCM_SHA256">
You have to use OpenSSL cipher names in this case. Like this...
ciphers="HIGH:ECDHE-ECDS�A-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY�1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RS�A-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-�SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-�AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384�:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128�-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AE�S256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDS�A-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDH�E-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-�RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RS�A-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-S�HA384:AES128-SHA256:AES256-SHA256:AES128-SH�A:AES256-SHA:!DSS">
> Tomcat throws an exception and TLS does not work! Errror code in the browser
> is: SSL_ERROR_RX_RECORD_TOO_LONG
The error in the logs below shows the initialization error in the ciphers attribute and thus no ciphers are available...
Peter
>
> That is the most simplified version, first I tried these three:
> ciphers=""TLS_AES_128_GCM_SHA256,
> TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256". Same result.
>
> I know, Java JSSE 1.8 does not support TLSv1.3, but openSSL does and Tomcat
> works with openSSL and TLSv1.3 as shown above.
>
> The relevant part of the catalina log is:
>
> 07-Aug-2019 13:41:38.183 INFORMATION [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR
> based Apache Tomcat Native library [1.2.23] using APR version [1.7.0].
> 07-Aug-2019 13:41:38.183 INFORMATION [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR
> capabilities: IPv6 [true], sendfile [true], accept filters [false], random
> [true].
> 07-Aug-2019 13:41:38.183 INFORMATION [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
> configuration: useAprConnector [false], useOpenSSL [true]
> 07-Aug-2019 13:41:38.198 INFORMATION [main]
> org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
> successfully initialized [OpenSSL 1.1.1c 28 May 2019]
> 07-Aug-2019 13:41:38.370 INFORMATION [main]
> org.apache.coyote.AbstractProtocol.init Initialisiere
> ProtocolHandler["http-nio-8080"]
> 07-Aug-2019 13:41:38.417 INFORMATION [main]
> org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The
> ["https-openssl-apr-8181"] connector has been configured to support
> negotiation to h2] via ALPN
> 07-Aug-2019 13:41:38.417 INFORMATION [main]
> org.apache.coyote.AbstractProtocol.init Initialisiere
> ProtocolHandler["https-openssl-apr-8181"] 07-Aug-2019 13:41:38.823 WARNUNG
> [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Fehler beim
> initialisieren des SSL Contexts java.lang.Exception: Unable to configure
> permitted SSL ciphers (error:1410D0B9:SSL
> routines:SSL_CTX_set_cipher_list:no cipher match)
> at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
> at
> org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:2
> 43)
> at
> org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247
> )
> at
> org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:403
> )
> at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:369)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint
> .java:1124)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
> at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.
> java:74)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:5
> 33)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:105
> 9)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62
> )
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl
> .java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>
>
> Can anybody help?
>
> Kind regards,
> Jessica
>