Posted to dev@tomcat.apache.org by bu...@apache.org on 2021/06/28 09:44:57 UTC
[Bug 65401] New: do not silently fail on javax.net.ssl.SSLHandshakeException "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
https://bz.apache.org/bugzilla/show_bug.cgi?id=65401
Bug ID: 65401
Summary: do not silently fail on javax.net.ssl.SSLHandshakeException "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
Product: Tomcat 9
Version: 9.0.43
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: hauser@acm.org
Target Milestone: -----
Upgrading from java8 to java11 to enable TLSv1.3,
openssl s_client -tls1_3 -connect localhost:8443
failed miserably with no traces in the usual logs.
Turns out that the problem is

javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:163)
    at java.base/sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
    at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:218)
    at java.base/sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:103)
    at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:360)

with the statement

sslEngine.beginHandshake();
Suggestions:
1) catch this exception around SecureNioChannel:360, print out the protocol(s) and cipher(s) currently enabled, and then re-throw or wrap the exception in an enclosing exception carrying this info
2) In NioEndPoint$SocketProcessor.doRun():1674 do not only log at debug granularity, but in this case with "warn", as no ssl-handshake will ever work
3) in https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
   a) mention TLSv1.3
   b) say that it might have different ciphers than TLSv1.2 without overlap (even https://www.ssllabs.com/ssltest/analyze.html?d=www.ssllabs.com only has 3)
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
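The following is an added illustration of suggestion 1 above; it is not Tomcat's code and not the reporter's. It builds a server-mode SSLEngine with a constructed misconfiguration (only TLSv1.3 enabled, but only a TLSv1.2-only cipher suite allowed), which on JDK 11 makes beginHandshake() fail in the HandshakeContext constructor with the same "No appropriate protocol" message as the stack trace, and wraps that failure with the enabled protocols and cipher suites attached. The class name HandshakeConfigCheck, the method beginHandshakeWithDiagnostics and the wrapper TlsConfigurationException are hypothetical names chosen for this example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import java.util.Arrays;

public class HandshakeConfigCheck {

    /** Hypothetical wrapper (not a Tomcat class) that carries the configuration details. */
    public static class TlsConfigurationException extends SSLHandshakeException {
        public TlsConfigurationException(String message, Throwable cause) {
            super(message);
            initCause(cause);
        }
    }

    /**
     * Starts the handshake and, if JSSE rejects the configuration before any
     * bytes are exchanged, re-throws with the enabled protocols and cipher
     * suites in the message so the mismatch is visible to the operator.
     */
    public static void beginHandshakeWithDiagnostics(SSLEngine engine) throws SSLException {
        try {
            engine.beginHandshake();
        } catch (SSLHandshakeException e) {
            String detail = "TLS handshake could not start. Enabled protocols: "
                    + Arrays.toString(engine.getEnabledProtocols())
                    + ", enabled cipher suites: "
                    + Arrays.toString(engine.getEnabledCipherSuites())
                    + " (" + e.getMessage() + ")";
            throw new TlsConfigurationException(detail, e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Default key/trust material is sufficient: the failure happens before any certificate is used.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);

        // Constructed misconfiguration: TLSv1.3 only, but the single suite is TLSv1.2-only,
        // so no protocol has a usable cipher suite.
        engine.setEnabledProtocols(new String[] {"TLSv1.3"});
        engine.setEnabledCipherSuites(new String[] {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});

        try {
            beginHandshakeWithDiagnostics(engine);
            System.out.println("handshake started: protocols and cipher suites overlap");
        } catch (TlsConfigurationException e) {
            // Message now names the protocols and suites, not just "No appropriate protocol".
            System.err.println(e.getMessage());
        }
    }
}
```

The check is worth running once at connector start-up rather than per connection: if the enabled protocol list and the enabled cipher-suite list have no common protocol, every handshake will fail the same way, which is why the report asks for a warning-level log rather than a debug-only one.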
[Bug 65401] do no silently fail on javax.net.ssl.SSLHandshakeException "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65401
Mark Thomas <ma...@apache.org> changed:
What       | Removed | Added
-----------|---------|---------
Status     | NEW     | RESOLVED
Resolution | ---     | FIXED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I've spent a bit of time looking into this today.
It appears that the TLS error messages have been improved and that a clearer
exception is thrown from a different point in the process.
I have also added a dedicated logger for TLS handshake failures. If you only
want debug logging for handshake failures then you can enable debug logging for
org.apache.tomcat.util.net.NioEndpoint.handshake
or
org.apache.tomcat.util.net.Nio2Endpoint.handshake
as appropriate.
With a recent JRE and latest Tomcat, I think this is addressed. If there is
still a combination where the error message is missing / unhelpful feel free to
re-open this issue and provide the configuration details and openssl client
command to trigger the issue and we can take another look.