Enable only TLSv1.3 for IBM SDK8 and Tomcat 7.0.108 on AIX 7.1

Arun Shankar
Hello,
We have a requirement to enable TLS traffic to only use TLS 1.3. We are currently on Tomcat version 7.0.53, which I learned does not support TLSv1.3 (I need to be at least on Tomcat version 7.0.92 to have TLS 1.3 support from Tomcat (assuming the underlying Java supports it as well)).
So I upgraded to the latest version of Tomcat 7 - Tomcat 7.0.108.
Now when I enable TLSv1.3 by setting sslEnabledProtocols="TLSv1.3" in server.xml of Tomcat, I get the below error: 
SEVERE: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at com.ibm.jsse2.Z.<init>(Z.java:287)
        at com.ibm.jsse2.ac.<init>(ac.java:9)
        at com.ibm.jsse2.ba.a(ba.java:52)
        at com.ibm.jsse2.bf.beginHandshake(bf.java:84)
        at org.apache.tomcat.util.net.SecureNioChannel.reset(SecureNioChannel.java:91)
        at org.apache.tomcat.util.net.SecureNioChannel.<init>(SecureNioChannel.java:73)
        at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:677)
        at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:844)
        at java.lang.Thread.run(Thread.java:822)
If I set sslEnabledProtocols="TLSv1.2,TLSv1.3" in server.xml of Tomcat, I do not see the error but the client browser (Chrome) connects on TLSv1.2 and not on TLSv1.3. 
I then tried the same operations as above on Tomcat 8.5.35 and Tomcat 9.0.13 and I do not see this error. But we have a requirement to stay on Tomcat 7 because of vendor support licensing. Please help.
Re: Enable only TLSv1.3 for IBM SDK8 and Tomcat 7.0.108 on AIX 7.1

Christopher Schultz-2
Arun,

On 4/1/21 12:41, Arun Shankar wrote:
> Hello,
> We have a requirement to enable TLS traffic to only use TLS 1.3. We are currently on Tomcat version 7.0.53, which I learned does not support TLSv1.3 (I need to be at least on Tomcat version 7.0.92 to have TLS 1.3 support from Tomcat (assuming the underlying Java supports it as well)).
> So I upgraded to the latest version of Tomcat 7 - Tomcat 7.0.108.
> Now when I enable TLSv1.3 by setting sslEnabledProtocols="TLSv1.3" in server.xml of Tomcat, I get the below error:
> SEVERE: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
>         at com.ibm.jsse2.Z.<init>(Z.java:287)
>         at com.ibm.jsse2.ac.<init>(ac.java:9)
>         at com.ibm.jsse2.ba.a(ba.java:52)
>         at com.ibm.jsse2.bf.beginHandshake(bf.java:84)
>         at org.apache.tomcat.util.net.SecureNioChannel.reset(SecureNioChannel.java:91)
>         at org.apache.tomcat.util.net.SecureNioChannel.<init>(SecureNioChannel.java:73)
>         at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:677)
>         at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:844)
>         at java.lang.Thread.run(Thread.java:822)

This happens when you try to make a connection, right? Or does it give
you that error on startup?

What client are you using to connect?

In order to verify that your JVM is doing what you expect, try using
this utility:
https://github.com/ChristopherSchultz/ssltest

Build it then run it like this:

$ java -jar ssltest.jar -client-info

You should see the list of TLS protocols supported at the top of the
output. You can also use that to test your server once it's running:

$ java -jar ssltest.jar localhost:8443

(or whatever your host:port is)

> If I set sslEnabledProtocols="TLSv1.2,TLSv1.3" in server.xml of
> Tomcat, I do not see the error but the client browser (Chrome)
> connects on TLSv1.2 and not on TLSv1.3.
Try the above utility to see what TLSv1.2,TLSv1.3 gets you in your
configuration. (Run it against the running server to see the effective
protocols.)

> I then tried the same operations as above on Tomcat 8.5.35 and
> Tomcat 9.0.13 and I do not see this error.

That does suggest that (a) your JVM does indeed support TLSv1.3 and (b)
your configuration is correct.

Last bit of missing information: when you use Tomcat 8.5/9.0 and don't
see this error... does your client connect with TLSv1.3?

> But we have a requirement to stay on Tomcat 7 because of vendor
> support licensing.
:(

Can you please post your current <Connector> from your Tomcat 7.0.108
conf/server.xml file? Remember to remove any secrets which may be in there.

-chris
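
An added diagnostic (not from this thread, Tomcat or the ssltest utility) that does Chris's check from inside the JVM itself: it lists the protocols and TLS 1.3 cipher suites the JSSE provider supports, then mirrors sslEnabledProtocols="TLSv1.3" on an SSLEngine and calls beginHandshake(), the same call that throws in the stack trace above, so you can tell whether the failure is the protocol being disabled or the enabled cipher list having no TLS 1.3 suite. Assumptions: it is run with the same IBM SDK8 java binary Tomcat uses, and TLS 1.3 suite names follow the TLS_AES_/TLS_CHACHA20_ convention (the class and method names are hypothetical).

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;

// Hypothetical diagnostic: run with the same java binary Tomcat 7 uses so it sees the
// same JSSE provider and the same java.security settings (e.g. jdk.tls.disabledAlgorithms).
public class Tls13Check {

    // Assumption: TLS 1.3 suites carry the IANA names TLS_AES_* / TLS_CHACHA20_* in this JSSE.
    static boolean isTls13Suite(String name) {
        return name.startsWith("TLS_AES_") || name.startsWith("TLS_CHACHA20_");
    }

    // Mirrors sslEnabledProtocols="..." (and optionally a ciphers="..." list) on a connector,
    // then kicks off a handshake the way SecureNioChannel.reset() does.
    static String probe(String[] protocols, String[] suites) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true); // client mode: no server key material needed to start
        try {
            engine.setEnabledProtocols(protocols);      // IllegalArgumentException if unsupported
            if (suites != null) {
                engine.setEnabledCipherSuites(suites);
            }
            engine.beginHandshake();                    // SSLHandshakeException if no usable combo
            return "OK: " + Arrays.toString(engine.getEnabledProtocols())
                    + " with " + engine.getEnabledCipherSuites().length + " suite(s)";
        } catch (SSLException | IllegalArgumentException e) {
            return "FAIL: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLEngine info = SSLContext.getDefault().createSSLEngine();
        System.out.println("Supported protocols: " + Arrays.toString(info.getSupportedProtocols()));
        System.out.println("Default protocols:   " + Arrays.toString(info.getEnabledProtocols()));
        String[] tls13Suites = Arrays.stream(info.getSupportedCipherSuites())
                .filter(Tls13Check::isTls13Suite).toArray(String[]::new);
        System.out.println("TLSv1.3 suites:      " + Arrays.toString(tls13Suites));

        // 1) Exactly what sslEnabledProtocols="TLSv1.3" does with the JVM's default suite list.
        System.out.println("TLSv1.3, default suites: " + probe(new String[]{"TLSv1.3"}, null));
        // 2) Same protocol, only TLS 1.3 suites: if this passes while (1) fails, the
        //    default/configured cipher list simply contains no TLS 1.3 suite.
        if (tls13Suites.length > 0) {
            System.out.println("TLSv1.3, TLSv1.3 suites: " + probe(new String[]{"TLSv1.3"}, tls13Suites));
        }
        // 3) The second server.xml attempt, both protocols enabled.
        System.out.println("TLSv1.2+TLSv1.3:         " + probe(new String[]{"TLSv1.2", "TLSv1.3"}, null));
    }
}
```

If case (1) fails and case (2) passes, the connector's effective cipher list is the problem; if every TLSv1.3 case fails or TLSv1.3 is missing from the supported list, the provider or java.security is disabling the protocol, and no server.xml change will help.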
