Open toby1984 opened 2 years ago
@toby1984 Do you happen to know if this issue is over APR/OpenSSL or JSSE implementation?
This is somewhat tricky, as OpenSSL won't control any TLSv1.3-related configuration via the <SSLHostConfig ciphers/> attribute, since it uses different APIs for that; on the other hand, JSSE treats them equally, so if they're not in the list they won't be used for the handshake, it seems…
At least on my CentOS 7 system with JDK 16 (OpenJDK, Temurin) and Apache Tomcat 9.0.54 (downloaded from tomcat.apache.org), the generated server.xml did not work correctly. I would only ever get TLSv1.2 connections, and "openssl s_client -tls1_3 ..." failed.
Enabling SSL debugging on the JVM using -Djavax.net.debug=ssl,handshake printed the following error:
I attached a remote debugger to the JVM and stepped through HandshakeContext#getActiveProtocols() and the CipherSuite#supports() calls in
returns FALSE for TLS13 and all cipher suites the SSL configuration generator suggested. To fix this, I had to add the following additional cipher suites to my server.xml:
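The rule the reporter stepped through (a protocol is only active when at least one enabled cipher suite supports it) can be checked offline before editing server.xml. The script below is an added example, not JDK or Tomcat code: the suite table is a hand-built excerpt using the standard IANA suite names, the generated ciphers list is a constructed sample, and the function names are the author's own.

```python
"""Model of the JSSE behaviour described in the issue: a protocol version is
'active' only if at least one enabled cipher suite can be used with it, so a
<SSLHostConfig ciphers="..."> list without TLS 1.3 suites never negotiates TLS 1.3."""

# Constructed excerpt: which protocol versions each suite can be used with.
# TLS 1.3 suites only work with TLS 1.3; the ECDHE/AES-GCM suites are TLS 1.2.
SUITE_PROTOCOLS = {
    "TLS_AES_256_GCM_SHA384": {"TLSv1.3"},
    "TLS_AES_128_GCM_SHA256": {"TLSv1.3"},
    "TLS_CHACHA20_POLY1305_SHA256": {"TLSv1.3"},
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": {"TLSv1.2"},
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": {"TLSv1.2"},
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": {"TLSv1.2"},
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": {"TLSv1.2"},
}


def parse_ciphers_attr(value):
    """Split the comma-separated ciphers attribute into suite names."""
    return [c.strip() for c in value.split(",") if c.strip()]


def active_protocols(enabled_protocols, enabled_ciphers):
    """Return the enabled protocols for which at least one enabled suite is
    usable (the rule modelled after HandshakeContext#getActiveProtocols()).
    Suite names not in the table are ignored rather than treated as usable."""
    return [
        proto for proto in enabled_protocols
        if any(proto in SUITE_PROTOCOLS.get(c, set()) for c in enabled_ciphers)
    ]


def missing_for_tls13(enabled_ciphers):
    """Suites to add so that TLS 1.3 becomes an active protocol (empty if it already is)."""
    if "TLSv1.3" in active_protocols(["TLSv1.3"], enabled_ciphers):
        return []
    return [s for s, protos in SUITE_PROTOCOLS.items() if "TLSv1.3" in protos]


# Constructed sample: a generated ciphers list that names only TLS 1.2 suites.
GENERATED_CIPHERS = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
                     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
                     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")

if __name__ == "__main__":
    ciphers = parse_ciphers_attr(GENERATED_CIPHERS)
    print("active protocols:", active_protocols(["TLSv1.3", "TLSv1.2"], ciphers))
    print("suites to add for TLS 1.3:", missing_for_tls13(ciphers))
```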