Reputation: 935
How to enable TLSv1.3 in tomcat 8.5.5 using JSSE implementation
We are running a spring boot application on tomcat server 8.5.5. We have security certificates and SSL configured for it to support https. Currently is uses TLSv1.2. Our payment gateway provider has plans to discontinue TLSv1.2 support and continue support for only TLSv1.3. Hence we want to add TLSv1.3 support to our application server. Our connector block with the required ciphers for TLSv1.3 is below.
<Connector port="443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/home/ubuntu/ourkey.p9"
keystorePass="ourpass" clientAuth="false" keystoreType="keystore"
sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2+TLSv1.3" protocol="org.apache.coyote.http11.Http11NioProtocol" server="Web"
useServerCipherSuitesOrder="true"
ciphers="TLS_AES_256_GCM_SHA384,
TLS_CHACHA20_POLY1305_SHA256,
TLS_AES_128_GCM_SHA256,
TLS_AES_128_CCM_8_SHA256,
TLS_AES_128_CCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,... other ciphers/>
We are using the JSSE implemetation and so far no concrete documntation could be found for tomcat. The official doc has the connector block as below:
<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
Here the sslProtocol attribute has TLS which by defaults to TLS version 1.2. We tried it changing to TLSv1.3 but did not work. Also, as mentioned here tried adding the sslEnabledProtocol attribute. That did not work as well. We addded the necessary ciphers needed for a TLSv1.3 handshake to be successful.
How can we configure the server.xml connector block for it to support TLSv1.3 is what we are trying to figure out. Any inputs, hints would be helpful.
Upvotes: 2
Views: 7483
Answers (1)
Reputation: 1
Use both sslProtocol="TLS" and sslEnabledProtocols="TLSv1.2+TLSv1.3".
That works for me (on tomcat 9 with java 13.0.1)
Upvotes: 0
Related Questions
- Enable TLS 1.2 only in apache-tomcat-9 and Java 8
- How to Disable TLSv1.2 in Java 8
- How to enable TLS1.2 for tomcat webserver connections We are using tomcat 7.0.82
- How to enable TLS 1.2 in local Tomcat?
- Tomcat 6 and TLSv1.2 In Java
- How to configure Tomcat to use TLS v1.2 in OUTBOUND connections
- Using TLS 1.2 from java 6
- Tomcat: TLSv1.2 with strong ciphers not working
- How do I disable SSLv3 in tomcat?
- Tomcat7 enable tlsv1.1 using APR Connector