https://bz.apache.org/bugzilla/show_bug.cgi?id=62748
--- Comment #5 from Azat <usma...@ieml.ru> ---
Hi Christopher!

I did patch both tomcat7 src and tomcat-native with the patches you provided. Results are kind of strange. Tomcat7 (I took 7.0.91 src) did compile (although I should mention that tomcat 7 trunk doesn't have the java/org/apache/tomcat/util/net/openssl/ folder, so I did not patch the last two java files you mention) and actually shows TLS 1.3 being supported both in the sslabs test (which now supports the RFC 8446 version) and the htbridge SSLServer test, but as I used the Chrome 70 Beta with the final version of TLS version enabled I wasn't able to connect to my site. Chrome beta showed me an ERR_CONNECTION_ABORTED message; changing the TLS 1.3 version flag value to draft-28 results in a TLS 1.2 connection.

Here is the openssl client test:

openssl s_client -connect debug.ieml.ru:8443
CONNECTED(00000005)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
   i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Server certificate
subject=OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.ieml.ru
issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4869 bytes and written 395 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BCDAE49D41F707C81AE136406724048C4574E1F2A8B4F729BB3C9512D0E17B0F
    Session-ID-ctx:
    Resumption PSK: BC3DED93CC01ED5A35655E13B0B3CB40D03D44764E2811DA0A062BDD58891F010FD2A04ACF0E6E4B7ABF3B1FB4702E23
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 14400 (seconds)
    Start Time: 1538253974
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C40AB861FA3D73B5E1AC944A9A260A40265906B810D811DBAF890BB0D0B9E453
    Session-ID-ctx:
    Resumption PSK: 618E754CE7A844E4A60CF0EE8CF76504FD3181512F927396B82F22ADFD71B8CC0E97FAA6FB1DACD7D1722A3363145E0A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 14400 (seconds)
    Start Time: 1538253974
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
read:errno=0