https://bz.apache.org/bugzilla/show_bug.cgi?id=62944
Bug ID: 62944
Summary: Enabling TLSv1.3 with the APR connector breaks TLSv1.0 and TLSv1.1
Product: Tomcat Native
Version: 1.2.18
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Library
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 36275
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36275&action=edit
Fix the code that scans for the minimal protocol version number if TLSv1.3 is enabled
I'm using Tomcat 8.5 with the APR connector and OpenSSL 1.1.1. I just
upgraded to Tomcat 8.5.35 / Tomcat Native 1.2.18 and found that if
TLSv1.3 is enabled (which it is by default with the default setting of
protocols="all"), support for TLSv1.0 and TLSv1.1 gets disabled, breaking
older clients.
I can work around this by disabling TLSv1.3, for example, by setting
protocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
but as soon as I add TLSv1.3, TLSv1.0 and TLSv1.1 get disabled.
Looking into it, this appears to be a fairly trivial copy-and-paste
error in the Tomcat Native code in sslcontext.c -- when scanning for
the minimal protocol version number to pass to
SSL_CTX_set_min_proto_version(), the code in the "#ifdef HAVE_TLSV1_3"
block should not have a dangling "else" clause, because (unlike the
preceding code to find the maximum protocol version number), this is a
series of "if" tests, not an if-else-if-else chain.
Attached is a patch which I've tested using SSLLabs, and confirmed that it
allows all TLS versions to be enabled, and retains compatibility against
older clients.
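Added example, not part of the bug report and not Tomcat Native's sslcontext.c: a small C model of the two scans the report describes, deriving the values a connector would hand to SSL_CTX_set_max_proto_version() and SSL_CTX_set_min_proto_version() from a "protocols" bitmask. Only the SSL3_VERSION/TLS1_*_VERSION constants are OpenSSL's; the SSL_PROTOCOL_* flags, the SSL_PROTOCOL_ALL mask and the layout of the scans are assumptions made for this example. The max scan is an if/else-if chain (first hit wins, walking down from TLSv1.3), the min scan is a series of independent ifs (last hit wins, walking the same way), and min_proto_version_dangling_else() shows what an else carried over from the max scan does in C: it binds the following if to the TLSv1.3 test, so that test runs only when TLSv1.3 is not enabled. In this model the stray else skips only the one test it binds to, so which bitmasks expose the damage depends on the real code's layout, which is not on this page; the symptom the report observed for protocols="all" is therefore not reproduced literally here.

```c
/* Added illustrative model, not Tomcat Native's sslcontext.c.
 * Version constants are OpenSSL's (ssl.h); the SSL_PROTOCOL_* flags and
 * the layout of the two scans are assumptions made for this example. */
#include <stdio.h>

#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

#define SSL_PROTOCOL_SSLV3   (1u << 0)
#define SSL_PROTOCOL_TLSV1   (1u << 1)
#define SSL_PROTOCOL_TLSV1_1 (1u << 2)
#define SSL_PROTOCOL_TLSV1_2 (1u << 3)
#define SSL_PROTOCOL_TLSV1_3 (1u << 4)
/* protocols="all" as modelled here: every TLS version, no SSLv3. */
#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | \
                          SSL_PROTOCOL_TLSV1_2 | SSL_PROTOCOL_TLSV1_3)

/* Highest enabled version: one if/else-if chain, first hit wins. */
int max_proto_version(unsigned protocol)
{
    int prot = 0;
    if (protocol & SSL_PROTOCOL_TLSV1_3) {
        prot = TLS1_3_VERSION;
    } else if (protocol & SSL_PROTOCOL_TLSV1_2) {
        prot = TLS1_2_VERSION;
    } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
        prot = TLS1_1_VERSION;
    } else if (protocol & SSL_PROTOCOL_TLSV1) {
        prot = TLS1_VERSION;
    } else if (protocol & SSL_PROTOCOL_SSLV3) {
        prot = SSL3_VERSION;
    }
    return prot;
}

/* Lowest enabled version: independent ifs walked downwards, so the last
 * (lowest) enabled version overwrites the earlier ones. */
int min_proto_version(unsigned protocol)
{
    int prot = 0;
    if (protocol & SSL_PROTOCOL_TLSV1_3) {
        prot = TLS1_3_VERSION;
    }
    if (protocol & SSL_PROTOCOL_TLSV1_2) {
        prot = TLS1_2_VERSION;
    }
    if (protocol & SSL_PROTOCOL_TLSV1_1) {
        prot = TLS1_1_VERSION;
    }
    if (protocol & SSL_PROTOCOL_TLSV1) {
        prot = TLS1_VERSION;
    }
    if (protocol & SSL_PROTOCOL_SSLV3) {
        prot = SSL3_VERSION;
    }
    return prot;
}

/* The hazard: an "else" left behind after copying the TLSv1.3 block from
 * the max scan binds the next if to it, so the TLSv1.2 test runs only
 * when TLSv1.3 is NOT enabled.  The remaining tests are unaffected. */
int min_proto_version_dangling_else(unsigned protocol)
{
    int prot = 0;
    if (protocol & SSL_PROTOCOL_TLSV1_3) {
        prot = TLS1_3_VERSION;
    } else                                  /* <-- stray else */
    if (protocol & SSL_PROTOCOL_TLSV1_2) {
        prot = TLS1_2_VERSION;
    }
    if (protocol & SSL_PROTOCOL_TLSV1_1) prot = TLS1_1_VERSION;
    if (protocol & SSL_PROTOCOL_TLSV1)   prot = TLS1_VERSION;
    if (protocol & SSL_PROTOCOL_SSLV3)   prot = SSL3_VERSION;
    return prot;
}

/* 1 if the [min, max] pair is the one the operator expects for the mask. */
int range_ok(unsigned protocol, int want_min, int want_max)
{
    return min_proto_version(protocol) == want_min &&
           max_proto_version(protocol) == want_max;
}

int main(void)
{
    /* Constructed sample masks: "all", and TLSv1.2 + TLSv1.3 only. */
    unsigned masks[] = { SSL_PROTOCOL_ALL,
                         SSL_PROTOCOL_TLSV1_2 | SSL_PROTOCOL_TLSV1_3 };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        printf("mask 0x%02x: max 0x%04x min 0x%04x (with stray else: 0x%04x)\n",
               masks[i], max_proto_version(masks[i]),
               min_proto_version(masks[i]),
               min_proto_version_dangling_else(masks[i]));
    }
    return 0;
}
```

Against a running connector the equivalent check is one handshake per version, e.g. openssl s_client with -tls1, -tls1_1, -tls1_2 and -tls1_3 in turn against the listener, which is what the SSLLabs scan mentioned in the report does in bulk.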