On 18/12/2025 12:58, Rainer Jung wrote:
> I was analyzing it using 9.0.113 but I think I also saw it for 10.1.50.
> JVMs were from various 1.8.0 vendors for TC 9 and at least adopt 11 for
> 10.1.50 (I then stopped testing).
Bingo. Now I know what is going on.

Those versions have a default value of ciphers of:
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
That doesn't include the default TLS 1.3 ciphers so when we run a test
that uses only TLS 1.3 the new native code fails because no TLS 1.3
ciphers are set.

I was testing with 9.0.x etc where the default for ciphers is now:
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

We need to figure out how to make this work for older versions.

I think we need to be able to differentiate between Tomcat <= 11.0.15,
<= 10.1.50 and <= 9.0.113 configuring protocols="TLSv1.3" and the
default ciphers that only includes TLSv1.2 ciphers (should use default
ciphers for TLSv1.3) and newer versions of Tomcat that configure
protocols="TLSv1.3" and an explicit ciphers value without any TLSv1.3
ciphers (should fail).

I think the only way to do this is with a new Tomcat Native method that
sets cipher suites for TLS 1.2 and TLS 1.3. I think that is the only way
to distinguish between these scenarios.

How about:
public static native boolean setCipherSuites(long ctx, String cipherSuites)
(note the extra "s" at the end of the method name)
with the old method deprecated?
Mark
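As an added illustration (not code from the thread, Tomcat or Tomcat Native), a Python model of the two entry points discussed above: the old one keeps working for Tomcat versions whose default ciphers predate TLS 1.3, while the proposed setCipherSuites rejects a TLSv1.3 configuration with no TLS 1.3 suite. The ctx dict, the split helper and the "TLS_ prefix means TLS 1.3 suite" rule are assumptions about how the native side would separate the two OpenSSL lists.

```python
# Constructed model, not Tomcat Native code. OpenSSL takes TLS 1.2-and-below
# ciphers and TLS 1.3 suites as two separate lists, so a single Tomcat
# "ciphers" string has to be split before it reaches the native layer.

# Cipher strings quoted in the thread: the old default and the TLS 1.3 tail
# that the newer default appends to it.
OLD_DEFAULT_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
TLS13_DEFAULT_SUITES = ("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
                        "TLS_AES_128_GCM_SHA256")


def split_cipher_string(ciphers):
    """Return (tls12_cipher_list, tls13_ciphersuites) from one ':'-joined value.

    Assumption: TLS 1.3 suites carry IANA TLS_* names; everything else is
    OpenSSL cipher-list syntax (HIGH, !aNULL, ...) kept in order for TLS 1.2.
    """
    tls12, tls13 = [], []
    for token in filter(None, (t.strip() for t in ciphers.split(":"))):
        (tls13 if token.startswith("TLS_") else tls12).append(token)
    return ":".join(tls12), ":".join(tls13)


def new_ctx(protocols):
    """Stand-in for the native SSL_CTX handle (the 'long ctx' JNI argument)."""
    return {"protocols": set(protocols), "cipher_list": "", "ciphersuites": ""}


def set_cipher_suite(ctx, ciphers):
    """Old entry point, used by Tomcat <= 9.0.113 / 10.1.50 / 11.0.15.

    Their default ciphers value has no TLS 1.3 suites, so an empty TLS 1.3
    list is filled in with the TLS 1.3 defaults instead of being rejected.
    """
    tls12, tls13 = split_cipher_string(ciphers)
    ctx["cipher_list"] = tls12
    ctx["ciphersuites"] = tls13 or TLS13_DEFAULT_SUITES
    return True


def set_cipher_suites(ctx, ciphers):
    """Proposed entry point (note the trailing 's'), used by newer Tomcat.

    The caller passes an explicit value, so enabling TLSv1.3 without any
    TLS 1.3 suite is a configuration error and the method returns False.
    """
    tls12, tls13 = split_cipher_string(ciphers)
    if "TLSv1.3" in ctx["protocols"] and not tls13:
        return False
    ctx["cipher_list"] = tls12
    ctx["ciphersuites"] = tls13
    return True
```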
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]