
Enable TLS 1.3 on Tomcat

Open hwupathum opened this issue 1 year ago • 3 comments

TLS 1.3, which is the latest version of the TLS protocol, is not enabled by default in wso2-is.

Additional Information

OpenSSL can be used to check if TLS 1.3 is enabled.

echo Q | timeout 1 openssl s_client -connect localhost:9443 -tls1_3 2>/dev/null

Using the following config can enable TLS 1.3:

[transport.https.sslHostConfig.properties]
protocols = "TLSv1+TLSv1.1+TLSv1.2+TLSv1.3"

hwupathum avatar Dec 06 '23 10:12 hwupathum
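The one-liner above only tells you whether a single `-tls1_3` handshake succeeds. The script below is an added example (not part of the issue or the product-is repository) that generalises it: it runs `openssl s_client` once per protocol version against a host and port (defaulting to the `localhost:9443` used above) and reports which versions the server actually negotiates, so the result of the `protocols` change can be verified in one pass. The `negotiated_protocol` helper reads the `New, <proto>, Cipher is <cipher>` summary line, which is `New, (NONE), Cipher is (NONE)` when the handshake fails; the function names and the 5-second timeout are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the issue): probe a TLS endpoint with openssl
# s_client once per protocol version and report which versions the server
# negotiates. Usage: sh tls_probe.sh [host] [port]  (defaults: localhost 9443)

# negotiated_protocol: read openssl s_client output on stdin and print the
# protocol from the "New, <proto>, Cipher is <cipher>" summary line, or
# "NONE" when the handshake failed (s_client then prints "New, (NONE), ...")
# or the line is missing entirely (e.g. connection refused, openssl absent).
negotiated_protocol() {
  awk '
    /^New, / { proto = $2; sub(/,$/, "", proto) }
    END      { if (proto == "" || proto == "(NONE)") print "NONE"; else print proto }
  '
}

# probe_version: attempt one handshake restricted to a single version
# (flag such as -tls1_2) and print "<label>: negotiated" or "<label>: refused".
# "Q" on stdin makes s_client close the session right after the handshake,
# as in the issue's one-liner.
probe_version() {
  host=$1; port=$2; flag=$3; label=$4
  got=$(echo Q | timeout 5 openssl s_client -connect "$host:$port" "$flag" 2>/dev/null | negotiated_protocol)
  if [ "$got" = "$label" ]; then
    printf '%s: negotiated\n' "$label"
  else
    printf '%s: refused\n' "$label"
  fi
}

# probe_all: walk every TLS version the Tomcat "protocols" setting can list.
probe_all() {
  host=${1:-localhost}; port=${2:-9443}
  probe_version "$host" "$port" -tls1   TLSv1
  probe_version "$host" "$port" -tls1_1 TLSv1.1
  probe_version "$host" "$port" -tls1_2 TLSv1.2
  probe_version "$host" "$port" -tls1_3 TLSv1.3
}

# Only probe when a host/port was given on the command line, so the helper
# functions can also be sourced and tested without network access.
if [ $# -gt 0 ]; then
  probe_all "$@"
fi
```

The summary line is used rather than the `Protocol :` field of the `SSL-Session:` block because recent OpenSSL versions still print that field (with `Cipher : 0000`) after a failed handshake, which would make a refused version look enabled. Seeing `TLSv1: negotiated` or `TLSv1.1: negotiated` in the output is itself a finding: the config in the issue lists those versions for completeness, and a hardened deployment would normally trim the `protocols` value down to `TLSv1.2+TLSv1.3`.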

The related PRs are merged. Can be closed after the next kernel release

hwupathum avatar Feb 08 '24 05:02 hwupathum

Reverted the changes with https://github.com/wso2/product-is/pull/19581 due to the issue https://github.com/wso2/product-is/issues/19575

CC: @hwupathum , @Thisara-Welmilla

UdeshAthukorala avatar Feb 14 '24 12:02 UdeshAthukorala

When TLS 1.3 is enabled, the following warning can be seen in the logs:

[2024-02-20 11:00:02,343] []  WARN {org.apache.tomcat.util.net.SSLUtilBase} - The JSSE TLS 1.3 implementation does not support post handshake authentication (PHA) and is therefore incompatible with optional certificate authentication

TLS 1.3 post-handshake authentication is not implemented in the JSSE implementation: https://bugs.openjdk.org/browse/JDK-8206923.

The solution is to either disable the config (certificateVerification in SSLHostConfig) or use Tomcat's native bindings for APR/OpenSSL. https://stackoverflow.com/questions/64182147/springboot-mvc-warning-org-apache-tomcat-util-net-sslutilbase-the-jsse-tls

hwupathum avatar Feb 20 '24 05:02 hwupathum