| Summary: | Enabling TLSv1.3 with the APR connector breaks TLSv1.0 and TLSv1.1 | ||
|---|---|---|---|
| Product: | Tomcat Native | Reporter: | Dean Rasheed <dean.a.rasheed> |
| Component: | Library | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | ||
| Priority: | P2 | ||
| Version: | 1.2.18 | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Attachments: | Fix the code that scans for the minimal protocol version number if TLSv1.3 is enabled | ||
Thanks for the report and the patch. I've applied the patch for 1.2.19 onwards. I'll start looking at getting a release out with a view to picking up this fix in the next round of Tomcat releases. |
Created attachment 36275 [details] Fix the code that scans for the minimal protocol version number if TLSv1.3 is enabled I'm using Tomcat 8.5 with the APR connector and OpenSSL 1.1.1. I just upgraded to Tomcat 8.5.35 / Tomcat Native 1.2.18 and found that if TLSv1.3 is enabled (which it is by default with the default setting of protocols="all"), support for TLSv1.0 and TLSv1.1 gets disabled, breaking older clients. I can work around this by disabling TLSv1.3, for example, by setting protocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" but as soon as I add TLSv1.3, TLSv1.0 and TLSv1.1 get disabled. Looking into it, this appears to be a fairly trivial copy-and-paste error in the Tomcat Native code in sslcontext.c -- when scanning for the minimal protocol version number to pass to SSL_CTX_set_min_proto_version(), the code in the "#ifdef HAVE_TLSV1_3" block should not have a dangling "else" clause, because (unlike the preceding code to find the maximum protocol version number), this is a series of "if" tests, not an if-else-if-else chain. Attached is a patch which I've tested using SSLLabs, and confirmed that it allows all TLS versions to be enabled, and retains compatibility against older clients.