Created attachment 36275: Fix the code that scans for the minimal protocol version number if TLSv1.3 is enabled

I'm using Tomcat 8.5 with the APR connector and OpenSSL 1.1.1. I just upgraded to Tomcat 8.5.35 / Tomcat Native 1.2.18 and found that if TLSv1.3 is enabled (which it is by default with the default setting of protocols="all"), support for TLSv1.0 and TLSv1.1 gets disabled, breaking older clients.

I can work around this by disabling TLSv1.3, for example by setting protocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2", but as soon as I add TLSv1.3, TLSv1.0 and TLSv1.1 get disabled.

Looking into it, this appears to be a fairly trivial copy-and-paste error in the Tomcat Native code in sslcontext.c -- when scanning for the minimal protocol version number to pass to SSL_CTX_set_min_proto_version(), the code in the "#ifdef HAVE_TLSV1_3" block should not have a dangling "else" clause, because (unlike the preceding code to find the maximum protocol version number) this is a series of "if" tests, not an if-else-if-else chain.

Attached is a patch which I've tested using SSLLabs; it allows all TLS versions to be enabled and retains compatibility with older clients.
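To make the mechanism in the report concrete, here is an added, constructed C model of the two version scans; it is not Tomcat Native's sslcontext.c and does not call OpenSSL. The flag names, the parser for the Tomcat `protocols` attribute, the test order inside each scan and the `HAVE_TLSV1_3` define are all assumptions made for the illustration (the `VER_*` values are the TLS record-layer version numbers, the same values OpenSSL uses for `TLS1_VERSION` through `TLS1_3_VERSION`). Because the order of the `if` tests is assumed, the version the bug drops in this model (TLSv1.2, for a `TLSv1.2,TLSv1.3` list) differs from the TLSv1.0/TLSv1.1 loss seen in the report; what is the same is the mechanism the report describes: an `else` that sits inside a `#ifdef` block binds to the first `if` after `#endif`, so with TLSv1.3 enabled that next test is silently skipped.

```c
#include <stdio.h>
#include <string.h>

#define HAVE_TLSV1_3 1   /* assumption: an OpenSSL 1.1.1 build, as in the report */

/* Constructed flags, one bit per token of Tomcat's "protocols" attribute. */
enum {
    PROTO_SSLV2HELLO = 1u << 0,   /* hello format only, carries no version of its own */
    PROTO_TLSV1      = 1u << 1,
    PROTO_TLSV1_1    = 1u << 2,
    PROTO_TLSV1_2    = 1u << 3,
    PROTO_TLSV1_3    = 1u << 4
};
#define PROTO_ALL (PROTO_SSLV2HELLO | PROTO_TLSV1 | PROTO_TLSV1_1 | PROTO_TLSV1_2 | PROTO_TLSV1_3)

/* TLS record-layer version numbers (same values as OpenSSL's TLS1_*_VERSION). */
#define VER_TLS1_0 0x0301
#define VER_TLS1_1 0x0302
#define VER_TLS1_2 0x0303
#define VER_TLS1_3 0x0304

/* Parse a Tomcat-style protocols attribute: "all" or a comma-separated list.
   Unknown tokens are ignored in this model. */
unsigned parse_protocols(const char *spec) {
    if (strcmp(spec, "all") == 0)
        return PROTO_ALL;
    unsigned flags = 0;
    char buf[128];
    strncpy(buf, spec, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        if (strcmp(tok, "SSLv2Hello") == 0)   flags |= PROTO_SSLV2HELLO;
        else if (strcmp(tok, "TLSv1") == 0)   flags |= PROTO_TLSV1;
        else if (strcmp(tok, "TLSv1.1") == 0) flags |= PROTO_TLSV1_1;
        else if (strcmp(tok, "TLSv1.2") == 0) flags |= PROTO_TLSV1_2;
        else if (strcmp(tok, "TLSv1.3") == 0) flags |= PROTO_TLSV1_3;
    }
    return flags;
}

/* Maximum version: highest enabled. An if / else-if chain is correct here,
   because the tests run highest first and the first match is the answer. */
int max_proto_version(unsigned protocols) {
    int prot = 0;
#ifdef HAVE_TLSV1_3
    if (protocols & PROTO_TLSV1_3)
        prot = VER_TLS1_3;
    else
#endif
    if (protocols & PROTO_TLSV1_2)
        prot = VER_TLS1_2;
    else if (protocols & PROTO_TLSV1_1)
        prot = VER_TLS1_1;
    else if (protocols & PROTO_TLSV1)
        prot = VER_TLS1_0;
    return prot;
}

/* Minimum version, buggy variant modelled on the report: the TLSv1.3 block was
   copied from the max scan together with its trailing "else". That "else"
   binds to the TLSv1.2 test that follows #endif, so the test is skipped
   whenever TLSv1.3 is enabled. */
int min_proto_version_buggy(unsigned protocols) {
    int prot = 0;
#ifdef HAVE_TLSV1_3
    if (protocols & PROTO_TLSV1_3)
        prot = VER_TLS1_3;
    else                        /* the dangling else */
#endif
    if (protocols & PROTO_TLSV1_2)
        prot = VER_TLS1_2;
    if (protocols & PROTO_TLSV1_1)
        prot = VER_TLS1_1;
    if (protocols & PROTO_TLSV1)
        prot = VER_TLS1_0;
    return prot;
}

/* Minimum version, fixed: a plain series of ifs, highest first. Every
   matching test overwrites, so the last match (the lowest enabled) wins. */
int min_proto_version_fixed(unsigned protocols) {
    int prot = 0;
#ifdef HAVE_TLSV1_3
    if (protocols & PROTO_TLSV1_3)
        prot = VER_TLS1_3;
#endif
    if (protocols & PROTO_TLSV1_2)
        prot = VER_TLS1_2;
    if (protocols & PROTO_TLSV1_1)
        prot = VER_TLS1_1;
    if (protocols & PROTO_TLSV1)
        prot = VER_TLS1_0;
    return prot;
}

int main(void) {
    /* Constructed sample configurations, including the two from the report. */
    const char *configs[] = { "all", "SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2", "TLSv1.2,TLSv1.3" };
    for (size_t i = 0; i < sizeof configs / sizeof configs[0]; i++) {
        unsigned p = parse_protocols(configs[i]);
        printf("%-34s max=0x%04x min(buggy)=0x%04x min(fixed)=0x%04x\n", configs[i],
               max_proto_version(p), min_proto_version_buggy(p), min_proto_version_fixed(p));
    }
    return 0;
}
```

The practical check this gives a maintainer is the pair of scan functions under a unit test: for every configuration, the computed minimum must equal the lowest enabled version and the maximum the highest, which is exactly the property the report verified externally with SSLLabs.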
Thanks for the report and the patch. I've applied the patch for 1.2.19 onwards. I'll start looking at getting a release out with a view to picking up this fix in the next round of Tomcat releases.