Steps to reproduce:

1. Download the Tomcat 8.5.0 release candidate.
2. Uncomment the following configuration:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig honorCipherOrder="false" >
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->

3. Adjust the certificate configuration.
4. Start Tomcat.

Observed result:

A NoSuchMethodException appears in standard output.

22-Mar-2016 13:51:30.539 WARNING [main] org.apache.tomcat.util.IntrospectionUtils.setProperty IntrospectionUtils: InvocationTargetException for class org.apache.tomcat.util.net.SSLHostConfig honorCipherOrder=false)
 java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.tomcat.util.IntrospectionUtils.setProperty(IntrospectionUtils.java:126)
	at org.apache.tomcat.util.IntrospectionUtils.setProperty(IntrospectionUtils.java:47)
	at org.apache.tomcat.util.digester.SetPropertiesRule.begin(SetPropertiesRule.java:72)
	at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1188)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:509)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1363)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2786)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:510)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:848)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:777)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
	at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:648)
	at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1461)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:578)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.UnsupportedOperationException: Java Runtime does not support "useServerCipherSuitesOrder". You must use Java 8 or later to use this feature.
	at org.apache.tomcat.util.net.SSLHostConfig.setHonorCipherOrder(SSLHostConfig.java:354)
	... 27 more
Caused by: java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setUseCipherSuitesOrder(boolean)
	at java.lang.Class.getMethod(Class.java:1670)
	at org.apache.tomcat.util.net.SSLHostConfig.setHonorCipherOrder(SSLHostConfig.java:352)
	... 27 more

Suggested fix:

In conf/server.xml, remove honorCipherOrder="false" from the default configuration:

    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
Created attachment 33689: remove honorCipherOrder in SSLConfig configuration
Hi,

Thanks for the report and the patch. The fix will be available from 9.0.0.M5 and 8.5.1 onwards.

Regards,
Violeta
Hi Violeta,

Should this patch be applied to 9.0.0.x? My main concern is: Tomcat needs to be configured with honorCipherOrder="false", otherwise Tomcat will prefer a cipher suite that is blacklisted by HTTP/2. [1]

[1] http://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/coyote/http2/Http2UpgradeHandler.html
(In reply to Huxing Zhang from comment #3) > Hi Violeta, > > Should this patch be applied to 9.0.0.x? I main concern is: > Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat > will prefer a cipher suite that is blacklisted by HTTP/2. [1] Yep you are right I'll revert that in 9.0.0.x Thanks, Violeta > [1] > http://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/coyote/http2/ > Http2UpgradeHandler.html
(In reply to Huxing Zhang from comment #3) > Hi Violeta, > > Should this patch be applied to 9.0.0.x? I main concern is: > Tomcat needs to be configured with honorCipherOrder="false" otherwise Tomcat > will prefer a cipher suite that is blacklisted by HTTP/2. If that cipher suite has been blacklisted by h2, then why are you specifying it in your cipher suites list, or why are you specifying it early in the list of supported cipher suites?
Hi,

I think specifying cipher suites is another solution, but it may be more complicated, because:

1) we don't know which HTTP version the client will use, HTTP/1.x over TLS or HTTP/2 over TLS;
2) different clients may support different protocols, e.g. ECDHE-ECDSA-CHACHA20-POLY1305 is only supported by Chrome.

You have to care about the cipher list, as well as the cipher order.
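The two questions that run through this thread, whether the JVM actually has the API behind honorCipherOrder (the stack trace in the report) and which suites in the server's preference order an HTTP/2 peer would refuse (the comment above), can both be answered on a host before editing server.xml. The program below is an added diagnostic written for this page; it is not Tomcat code or the reporter's patch. It reproduces the same reflective probe Tomcat's SSLHostConfig.setHonorCipherOrder performs against javax.net.ssl.SSLParameters, then lists the JSSE provider's enabled suites in order. The HTTP/2 check is a heuristic based on the RFC 7540 section 9.2.2 rule (ephemeral key exchange plus an AEAD cipher), not the literal Appendix A black list, and the class name and output format are my own choices.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Added diagnostic (not Tomcat code). Run it with the JVM that will start
 * Tomcat:  java CipherOrderCheck
 */
public class CipherOrderCheck {

    /**
     * Mirrors Tomcat's reflective lookup: SSLParameters.setUseCipherSuitesOrder
     * exists from Java 8 on. On Java 7 getMethod throws NoSuchMethodException,
     * which is what the report's stack trace shows wrapped in an
     * UnsupportedOperationException.
     */
    static boolean runtimeSupportsCipherSuiteOrder() {
        try {
            Method m = SSLParameters.class.getMethod("setUseCipherSuitesOrder", boolean.class);
            return m != null;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    /**
     * Heuristic for RFC 7540 section 9.2.2: HTTP/2 over TLS 1.2 must use a
     * suite with ephemeral key exchange (DHE/ECDHE) and an AEAD cipher
     * (GCM, CCM, ChaCha20-Poly1305). Works on JSSE/IANA names such as
     * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and on OpenSSL names such as
     * ECDHE-ECDSA-CHACHA20-POLY1305 (the APR connector uses the latter).
     */
    static boolean acceptableForHttp2(String suite) {
        String s = suite.toUpperCase();
        // TLS 1.3 suites always use ephemeral key exchange and AEAD ciphers.
        if (s.startsWith("TLS_AES_") || s.startsWith("TLS_CHACHA20_")) {
            return true;
        }
        boolean ephemeral = s.contains("ECDHE") || s.contains("DHE");
        boolean aead = s.contains("GCM") || s.contains("CCM") || s.contains("CHACHA20");
        return ephemeral && aead;
    }

    /** Suites, in the given preference order, that the heuristic rejects for HTTP/2. */
    static List<String> rejectedInOrder(String[] enabledSuites) {
        List<String> out = new ArrayList<String>();
        for (String s : enabledSuites) {
            if (!acceptableForHttp2(s)) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("SSLParameters.setUseCipherSuitesOrder available: "
                + runtimeSupportsCipherSuiteOrder());

        // The provider's enabled suites in its preference order. With
        // honorCipherOrder="true" this is the order the server would impose,
        // so the first entry is what an HTTP/2 client would be steered to.
        String[] enabled = SSLContext.getDefault().createSSLEngine().getEnabledCipherSuites();
        System.out.println("enabled suites (server preference order):");
        for (int i = 0; i < enabled.length; i++) {
            String flag = acceptableForHttp2(enabled[i]) ? "ok" : "h2-rejected";
            System.out.printf("  %2d. [%-11s] %s%n", i + 1, flag, enabled[i]);
        }
        if (enabled.length > 0 && !acceptableForHttp2(enabled[0])) {
            System.out.println("First preferred suite would be rejected by HTTP/2;"
                    + " adjust the cipher list or its order before enabling honorCipherOrder.");
        }
        System.out.println("suites the heuristic rejects: " + rejectedInOrder(enabled).size());

        // Constructed sample from the thread: the OpenSSL-style name passes the rule.
        System.out.println("ECDHE-ECDSA-CHACHA20-POLY1305 acceptable for h2: "
                + acceptableForHttp2("ECDHE-ECDSA-CHACHA20-POLY1305"));
    }
}
```

The reflection probe is the part that explains the report: it is the same lookup SSLHostConfig performs, so a false result on the target JVM means honorCipherOrder in server.xml will fail at startup regardless of its value. The ordered listing is the part that bears on the follow-up discussion: whether you keep honorCipherOrder="false" (let the client pick) or set it to true with a curated cipher list, the entries flagged h2-rejected near the top of the list are the ones that would make an HTTP/2 negotiation fail.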