|Summary:||Enabling TLSv1.3 with the APR connector breaks TLSv1.0 and TLSv1.1|
|Product:||Tomcat Native||Reporter:||Dean Rasheed <dean.a.rasheed>|
|Component:||Library||Assignee:||Tomcat Developers Mailing List <dev>|
|Attachments:||Fix the code that scans for the minimal protocol version number if TLSv1.3 is enabled|
Description Dean Rasheed 2018-11-23 10:23:18 UTC
Created attachment 36275 [details] Fix the code that scans for the minimal protocol version number if TLSv1.3 is enabled I'm using Tomcat 8.5 with the APR connector and OpenSSL 1.1.1. I just upgraded to Tomcat 8.5.35 / Tomcat Native 1.2.18 and found that if TLSv1.3 is enabled (which it is by default with the default setting of protocols="all"), support for TLSv1.0 and TLSv1.1 gets disabled, breaking older clients. I can work around this by disabling TLSv1.3, for example, by setting protocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" but as soon as I add TLSv1.3, TLSv1.0 and TLSv1.1 get disabled. Looking into it, this appears to be a fairly trivial copy-and-paste error in the Tomcat Native code in sslcontext.c -- when scanning for the minimal protocol version number to pass to SSL_CTX_set_min_proto_version(), the code in the "#ifdef HAVE_TLSV1_3" block should not have a dangling "else" clause, because (unlike the preceding code to find the maximum protocol version number), this is a series of "if" tests, not an if-else-if-else chain. Attached is a patch which I've tested using SSLLabs, and confirmed that it allows all TLS versions to be enabled, and retains compatibility against older clients.
Comment 1 Mark Thomas 2018-11-23 12:44:39 UTC
Thanks for the report and the patch. I've applied the patch for 1.2.19 onwards. I'll start looking at getting a release out with a view to picking up this fix in the next round of Tomcat releases.