Bug 62944

Summary: Enabling TLSv1.3 with the APR connector breaks TLSv1.0 and TLSv1.1
Product: Tomcat Native Reporter: Dean Rasheed <dean.a.rasheed>
Component: LibraryAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 1.2.18   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: Fix the code that scans for the minimal protocol version number if TLSv1.3 is enabled

Description Dean Rasheed 2018-11-23 10:23:18 UTC
Created attachment 36275 [details]
Fix the code that scans for the minimal protocol version number if TLSv1.3 is enabled

I'm using Tomcat 8.5 with the APR connector and OpenSSL 1.1.1. I just
upgraded to Tomcat 8.5.35 / Tomcat Native 1.2.18 and found that if
TLSv1.3 is enabled (which it is by default with the default setting of
protocols="all"), support for TLSv1.0 and TLSv1.1 gets disabled, breaking
older clients.

I can work around this by disabling TLSv1.3, for example, by setting


but as soon as I add TLSv1.3, TLSv1.0 and TLSv1.1 get disabled.

Looking into it, this appears to be a fairly trivial copy-and-paste
error in the Tomcat Native code in sslcontext.c -- when scanning for
the minimal protocol version number to pass to
SSL_CTX_set_min_proto_version(), the code in the "#ifdef HAVE_TLSV1_3"
block should not have a dangling "else" clause, because (unlike the
preceding code to find the maximum protocol version number), this is a
series of "if" tests, not an if-else-if-else chain.

Attached is a patch which I've tested using SSLLabs, and confirmed that it 
allows all TLS versions to be enabled, and retains compatibility against 
older clients.
Comment 1 Mark Thomas 2018-11-23 12:44:39 UTC
Thanks for the report and the patch. I've applied the patch for 1.2.19 onwards.

I'll start looking at getting a release out with a view to picking up this fix in the next round of Tomcat releases.