Bug 65401 - do not silently fail on javax.net.ssl.SSLHandshakeException "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: 9.0.43
Hardware: All
OS: Linux
Importance: P2 enhancement
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-28 09:44 UTC by Ralf Hauser
Modified: 2022-06-13 18:47 UTC
Description Ralf Hauser 2021-06-28 09:44:57 UTC
Upgrading from java8 to java11 to enable TLSv1.3 

  openssl s_client -tls1_3 -connect localhost:8443

failed miserably with no traces in the usual logs.

Turns out that the problem is

javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
	at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:163)
	at java.base/sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
	at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:218)
	at java.base/sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:103)
	at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:360)


with the statement
    sslEngine.beginHandshake();

Suggestions:
1) catch this exception around SecureNioChannel:360, print out the protocol(s) and cipher(s) currently enabled and then re-throw or wrap the exception with an enclosing exception with this info
2) In NioEndPoint$SocketProcessor.doRun():1674 do not only log at debug granularity, but in this case with "warn", as no ssl-handshake will ever work
3) in https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
  a) mention TLSv1.3
  b) say that it might have different ciphers than TLSv1.2 without overlap
(even https://www.ssllabs.com/ssltest/analyze.html?d=www.ssllabs.com only has 3)
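The failure in the report is reproducible without Tomcat: the JDK throws "No appropriate protocol" from the handshake-context constructor when none of the enabled protocols has at least one enabled cipher suite that supports it, which is exactly what happens when TLSv1.3 is enabled with a cipher list written for TLSv1.2 (the two protocol versions share no suites). The following is an added example, not code from the bug report or from Tomcat, that triggers the exception with a bare server-mode SSLEngine and then implements the reporter's suggestion 1 by re-throwing it with the enabled protocols and suites attached. It assumes JDK 11 or later; the class and method names and the two cipher configurations are constructed for the example.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

// Added example, not code from the bug report or from Tomcat. Reproduces the
// "No appropriate protocol" failure with a bare SSLEngine (JDK 11 or later
// assumed) and applies the reporter's suggestion 1: catch the exception at
// beginHandshake() and re-throw it with the protocol/cipher configuration
// attached. Class and method names are hypothetical.
public class TlsProtocolCipherOverlap {

    // Constructed configurations. The first enables TLSv1.3 but only a
    // TLS 1.2 cipher suite, so no enabled protocol has a usable suite.
    static final String[] TLS12_SUITE_ONLY = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };
    // The second adds one TLS 1.3 suite; TLSv1.3 now has a suite it can use.
    static final String[] WITH_TLS13_SUITE = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_AES_128_GCM_SHA256"
    };

    static SSLEngine serverEngine(String[] protocols, String[] suites) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No key material: the protocol/suite check fires in the handshake
        // context constructor, before any handshake message is processed.
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setEnabledProtocols(protocols);
        engine.setEnabledCipherSuites(suites);
        return engine;
    }

    // Suggestion 1 from the report: wrap the JDK exception with the
    // configuration that produced it, so the log line is self-explanatory.
    static void beginHandshakeOrExplain(SSLEngine engine) throws SSLException {
        try {
            engine.beginHandshake();
        } catch (SSLHandshakeException e) {
            SSLHandshakeException wrapped = new SSLHandshakeException(
                e.getMessage()
                + " [enabledProtocols=" + Arrays.toString(engine.getEnabledProtocols())
                + ", enabledCipherSuites=" + Arrays.toString(engine.getEnabledCipherSuites()) + "]");
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    // Pre-check that can run at connector start-up: a TLSv1.3-only listener
    // needs at least one TLS 1.3 suite. JSSE names TLS 1.3 suites without
    // "_WITH_" (e.g. TLS_AES_128_GCM_SHA256); "_SCSV" entries are signalling
    // values, not suites.
    static boolean hasTls13Suite(String[] suites) {
        for (String s : suites) {
            if (!s.contains("_WITH_") && !s.endsWith("_SCSV")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String[] protocols = { "TLSv1.3" };
        for (String[] suites : new String[][] { TLS12_SUITE_ONLY, WITH_TLS13_SUITE }) {
            System.out.println("suites " + Arrays.toString(suites)
                + ": TLS 1.3 suite present = " + hasTls13Suite(suites));
            SSLEngine engine = serverEngine(protocols, suites);
            try {
                beginHandshakeOrExplain(engine);
                System.out.println("  beginHandshake() ok, status = " + engine.getHandshakeStatus());
            } catch (SSLHandshakeException e) {
                System.out.println("  " + e.getMessage());
            }
        }
    }
}
```

The first configuration fails at beginHandshake() with the same message and the same HandshakeContext origin as the stack trace in the report; the second succeeds because TLSv1.3 now has a suite it can activate. The wrapped message is what a connector would log at warn level, and the hasTls13Suite() check is the kind of start-up validation that would catch the misconfiguration before any client connects.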
Comment 1 Mark Thomas 2022-06-13 18:47:08 UTC
I've spent a bit of time looking into this today.

It appears that the TLS error messages have been improved and that a clearer exception is thrown from a different point in the process.

I have also added a dedicated logger for TLS handshake failures. If you only want debug logging for handshake failures then you can enable debug logging for

org.apache.tomcat.util.net.NioEndpoint.handshake

or

org.apache.tomcat.util.net.Nio2Endpoint.handshake

as appropriate.

With a recent JRE and latest Tomcat, I think this is addressed. If there is still a combination where the error message is missing / unhelpful feel free to re-open this issue and provide the configuration details and openssl client command to trigger the issue and we can take another look.
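An added example of the logger configuration described in the comment above, not text from the bug or from the Tomcat documentation: in Tomcat's JULI configuration, debug corresponds to level FINE, so the handshake-failure logger is enabled with one line in conf/logging.properties. It assumes the default logging.properties, whose console and file handlers already pass FINE records through; use the Nio2Endpoint logger name instead when the connector runs on NIO2.

```properties
# Added example: debug logging for TLS handshake failures only, on the NIO
# connector (not the whole org.apache.tomcat.util.net package).
org.apache.tomcat.util.net.NioEndpoint.handshake.level = FINE
```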