Upgrading from Java 8 to Java 11 to enable TLSv1.3, openssl s_client -tls1_3 -connect localhost:8443 failed miserably with no traces in the usual logs. Turns out that the problem is:

    javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:163)
        at java.base/sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
        at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:218)
        at java.base/sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:103)
        at org.apache.tomcat.util.net.SecureNioChannel.processSNI(SecureNioChannel.java:360)

with the statement sslEngine.beginHandshake();

Suggestions:

1) Catch this exception around SecureNioChannel:360, print out the protocol(s) and cipher(s) currently enabled, and then re-throw or wrap the exception with an enclosing exception carrying this info.

2) In NioEndPoint$SocketProcessor.doRun():1674, do not only log at debug granularity; in this case log at "warn", as no SSL handshake will ever work.

3) In https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html: a) mention TLSv1.3; b) say that it might have different ciphers than TLSv1.2 without overlap (even https://www.ssllabs.com/ssltest/analyze.html?d=www.ssllabs.com only has 3).
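The failure described in the report comes from the JDK's SSLEngine discarding every enabled protocol for which no enabled cipher suite applies: TLS 1.3 uses its own suite names (TLS_AES_128_GCM_SHA256 and friends), so a cipher list carried over unchanged from a TLSv1.2-only connector leaves TLSv1.3 with nothing to negotiate. The following stand-alone Java 11 program is an added example, not code from the reporter or from Tomcat; it does what suggestion 1 asks for outside the container: build a server-side SSLEngine with a given protocol and cipher list, print what is actually enabled, warn when TLSv1.3 is enabled without any TLS 1.3 suite, and show whether beginHandshake() succeeds. The class name, the check() and tls13Overlap() helpers and the LEGACY_CIPHERS list are constructed for this example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

// Hypothetical diagnostic class, not part of Tomcat.
public class TlsConfigCheck {

    // TLS 1.3 cipher suites (RFC 8446). None of the TLS 1.2 "TLS_ECDHE_*"
    // suites apply to TLS 1.3, so a TLS 1.2-only list gives TLSv1.3 nothing to use.
    static final List<String> TLS13_SUITES = Arrays.asList(
            "TLS_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256",
            "TLS_CHACHA20_POLY1305_SHA256");

    // Constructed example of a cipher list copied unchanged from a TLSv1.2-only connector.
    static final String[] LEGACY_CIPHERS = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    };

    /** Returns the TLS 1.3 suites present in an enabled-suite list (empty means TLSv1.3 cannot work). */
    static List<String> tls13Overlap(String[] enabledSuites) {
        return Arrays.stream(enabledSuites)
                .filter(TLS13_SUITES::contains)
                .collect(Collectors.toList());
    }

    /** Builds a server-side engine with the given protocols and suites and reports whether a handshake can start. */
    static void check(String[] protocols, String[] ciphers) throws NoSuchAlgorithmException {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);            // server side, as in Tomcat's connector
        engine.setEnabledProtocols(protocols);
        engine.setEnabledCipherSuites(ciphers);    // throws IllegalArgumentException for unknown suite names

        System.out.println("enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("enabled ciphers:   " + Arrays.toString(engine.getEnabledCipherSuites()));

        if (Arrays.asList(engine.getEnabledProtocols()).contains("TLSv1.3")
                && tls13Overlap(engine.getEnabledCipherSuites()).isEmpty()) {
            System.out.println("WARNING: TLSv1.3 is enabled but no TLS 1.3 cipher suite is enabled");
        }

        try {
            // This is the call that fails in the report's stack trace (SSLEngineImpl.beginHandshake).
            engine.beginHandshake();
            System.out.println("handshake can start");
        } catch (SSLException e) {
            System.out.println("handshake cannot start: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // 1) TLSv1.3 enabled with TLS 1.2-only suites: "No appropriate protocol ..."
        check(new String[] {"TLSv1.3"}, LEGACY_CIPHERS);
        // 2) Same protocol with TLS 1.3 suites: handshake can start
        check(new String[] {"TLSv1.3"}, TLS13_SUITES.toArray(new String[0]));
        // 3) Both protocols with both suite families: the usual migration target
        String[] both = Arrays.copyOf(LEGACY_CIPHERS, LEGACY_CIPHERS.length + TLS13_SUITES.size());
        System.arraycopy(TLS13_SUITES.toArray(new String[0]), 0, both, LEGACY_CIPHERS.length, TLS13_SUITES.size());
        check(new String[] {"TLSv1.2", "TLSv1.3"}, both);
    }
}
```

Run it on JDK 11 or later with `java TlsConfigCheck.java`. The first call reproduces the exception from the report at beginHandshake(), which is the point where the connector in the report had nothing more to say; the WARNING line printed just before it is the information suggestion 1 asks Tomcat to surface. The same overlap check is worth running against a connector's `protocols` and `ciphers` attributes whenever TLSv1.3 is added to an existing configuration.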
I've spent a bit of time looking into this today. It appears that the TLS error messages have been improved and that a clearer exception is thrown from a different point in the process. I have also added a dedicated logger for TLS handshake failures. If you only want debug logging for handshake failures, then you can enable debug logging for org.apache.tomcat.util.net.NioEndpoint.handshake or org.apache.tomcat.util.net.Nio2Endpoint.handshake as appropriate. With a recent JRE and the latest Tomcat, I think this is addressed. If there is still a combination where the error message is missing or unhelpful, feel free to re-open this issue and provide the configuration details and the openssl client command to trigger the issue, and we can take another look.