JWS hits startup error when setting ciphers for TLSv1.3 on an OpenSSLImplementation

Solution Unverified - Updated -

Issue

  • We've installed JWS Tomcat with its native libraries and have configured an HTTPS connector with TLSv1.3 and the OpenSSLImplementation:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               maxThreads="150" SSLEnabled="true">
        <!-- protocols is restricted to TLSv1.3 and ciphers names a single TLSv1.3 suite -->
        <SSLHostConfig protocols="TLSv1.3"
                       ciphers="TLS_AES_256_GCM_SHA384">
            <Certificate certificateKeystoreFile="conf/application.keystore"
                         certificateKeystoreType="JKS"
                         certificateKeystorePassword="password"/>
        </SSLHostConfig>
    </Connector>
  • If we set its cipher, the connector has a startup error. This doesn't occur if using TLSv1.2 with OpenSSL or TLSv1.3 with the JSSEImplementation:
org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
        java.lang.Exception: Unable to configure permitted SSL ciphers (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
                at org.apache.tomcat.jni.SSLContext.setCipherSuite(Native Method)
                at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:245)
                at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
                at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:232)
                at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1208)
                at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1221)
                at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
                at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardService.initInternal(StandardService.java:561)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1049)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.base/java.lang.reflect.Method.invoke(Method.java:566)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
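
The message in the trace is raised by OpenSSL itself, not by Tomcat: SSL_CTX_set_cipher_list only configures TLSv1.2-and-earlier ciphers and returns "no cipher match" when the string leaves that part of the list empty, because TLSv1.3 suites such as TLS_AES_256_GCM_SHA384 are configured through the separate SSL_CTX_set_ciphersuites call. The following is an added example, not code from this article, from Tomcat or from Red Hat. It uses Python's ssl module, whose SSLContext.set_ciphers() wraps the same SSL_CTX_set_cipher_list call, to reproduce the check without starting Tomcat. The TLSv1.3-only string is the one from the connector above; the TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384 used for comparison is an assumption chosen for the illustration.

```python
"""Reproduce the OpenSSL check behind 'SSL_CTX_set_cipher_list:no cipher match'.

Added example, not code from the Red Hat article or from Tomcat. Python's
ssl.SSLContext.set_ciphers() is a thin wrapper around SSL_CTX_set_cipher_list,
the OpenSSL call named in the stack trace, so the probe below exercises the
same rule that rejected the connector's cipher string.
"""
import ssl

# The cipher string from the connector on this page: a single TLSv1.3 suite.
TLS13_ONLY = "TLS_AES_256_GCM_SHA384"
# Assumed values for the comparison, not from the page: one TLSv1.2 suite on
# its own, and the same suite appended to the TLSv1.3 one.
TLS12_ONLY = "ECDHE-RSA-AES256-GCM-SHA384"
MIXED = TLS13_ONLY + ":" + TLS12_ONLY

OPENSSL_VERSION = ssl.OPENSSL_VERSION
# TLSv1.3 suites appear under their IANA names only with OpenSSL 1.1.1+
# (LibreSSL names them differently), so the TLSv1.3 checks are gated on this.
TLS13_AVAILABLE = ssl.HAS_TLSv1_3 and not OPENSSL_VERSION.startswith("LibreSSL")


def probe_cipher_list(cipher_string):
    """Hand cipher_string to SSL_CTX_set_cipher_list via set_ciphers().

    Returns a dict with: accepted (bool), error (str, empty when accepted),
    and the cipher names OpenSSL would actually offer after the call, split
    into the TLSv1.3 suites and the pre-1.3 ciphers.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # OpenSSL returned 0: after applying the string, the TLSv1.2-and-earlier
        # part of the list is empty. TLSv1.3 names are not matched by
        # SSL_CTX_set_cipher_list at all; they belong to SSL_CTX_set_ciphersuites.
        return {"accepted": False, "error": str(exc), "tls13": [], "pre_tls13": []}
    offered = ctx.get_ciphers()
    tls13 = [c["name"] for c in offered if c["protocol"] == "TLSv1.3"]
    pre_tls13 = [c["name"] for c in offered if c["protocol"] != "TLSv1.3"]
    return {"accepted": True, "error": "", "tls13": tls13, "pre_tls13": pre_tls13}


def main():
    print("OpenSSL backend:", OPENSSL_VERSION)
    cases = (
        ("TLSv1.3 only", TLS13_ONLY),
        ("TLSv1.2 only", TLS12_ONLY),
        ("both", MIXED),
    )
    for label, cipher_string in cases:
        result = probe_cipher_list(cipher_string)
        status = "accepted" if result["accepted"] else "REJECTED (%s)" % result["error"]
        print("%-13s %r: %s" % (label, cipher_string, status))
        if result["accepted"]:
            print("    TLSv1.3 suites offered :", ", ".join(result["tls13"]) or "-")
            print("    pre-1.3 ciphers offered:", ", ".join(result["pre_tls13"]) or "-")


if __name__ == "__main__":
    main()
```

Run it with python3 against a build linked to OpenSSL 1.1.1 or later: the TLSv1.3-only string is rejected, the TLSv1.2-only string and the combined string are accepted, and in both accepted cases the TLSv1.3 suites are still offered, because OpenSSL prepends its TLSv1.3 ciphersuites to whatever SSL_CTX_set_cipher_list matched. That is the same rule the connector hit: a ciphers value containing nothing but TLSv1.3 suites leaves SSL_CTX_set_cipher_list with an empty pre-1.3 list.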

Environment

  • JBoss Web Server (JWS) 5.x
    • Tomcat 9.0.x
    • Tomcat Native
    • OpenSSL
