Enable TLS 1.3 default

[ekohl]

TLS version 1.3 is the latest TLS version. Now that we've dropped EL7 support this may be supported. Currently a draft since I don't know if it really does work. If it does, I'll also create a Redmine issue for this.

Came from https://bugzilla.redhat.com/show_bug.cgi?id=2117842

[ekohl]

Looks like it doesn't work, but starting the service works. Perhaps it doesn't actually start up and quickly dies.

[matt8754]

I updated server.xml with:

sslEnabledProtocols="TLSv1.2+TLSv1.3"

services are restarted and hammer ping returns all okay. But openssl is not happy:

openssl s_client -tls1_3 -connect localhost:23443
CONNECTED(00000003)
139626419914560:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 217 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

looks like TLS1.3 is still not be enabled on Satellite 6.11, :-)

[ekohl]

https://ssl-config.mozilla.org suggests you need Tomcat 8 for this and on EL8 the pki-core module has 7.7.1.

[ekohl]

Rebased now that we're on Java 17. Perhaps that works.

[ehelms]

It threw some error within GA and thus did not actually run.

[ekohl]

Yes, GH is just broken on/off this week: https://www.githubstatus.com/

[ekohl]

It fails to start up, but our CI doesn't really share any logs of what failed so that's tricky to debug. It does look like it's not as trivial as it would seem.

[ehelms]

Latest now this should be testing against is pki-servlet-engine-9.0.30-3.module_el8.5.0+854+e1c92b81.noarch.rpm which would imply the error is something else now.