
Enable TLS 1.3 default #223

Draft
wants to merge 1 commit into base: master

Conversation

ekohl
Member

@ekohl ekohl commented Aug 16, 2022

TLS version 1.3 is the latest TLS version. Now that we've dropped EL7 support this may be supported. Currently a draft since I don't know if it really does work. If it does, I'll also create a Redmine issue for this.

Came from https://bugzilla.redhat.com/show_bug.cgi?id=2117842

@ekohl
Member Author

ekohl commented Aug 16, 2022

Looks like it doesn't work, but starting the service works. Perhaps it doesn't actually start up and quickly dies.

@matt8754

matt8754 commented Aug 16, 2022

I updated server.xml with:

sslEnabledProtocols="TLSv1.2+TLSv1.3"

services are restarted and hammer ping returns all okay. But openssl is not happy:

openssl s_client -tls1_3 -connect localhost:23443
CONNECTED(00000003)
139626419914560:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 217 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Looks like TLS1.3 is still not enabled on Satellite 6.11 :-)

@ekohl
Member Author

ekohl commented Oct 17, 2022

https://ssl-config.mozilla.org suggests you need Tomcat 8 for this and on EL8 the pki-core module has 7.7.1.

TLS version 1.3 is the latest TLS version. Now that we've dropped EL7
support this is supported.
@ekohl
Member Author

ekohl commented May 10, 2023

Rebased now that we're on Java 17. Perhaps that works.

@ehelms
Member

ehelms commented May 10, 2023

It threw some error within GA and thus did not actually run.

@ehelms ehelms closed this May 10, 2023
@ehelms ehelms reopened this May 10, 2023
@ekohl
Member Author

ekohl commented May 10, 2023

Yes, GH is just broken on/off this week: https://www.githubstatus.com/

@ekohl ekohl closed this May 11, 2023
@ekohl ekohl reopened this May 11, 2023
@ekohl
Member Author

ekohl commented May 11, 2023

It fails to start up, but our CI doesn't really share any logs of what failed so that's tricky to debug. It does look like it's not as trivial as it would seem.

@ehelms ehelms closed this Jul 20, 2023
@ehelms ehelms reopened this Jul 20, 2023
@ehelms
Member

ehelms commented Aug 7, 2023

The latest this should now be testing against is pki-servlet-engine-9.0.30-3.module_el8.5.0+854+e1c92b81.noarch.rpm, which would imply the error is something else now.
