9

A question about Spring Boot MVC with Tomcat and TLSv1.3

I used to have a Spring Boot MVC, Tomcat based web app, with very simple business logic, over ssl HTTPS.

Per security team review, I had to bump the TLS version from TLSv1.2 to TLSv1.3.

Thought is was very simple and could easily complete this task, I went to change my property:

server.ssl.enabled-protocols=TLSv1.2

to

server.ssl.enabled-protocols=TLSv1.3

However, since then, I am getting this on each application start up:

org.apache.tomcat.util.net.SSLUtilBase : The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication

What does it mean please?

Is it "dangerous"?

How to fix it please?

Thank you

PatPanda
  • 3,644
  • 9
  • 58
  • 154

1 Answers1

11

Post-Handshake Client Authentication is a TLSv1.3 extension defined in RFC8446. But OpenJDK doesn't implement it and will not implement it. The corresponding issue is marked as "Won't fix".

The warning is emitted by Tomcat in SSLUtilBase.java

if (enabledProtocols.contains(Constants.SSL_PROTO_TLSv1_3) &&
        sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL &&
        !isTls13RenegAuthAvailable() && warnTls13) {
    log.warn(sm.getString("sslUtilBase.tls13.auth"));
}

The isTls13RenegAuthAvailable() method is defined in JSSEUtil.java

@Override
protected boolean isTls13RenegAuthAvailable() {
    // TLS 1.3 does not support authentication after the initial handshake
    return false;
}

To remove this warning you can either set CertificateVerification in Tomcat's SSLHostConfig to NONE or to REQUIRED. You can do it through the Spring Boot property server.ssl.client-auth which take the values NONE, WANT and NEED.

If you don't use client certificates, set it to NONE. If you use client certificates, check that each client can authenticate itself correctly with the NEED value. If you leave it as it, the only risk is that client that use post-handshake authentication will not be able to authenticate.

If you really need post-handshake client authentication, you will have to use another TLS implementation than JSSE. You can either use a reverse proxy such as Apache, NGINX, Traefik or use Tomcat’s native bindings for APR/OpenSSL. There is an interesting article you can read about this: Tomcat Native / OpenSSL in Spring Boot 2.0

== Update 5th April 2023 ==

After a message on the OpenJDK security-dev mailing list, the OpenJDK issue has been reopened and the "Won't fix" label has been removed. But the TLS 1.3 Post-handshake authentication is still not implemented in the OpenJDK.

Ortomala Lokni
  • 56,620
  • 24
  • 188
  • 240
  • 1
    Very clear answer, upvoted. Its just on my side, maybe I don't understand it fully. You are correct, if I set the server with server.ssl.client-auth=NEED + server.ssl.enabled-protocols=TLSv1.3, the error disappears! (upvote). However, the requirement I got from my teams is to leave one way TLS server.ssl.client-auth=WANT + server.ssl.enabled-protocols=TLSv1.3, in which the message still stays. But I am reading thought the documentations linked – PatPanda Feb 01 '21 at 21:37
  • Thanks. Using server.ssl.client-auth=NEED + server.ssl.enabled-protocols=TLSv1.3, is not possible with JSSE. This is the reason of the warning. If you want to fulfill your requirements you will have to choose another implementation. See my updated answer. – Ortomala Lokni Feb 01 '21 at 22:50