Enabling Transport Layer Security (TLS) 1.3
Ensure OpenSSL is installed locally.
Acquire Tomcat Native.
(Windows) The library is included with the release package, but you can also download the latest 2.X version of tcnative from Apache Tomcat - Tomcat Native Downloads.
(Linux) Download tcnative from Apache Tomcat - Tomcat Native Downloads, or install it through your local package manager using the command:
sudo apt install libtcnative-2
Configure environment to use tcnative.
(Windows) If tcnative has not been distributed through the plugin, move the tcnative.dll file to a folder accessible to Tomcat, such as within java.library.path.
(Linux) Add the link to tcnative to your LD_LIBRARY_PATH:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/apr/lib
Set application properties to use tcnative with TLS1.3.
To use only TLS1.3:
-Dhttps.protocols=TLSv1.3 -Dhttp.connector.SSLProtocol=TLSv1.3 -Dpush.connector.SSLProtocol=TLSv1.3 -Dajp.connector.SSLProtocol=TLSv1.3
To use TLSv1.2 and 1.3 simultaneously:
-Dhttps.protocols=TLSv1.2,TLSv1.3 -Dhttp.connector.SSLProtocol=+TLSv1.2,+TLSv1.3 -Dpush.connector.SSLProtocol=+TLSv1.2,+TLSv1.3 -Dajp.connector.SSLProtocol=+TLSv1.2,+TLSv1.3
To validate that TLS1.3 is enabled, look for log entries similar to the following on startup:
Loaded Apache Tomcat Native library [2.0.8] using APR version [1.7.4].
APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
OpenSSL successfully initialized [OpenSSL 3.0.14 4 Jun 2024]
Starting ProtocolHandler ["https-openssl-nio-7080"]
If you do not include these properties, the system will fall back to JSSE, which has non-compliant client certificate authentication.
You must use the plus sign (+) in the SSLProtocol properties to ensure the protocol is included. (You can also use the minus sign (-) to explicitly remove a protocol from inclusion.) Failing to use the + or - syntax will default to inclusion and cause warnings in the logs.
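As an added example that is not part of this documentation, the following POSIX shell helpers check an SSLProtocol property value against the +/- list syntax described above and probe a running connector to confirm which TLS versions it actually negotiates. It assumes the openssl command-line tool is on PATH; host and port are placeholders you supply.

```shell
#!/bin/sh
# Added example: verify SSLProtocol syntax and the TLS versions a connector accepts.
# Assumes `openssl` is installed; HOST and PORT are placeholders for your deployment.

# Check a value such as "+TLSv1.2,+TLSv1.3" (the -D*.SSLProtocol property).
# A single bare protocol name is accepted; every entry in a comma-separated
# list must carry a + or - prefix, otherwise Tomcat defaults to inclusion and
# logs a warning. Returns 0 when the syntax is acceptable, 1 otherwise.
sslprotocol_syntax_ok() {
  spec=$1
  case $spec in
    *,*) ;;          # a list: fall through and inspect each entry
    *) return 0 ;;   # single protocol: no prefix required
  esac
  old_ifs=$IFS; IFS=,
  for item in $spec; do
    case $item in
      +TLSv*|-TLSv*) ;;
      *) IFS=$old_ifs; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# Read `openssl s_client` output on stdin and print the negotiated protocol
# (e.g. "TLSv1.3"). Prints nothing if no session was established.
negotiated_protocol() {
  sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Live probe: restrict the handshake to one version and report the outcome.
# Usage: probe_version HOST PORT tls1_3   (or tls1_2 to confirm it is disabled)
probe_version() {
  host=$1; port=$2; flag=$3
  proto=$(openssl s_client -connect "$host:$port" -servername "$host" "-$flag" \
            </dev/null 2>/dev/null | negotiated_protocol)
  if [ -n "$proto" ]; then
    echo "$host:$port accepts $proto"
  else
    echo "$host:$port rejects $flag"
  fi
}
```

Run `probe_version HOST PORT tls1_2` after configuring TLS 1.3 only; it should report a rejection, while `tls1_3` should report an accepted TLSv1.3 session.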