TLSv1.3 dk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472

[Andy Katzer]

I want to use Elytron subsystem for TLSv1.3.

I use open jdk 11.

i get following error in server.log:

2021-08-25 10:03:16,792 ERROR [stderr] (MSC service thread 1-5) javax.net.ssl|DEBUG|21|MSC service thread 1-5|2021-08-25 10:03:16.774 CEST|SSLCipher.java:438|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472

<tls>
                <key-stores>
                    <key-store name="wildflyKS">
                        <credential-reference clear-text="vier1000"/>
                        <implementation type="JKS"/>
                        <file path="${jboss.home.dir}{MtsBs.KS"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="wildflyKS" algorithm="SunX509" key-store="wildflyKS">
                        <credential-reference clear-text="vier1000"/>
                    </key-manager>
                </key-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="wildflySSC" protocols="TLSv1.3" key-manager="wildflyKS" cipher-suite-filter="AES128-SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256 ,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256" use-cipher-suites-order="true"/>                   
                </server-ssl-contexts>
            </tls>

 i use a certificat with SHA256.

[Farah Juma]

To enable TLSv1.3, the cipher-suite-names attribute needs to be specified in the server-ssl-context configuration, e.g.,

cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

More details can be found here:

https://wildfly-security.github.io/wildfly-elytron/blog/tls-13-with-wildfly/