Since using FME Flow version 2024.2.3, running on Windows Server 2022, we face the following issues.
Background
We found that in FME Flow 2024.2.3 the network security protocol TLS1.3 is not configured by default. We expect it to work (see e.g. FME Community TLSv1.3 Support).
Also, for TLSv1.3, the minimum requirements for the versions of OpenSSL and Java used are:
- Tomcat 9.0.13 and later versions have built-in TLS 1.3 support
- For TLS 1.3 support, you need JDK 1.8.0_170 or later.
As FME Support Third Party Component Versions reports, FME Flow 2024.2.3 uses Tomcat 9.0.91 and Java JDK 17.0.12+7.
Actions
First step: We enabled TLSv1.3 on our Server, by including the following keys in the Windows Registry:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
Second step: In the Tomcat server.xml of FME Flow, on the port Connector for protocol="org.apache.coyote.http11.Http11NioProtocol" we made the following adjustments:
- sslEnabledProtocols: "TLSv1.2,TLSv1.3"
- Ciphers: We added the cipher suites
  - TLS_AES_128_GCM_SHA256,
  - TLS_AES_256_GCM_SHA384,
  - TLS_CHACHA20_POLY1305_SHA256,
  - TLS_AES_128_CCM_SHA256,
  - TLS_AES_128_CCM_8_SHA256
Findings
Now we find:
When opening the FME Flow main page, FireFox shows a secure connection, which seems nice:
‘Encrypted connection (TLS_AES_128_GCM_SHA256, 128-bit keys, TLS 1.3)’
However, when using curl to request a healthcheck report for FME Flow, curl reports:
Verbose:
* Uses proxy env variable https_proxy == 'http://localhost:3128/'
* Host localhost:3128 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:3128...
* Trying 127.0.0.1:3128...
Connected to localhost (127.0.0.1) port 3128
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to our_server_dns:443
> CONNECT our_server_dns:443 HTTP/1.1
> Host: our_server_dns:443
> User-Agent: curl/8.9.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
< Server: BaseHTTP/0.6 Python/3.13.2
< Date: Wed, 02 Jul 2025 11:52:52 GMT
< Proxy-Agent: BaseHTTP/0.6 Python/3.13.2
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* schannel: disabled automatic use of client certificate
* schannel: AcquireCredentialsHandle failed: SEC_E_ALGORITHM_MISMATCH (0x80090331) - De client en server kunnen niet communiceren omdat ze geen gemeenschappelijk algoritme bezitten.
* closing connection #0
curl: (35) schannel: AcquireCredentialsHandle failed: SEC_E_ALGORITHM_MISMATCH (0x80090331) - De client en server kunnen niet communiceren omdat ze geen gemeenschappelijk algoritme bezitten.
And an FME Flow automation trying to send a file to an SFTP site with an SFTP Directory upload element, generates the following message in the log:
2025-07-02T11:14:56+02:00 | 801028 : Failed connection or action due to error: Algorithm negotiation fail
Also in the Catalina log there is the following warning:
02-Jul-2025 11:11:31.816 WARNING Catalina-utility-4 org.apache.catalina.authenticator.SSLAuthenticator.startInternal The context [] in virtual host localhost is configured to use CLIENT-CERT authentication and [Connector"https-jsse-nio-443"] is configured to support TLS 1.3 using JSSE. Use of CLIENT-CERT authentication is not compatible with the use of TLS 1.3 and JSSE.
Now my idea is that the Tomcat adapter used is not the right one, because that is a JSSE setup and it uses a different kind of authentication (using client/server certificates) than the TLSv1.3 (using post-handshake authentication) should employ.
According to the article Stackoverflow issue on Java Springboot MVC, to enable Tomcat TLSv1.3 we should use the Tomcat Http11AprProtocol (instead of the Http11NioProtocol) adapter. My guess is that we will have to build separate Tomcat connectors for TLSv1.2 and TLSv1.3 in the server.xml, if we want both versions to work.
Questions:
My questions are:
- Is my idea in the right direction?
- Does anyone have experience on what exactly the TLSv1.3 adapter should look like?
- Is it really necessary to set up a TLSv1.3 adapter? In fact, FME Flow is just a client in this case and I don’t expect the Tomcat website to interfere with the SFTP upload request.
- But if FME Flow is a client in this case, why doesn't the SFTP External Action support the upload to a TLSv1.3 site?
- Or maybe the client registry keys also have to be created (we only created the server registry keys for enabling TLSv1.3)?
I hope I’ve been as clear as possible.
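As an added diagnostic example (not code from the post, from FME, or from Tomcat), the script below does two things that help separate the client-side and server-side parts of the symptoms described above. First, `classify_tls_error` triages the three log lines quoted in the post (the curl schannel error, the FME SFTP error, and the Catalina CLIENT-CERT warning) by the component that emits them. Second, `probe_tls` opens a direct TLS connection to a host with both the minimum and maximum protocol version pinned to one value, so you can see which of TLSv1.2 and TLSv1.3 a server actually negotiates and with which cipher suite, independently of curl and of the Schannel registry state. Assumptions: the host is reached directly rather than through the `localhost:3128` CONNECT proxy from the curl trace, the sample log lines are constructed from the post, and the hostname passed on the command line is yours to supply.

```python
"""TLS 1.2 / TLS 1.3 negotiation probe and log-line triage.

Added example for the FME Flow TLS 1.3 thread; not FME, Tomcat or curl code.
"""
import re
import socket
import ssl
import sys

# Exported so callers can pin a version without importing ssl themselves.
TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3

# Constructed sample lines, shortened from the messages quoted in the post.
SAMPLE_LOG_LINES = [
    "curl: (35) schannel: AcquireCredentialsHandle failed: "
    "SEC_E_ALGORITHM_MISMATCH (0x80090331)",
    "2025-07-02T11:14:56+02:00 | 801028 : Failed connection or action "
    "due to error: Algorithm negotiation fail",
    "02-Jul-2025 11:11:31.816 WARNING Catalina-utility-4 ... Use of "
    "CLIENT-CERT authentication is not compatible with the use of TLS 1.3 and JSSE.",
    "INFO Server startup in [1234] milliseconds",  # unrelated noise line
]

# (pattern, category, what the line tells the defender)
TRIAGE_RULES = [
    (re.compile(r"AcquireCredentialsHandle failed: SEC_E_ALGORITHM_MISMATCH"),
     "schannel-client",
     "Raised while the local Schannel client builds its own credentials, i.e. "
     "before the server is contacted: the requested TLS version/cipher set is not "
     "enabled on the client side (the Schannel ...\\Protocols\\TLS 1.3\\Client key "
     "and curl's --tlsv1.x / --tls-max options govern this)."),
    (re.compile(r"Algorithm negotiation fail"),
     "ssh-negotiation",
     "SFTP runs over SSH, not TLS: the SSH client and SFTP server share no "
     "key-exchange, cipher or MAC algorithm. TLS registry keys do not affect it."),
    (re.compile(r"CLIENT-CERT authentication is not compatible with the use of TLS 1\.3 and JSSE"),
     "tomcat-client-cert",
     "Server-side Tomcat conflict: a context with CLIENT-CERT authentication on a "
     "JSSE connector that also offers TLS 1.3."),
]


def classify_tls_error(line):
    """Return (category, explanation) for one log line."""
    for pattern, category, explanation in TRIAGE_RULES:
        if pattern.search(line):
            return category, explanation
    return "unknown", "No known TLS/SSH negotiation signature in this line."


def triage(lines):
    """Categories for a batch of lines, in input order."""
    return [classify_tls_error(line)[0] for line in lines]


def build_context(version):
    """Default (verifying) client context pinned to exactly one TLS version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_tls(host, port=443, version=TLS13, timeout=5.0):
    """Handshake with `host` at the pinned version; report the outcome as a dict."""
    ctx = build_context(version)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher, _proto, bits = tls.cipher()
                return {"ok": True, "version": tls.version(),
                        "cipher": cipher, "bits": bits}
    except (ssl.SSLError, OSError) as exc:
        # Handshake refusal, alert, or plain connection failure.
        return {"ok": False, "version": version.name, "error": str(exc)}


def probe_matrix(host, port=443):
    """Try TLSv1.2 and TLSv1.3 separately against one endpoint."""
    return {v.name: probe_tls(host, port, v) for v in (TLS12, TLS13)}


if __name__ == "__main__":
    for sample in SAMPLE_LOG_LINES:
        category, why = classify_tls_error(sample)
        print(f"[{category}] {why}")
    if len(sys.argv) > 1:  # e.g. python probe.py our_server_dns
        for name, result in probe_matrix(sys.argv[1]).items():
            print(name, result)
```

Run it with the FME Flow hostname as the only argument; a server that is correctly offering both versions returns `ok: True` for both `TLSv1_2` and `TLSv1_3`, with the TLSv1.3 result naming one of the `TLS_AES_*` or `TLS_CHACHA20_*` suites listed in the post. If the Python probe succeeds at TLSv1.3 while curl on the same Windows host still fails in `AcquireCredentialsHandle`, the remaining problem is on the Schannel client side rather than in Tomcat.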