Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/02 22:38:38 UTC
svn commit: r1733373 - in /tomcat/trunk:
java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
webapps/docs/changelog.xml
Author: markt
Date: Wed Mar 2 21:38:38 2016
New Revision: 1733373
URL: http://svn.apache.org/viewvc?rev=1733373&view=rev
Log:
kECDHE and ECDHE are now supported.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java?rev=1733373&r1=1733372&r2=1733373&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java Wed Mar 2 21:38:38 2016
@@ -426,8 +426,12 @@ public class OpenSSLCipherConfigurationP
addListAlias(kECDHe, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.ECDHe)));
addListAlias(kECDH, filterByKeyExchange(allCiphers, new HashSet<>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr))));
addListAlias(ECDH, filterByKeyExchange(allCiphers, new HashSet<>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr, KeyExchange.EECDH))));
- addListAlias(kECDHE, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.ECDHe)));
- aliases.put(ECDHE, aliases.get(kECDHE));
+ addListAlias(kECDHE, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH)));
+
+ Set<Cipher> ecdhe = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH));
+ remove(ecdhe, aNULL);
+ addListAlias(ECDHE, ecdhe);
+
addListAlias(kEECDH, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH)));
aliases.put(EECDHE, aliases.get(kEECDH));
Set<Cipher> eecdh = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH));
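Review bot: The new `ecdhe` set is built exactly like the `eecdh` set that begins on the hunk's last line (EECDH key exchange with `aNULL` removed), so the `ECDHE` and `EECDH` aliases are now maintained by two copies of the same code that can silently drift apart. Once the `EECDH` alias has been registered (that line is outside the hunk) a single `aliases.put(ECDHE, aliases.get(EECDH));` would keep them identical by construction, the same way `EECDHE` is already tied to `kEECDH` on the line above. Note also that `remove(ecdhe, aNULL)` dereferences `aliases.get(aNULL)` without a null check, so this placement relies on `aNULL` having been registered earlier in the initializer — presumably true, since the existing `eecdh` path does the same, but a short `// aNULL must already be registered here` would make the ordering constraint explicit. The enclosing static initializer starts and ends outside the hunk.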
@@ -526,7 +530,7 @@ public class OpenSSLCipherConfigurationP
ciphers.addAll(aliases.get(alias));
}
- static void remove(final LinkedHashSet<Cipher> ciphers, final String alias) {
+ static void remove(final Set<Cipher> ciphers, final String alias) {
ciphers.removeAll(aliases.get(alias));
}
@@ -550,6 +554,10 @@ public class OpenSSLCipherConfigurationP
return result;
}
+ /*
+ * See
+ * https://github.com/openssl/openssl/blob/7c96dbcdab959fef74c4caae63cdebaa354ab252/ssl/ssl_ciph.c#L1371
+ */
static LinkedHashSet<Cipher> defaultSort(final LinkedHashSet<Cipher> ciphers) {
final LinkedHashSet<Cipher> result = new LinkedHashSet<>(ciphers.size());
/* Now arrange all ciphers by preference: */
@@ -564,9 +572,6 @@ public class OpenSSLCipherConfigurationP
/* Temporarily enable everything else for sorting */
result.addAll(ciphers);
- /* Low priority for SSLv2 */
- moveToEnd(result, filterByProtocol(result, Collections.singleton(Protocol.SSLv2)));
-
/* Low priority for MD5 */
moveToEnd(result, filterByMessageDigest(result, Collections.singleton(MessageDigest.MD5)));
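Review bot: Dropping the SSLv2 demotion only leaves the DEFAULT ordering unchanged if no SSLv2 suite can still reach `defaultSort`; the `Protocol.SSLv2` constant referenced by the removed line evidently still exists, so if the `Cipher` enum still lists SSLv2 suites they would now be ranked purely by strength rather than pushed to the end. Presumably they are excluded from `allCiphers` or are never negotiable with SSLv2 disabled, but that is not visible here and is worth confirming against the enum. A one-line comment in place of the removed step, such as `/* SSLv2 suites are intentionally no longer demoted; current OpenSSL has dropped them */`, would make the omission read as deliberate rather than accidental. `defaultSort` starts and ends outside the hunk.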
@@ -579,7 +584,7 @@ public class OpenSSLCipherConfigurationP
moveToEnd(result, filterByAuthentication(result, Collections.singleton(Authentication.ECDH)));
moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.RSA)));
moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.PSK)));
- moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.KRB5)));
+
/* RC4 is sort-of broken -- move the the end */
moveToEnd(result, filterByEncryption(result, Collections.singleton(Encryption.RC4)));
return strengthSort(result);
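Review bot: The removed KRB5 demotion is replaced by an empty added line rather than simply deleted, leaving a stray blank line between the PSK move and the RC4 comment. Since `KeyExchange.KRB5` evidently still exists, the same caveat as for the other removed sort step applies: any KRB5 suites remaining in the `Cipher` enum are now ordered by strength alone, which matches current OpenSSL (Kerberos suites were removed upstream, as I recall in 1.1.0) but may diverge from the DEFAULT order produced by an older library Tomcat is linked against — presumably the comparison tests would surface that when run on such a build. `defaultSort` starts outside the hunk.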
Modified: tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java?rev=1733373&r1=1733372&r2=1733373&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java Wed Mar 2 21:38:38 2016
@@ -281,14 +281,12 @@ public class TestOpenSSLCipherConfigurat
@Test
- @Ignore("Contrary to the docs, OpenSSL does not recognise kECDHE")
public void testkECDHE() throws Exception {
testSpecification("kECDHE");
}
@Test
- @Ignore("Contrary to the docs, OpenSSL does not recognise ECDHE")
public void testECDHE() throws Exception {
testSpecification("ECDHE");
}
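Review bot: Un-ignoring these two tests makes them depend on the OpenSSL build the harness runs against accepting the `kECDHE` and `ECDHE` aliases, which the removed `@Ignore` reasons say some versions did not; on such a library they now fail rather than being skipped. If the class already conditions other tests on the detected OpenSSL version, these are candidates for the same guard; otherwise a comment such as `// requires an OpenSSL that recognises the kECDHE/ECDHE aliases` on each would explain a failure. If no other test in this class still uses `@Ignore`, the corresponding import is now unused and will be flagged by the build's import checks.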
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1733373&r1=1733372&r2=1733373&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 2 21:38:38 2016
@@ -164,6 +164,10 @@
shutdown if the Poller experiences an error during the shutdown process.
(markt)
</fix>
+ <fix>
+ Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> with
+ the current OpenSSL implementation. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">