Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/09/27 08:20:36 UTC
[tomcat] branch main updated (2fb113f -> f19fe59)
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 2fb113f Fix invalid Javadoc
new 73ea097 Better version matching for OpenSSL 3.x
new 7769bca OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM
new 529acb8 Remove handling for old, unsupported OpenSSL versions
new f19fe59 Remove support for undocumented EECDHE
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../tomcat/util/net/openssl/ciphers/Cipher.java | 22 +++----
.../ciphers/OpenSSLCipherConfigurationParser.java | 5 --
.../TestOpenSSLCipherConfigurationParser.java | 71 ++++++++--------------
.../util/net/openssl/ciphers/TesterOpenSSL.java | 20 ++----
webapps/docs/changelog.xml | 4 ++
5 files changed, 47 insertions(+), 75 deletions(-)
[tomcat] 02/04: OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 7769bca25ee85ff7552daccf21b55d8c6cf1f439
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:13:46 2021 +0100
OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM
---
.../tomcat/util/net/openssl/ciphers/Cipher.java | 22 +++++++++++-----------
.../TestOpenSSLCipherConfigurationParser.java | 21 ++++++++++++++++++---
webapps/docs/changelog.xml | 4 ++++
3 files changed, 33 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
index 37dceee..ea64076 100644
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
@@ -2776,7 +2776,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_3,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
true,
128,
128,
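Review bot: The TLSv1_3 entry reclassified in this hunk is not exercised by the test change in this commit, because TesterOpenSSL passes an empty `-ciphersuites` list (visible in the 03/04 hunk for TesterOpenSSL.java), so the reference OpenSSL output never contains TLS 1.3 suites and the `testHIGH`/`testMEDIUM` comparison only validates the ten TLSv1_2 entries in the following hunks. A short comment on this constant, e.g. `// MEDIUM since OpenSSL 3.1; TLSv1.3 suites are not covered by the TesterOpenSSL comparison`, would record that this classification is asserted rather than tested. Each enum constant here begins and ends outside its hunk, so the cipher names themselves are not visible in the diff.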
@@ -4432,7 +4432,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
128,
128,
@@ -4449,7 +4449,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
256,
256,
@@ -4466,7 +4466,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
128,
128,
@@ -4483,7 +4483,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
256,
256,
@@ -4568,7 +4568,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
128,
128,
@@ -4585,7 +4585,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
256,
256,
@@ -4602,7 +4602,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
128,
128,
@@ -4619,7 +4619,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
256,
256,
@@ -4671,7 +4671,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
128,
128,
@@ -4688,7 +4688,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
256,
256,
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index a03d97b..8fa66df 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -73,13 +73,23 @@ public class TestOpenSSLCipherConfigurationParser {
@Test
public void testHIGH() throws Exception {
- testSpecification("HIGH");
+ if (TesterOpenSSL.VERSION < 30100) {
+ // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+ testSpecification("HIGH:!AESCCM8");
+ } else {
+ testSpecification("HIGH");
+ }
}
@Test
public void testMEDIUM() throws Exception {
- testSpecification("MEDIUM");
+ if (TesterOpenSSL.VERSION < 30100) {
+ // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+ testSpecification("MEDIUM:AESCCM8");
+ } else {
+ testSpecification("MEDIUM");
+ }
}
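Review bot: The comment `// OpenSSL 3.1.x moved the CCM8 ciphers from high to medium` sits inside the `VERSION < 30100` branch, i.e. it annotates the case where the reference OpenSSL has not yet made that move, which makes the adjusted specification read as if it were the 3.1 behaviour. Suggest wording it around what the branch compensates for, e.g. `// Before OpenSSL 3.1 the CCM8 ciphers are still listed under HIGH; exclude them so the reference matches Tomcat's MEDIUM classification`, with the mirror wording in testMEDIUM and in the Tomcat 8 default test hunk below. The 30100 threshold also relies on TesterOpenSSL mapping only banners starting with `OpenSSL 3.1.` to that value (see the 01/04 hunk), so later 3.x releases would, as far as this diff shows, take the compensating branch unless the detection is extended.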
@@ -555,7 +565,12 @@ public class TestOpenSSLCipherConfigurationParser {
// Tomcat 8 default as of 2014-08-04
// This gets an A- from https://www.ssllabs.com/ssltest with no FS for
// a number of the reference browsers
- testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+ if (TesterOpenSSL.VERSION < 30100) {
+ // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+ testSpecification("HIGH:!AESCCM8:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+ } else {
+ testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6d7afcb..d9622dd 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -151,6 +151,10 @@
<bug>65577</bug>: Fix a <code>AccessControlException</code> reporting
when running an NIO2 connector with TLS enabled. (markt)
</fix>
+ <update>
+ Reclassify TLS ciphers that use AESCCM8 as medium security rather than
+ high security to align with recent changes in OpenSSL. (markt)
+ </update>
</changelog>
</subsection>
<subsection name="Jasper">
[tomcat] 03/04: Remove handling for old, unsupported OpenSSL versions
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 529acb8237c3381ff02127496312fc852f84e4b7
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:18:22 2021 +0100
Remove handling for old, unsupported OpenSSL versions
---
.../TestOpenSSLCipherConfigurationParser.java | 42 +++++-----------------
.../util/net/openssl/ciphers/TesterOpenSSL.java | 16 ++-------
2 files changed, 12 insertions(+), 46 deletions(-)
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 8fa66df..0400f1d 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -27,23 +27,13 @@ public class TestOpenSSLCipherConfigurationParser {
@Test
public void testDEFAULT() throws Exception {
- if (TesterOpenSSL.VERSION < 10100) {
- // Account for classes of ciphers removed from DEFAULT in 1.1.0
- testSpecification("DEFAULT:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM:!3DES");
- } else {
- testSpecification("DEFAULT");
- }
+ testSpecification("DEFAULT");
}
@Test
public void testCOMPLEMENTOFDEFAULT() throws Exception {
- if (TesterOpenSSL.VERSION < 10100) {
- // Account for classes of ciphers removed from DEFAULT in 1.1.0
- testSpecification("COMPLEMENTOFDEFAULT:RC4:DSS:SEED:IDEA:CAMELLIA:AESCCM:aNULL:3DES");
- } else {
- testSpecification("COMPLEMENTOFDEFAULT");
- }
+ testSpecification("COMPLEMENTOFDEFAULT");
}
@@ -137,10 +127,7 @@ public class TestOpenSSLCipherConfigurationParser {
@Test
public void testkDHE() throws Exception {
- // This alias was introduced in 1.0.2
- if (TesterOpenSSL.VERSION >= 10002) {
- testSpecification("kDHE");
- }
+ testSpecification("kDHE");
}
@@ -152,10 +139,7 @@ public class TestOpenSSLCipherConfigurationParser {
@Test
public void testDHE() throws Exception {
- // This alias was introduced in 1.0.2
- if (TesterOpenSSL.VERSION >= 10002) {
- testSpecification("DHE");
- }
+ testSpecification("DHE");
}
@@ -300,27 +284,19 @@ public class TestOpenSSLCipherConfigurationParser {
@Test
public void testTLSv1() throws Exception {
- // In OpenSSL 1.1.0-dev, TLSv1 refers to those ciphers that require
- // TLSv1 rather than being an alias for SSLv3
- if (TesterOpenSSL.VERSION >= 10100) {
- testSpecification("TLSv1");
- }
+ testSpecification("TLSv1");
}
@Test
- public void testSSLv2() throws Exception {
- testSpecification("SSLv2");
+ public void testSSLv3() throws Exception {
+ testSpecification("SSLv3");
}
@Test
- public void testSSLv3() throws Exception {
- // In OpenSSL 1.1.0-dev, TLSv1 refers to those ciphers that require
- // TLSv1 rather than being an alias for SSLv3
- if (TesterOpenSSL.VERSION < 10100) {
- testSpecification("SSLv3:TLSv1");
- }
+ public void testSSLv2() throws Exception {
+ testSpecification("SSLv2");
}
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
index fe30d7f..946302a 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
@@ -253,19 +253,9 @@ public class TesterOpenSSL {
// Standard command to list the ciphers
args.add("ciphers");
args.add("-v");
- if (VERSION < 10100) {
- // Need to exclude the GOST ciphers
- if (specification == null) {
- specification = "DEFAULT:!aGOST";
- } else {
- specification = "!aGOST:" + specification;
- }
- }
- if (VERSION >= 10101) {
- // Need to exclude the TLSv1.3 ciphers
- args.add("-ciphersuites");
- args.add("");
- }
+ // Need to exclude the TLSv1.3 ciphers
+ args.add("-ciphersuites");
+ args.add("");
// Include the specification if provided
if (specification != null) {
args.add(specification);
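Review bot: With `-ciphersuites` now passed unconditionally, an OpenSSL binary older than 1.1.1 (the old code guarded this with `VERSION >= 10101`) will reject the command line, but nothing in this hunk turns that into an explicit unsupported-version failure; the tests simplified in the other hunks of this commit would then fail with an opaque process error rather than being skipped. Suggest asserting the supported minimum where VERSION is computed, e.g. `if (VERSION < 10101) throw new IllegalStateException("OpenSSL 1.1.1 or later is required by the cipher tests: " + versionString);`. The enclosing method begins and ends outside this hunk, so whether the process exit status is already checked there is not visible.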
[tomcat] 04/04: Remove support for undocumented EECDHE
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit f19fe59995cc817b28f1c3d525b20a600890be95
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:19:54 2021 +0100
Remove support for undocumented EECDHE
---
.../net/openssl/ciphers/OpenSSLCipherConfigurationParser.java | 5 -----
.../net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java | 8 --------
2 files changed, 13 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 401c2b3..caea744 100644
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -182,10 +182,6 @@ public class OpenSSLCipherConfigurationParser {
*/
private static final String ECDHE = "ECDHE";
/**
- * Cipher suites using authenticated ephemeral ECDH key agreement
- */
- private static final String EECDHE = "EECDHE";
- /**
* Anonymous Elliptic Curve Diffie Hellman cipher suites.
*/
private static final String AECDH = "AECDH";
@@ -470,7 +466,6 @@ public class OpenSSLCipherConfigurationParser {
addListAlias(ECDHE, ecdhe);
addListAlias(kEECDH, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH)));
- aliases.put(EECDHE, aliases.get(kEECDH));
Set<Cipher> eecdh = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH));
eecdh.removeAll(filterByAuthentication(allCiphers, Collections.singleton(Authentication.aNULL)));
addListAlias(EECDH, eecdh);
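Review bot: Removing the `EECDHE` alias changes what `OpenSSLCipherConfigurationParser` accepts in a user-supplied cipher string, yet unlike 02/04 this commit carries no changelog.xml entry (its diffstat lists only the parser and its test). Suggest a changelog `<update>` stating that the undocumented `EECDHE` alias is no longer recognised, so an operator whose `ciphers` setting contains it can see why the configuration stopped matching. How the parser treats an unrecognised alias (ignored or rejected) is not visible in this hunk, so the entry should say which. The surrounding alias-initialisation block continues outside the hunk.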
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 0400f1d..dc8b007 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -20,7 +20,6 @@ import java.util.List;
import java.util.TreeSet;
import org.junit.Assert;
-import org.junit.Ignore;
import org.junit.Test;
public class TestOpenSSLCipherConfigurationParser {
@@ -204,13 +203,6 @@ public class TestOpenSSLCipherConfigurationParser {
@Test
- @Ignore("Contrary to the docs, OpenSSL does not recognise EECDHE")
- public void testEECDHE() throws Exception {
- testSpecification("EECDHE");
- }
-
-
- @Test
public void testAECDH() throws Exception {
testSpecification("AECDH");
}
[tomcat] 01/04: Better version matching for OpenSSL 3.x
Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 73ea0979f0d030362ca404b5a50ff906645d711f
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:13:00 2021 +0100
Better version matching for OpenSSL 3.x
---
test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
index 88d2b46..fe30d7f 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
@@ -49,10 +49,10 @@ public class TesterOpenSSL {
} catch (IOException e) {
versionString = "";
}
- if (versionString.startsWith("OpenSSL 3.1.0")) {
+ if (versionString.startsWith("OpenSSL 3.1.")) {
// Note: Gump currently tests 10.x with OpenSSL 3.1.x
VERSION = 30100;
- } else if (versionString.startsWith("OpenSSL 3.0.0")) {
+ } else if (versionString.startsWith("OpenSSL 3.0.")) {
VERSION = 30000;
} else if (versionString.startsWith("OpenSSL 1.1.1")) {
// LTS
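Review bot: The prefix chain `startsWith("OpenSSL 3.1.")` / `startsWith("OpenSSL 3.0.")` only recognises the minors named explicitly, so an OpenSSL 3.2 or later banner falls through to the branches outside this hunk, which presumably assign an older VERSION and re-enable the pre-3.1 test paths; the rest of the chain is not visible here. Parsing the major and minor numbers out of the banner and computing VERSION from them (the constants used here follow `major * 10000 + minor * 100`, with the fix level added where the tests distinguish it, as 10101 and 10002 show) would cover future minors without editing this chain. The comment `// Note: Gump currently tests 10.x with OpenSSL 3.1.x` could name what 10.x refers to, e.g. `// Gump builds Tomcat 10.x against OpenSSL 3.1.x`, if that is the intent.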