Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/11/01 20:15:16 UTC

(tomcat) branch 8.5.x updated (08424898ac -> 790b5eecaa)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


    from 08424898ac Line length
     new 7e88304df6 OpenSSL master branch is now 3.3.x
     new cd164eabf2 Add test based on BZ 67628
     new 790b5eecaa Fix BZ 67628 - Improve description of ciphers

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 java/org/apache/tomcat/util/net/LocalStrings.properties  |  2 +-
 .../apache/tomcat/util/net/LocalStrings_ja.properties    |  1 -
 .../apache/tomcat/util/net/LocalStrings_ko.properties    |  1 -
 .../ciphers/TestOpenSSLCipherConfigurationParser.java    | 15 +++++++++++++++
 .../tomcat/util/net/openssl/ciphers/TesterOpenSSL.java   |  6 ++++--
 webapps/docs/changelog.xml                               |  4 ++++
 webapps/docs/config/http.xml                             | 16 ++++++++++++----
 7 files changed, 36 insertions(+), 9 deletions(-)




(tomcat) 01/03: OpenSSL master branch is now 3.3.x

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 7e88304df66e19dceb10f750d1616479bffd8bdf
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Nov 1 19:34:31 2023 +0000

    OpenSSL master branch is now 3.3.x
---
 test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
index 0df4cb26bb..ab9433b84d 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
@@ -49,8 +49,10 @@ public class TesterOpenSSL {
         } catch (IOException e) {
             versionString = "";
         }
-        if (versionString.startsWith("OpenSSL 3.2.")) {
-            // Note: Gump currently tests 11.x with OpenSSL 3.2.x
+        if (versionString.startsWith("OpenSSL 3.3.")) {
+            // Note: Gump currently tests 11.x with OpenSSL 3.3.x
+            VERSION = 30300;
+        } else if (versionString.startsWith("OpenSSL 3.2.")) {
             VERSION = 30200;
         } else if (versionString.startsWith("OpenSSL 3.1.")) {
             VERSION = 30100;
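Review bot: Every new OpenSSL minor release needs another `else if` branch in this chain (the 3.3 entry added here is the third such branch visible), and each branch repeats the version both in the string prefix and in the literal, which is how the two can drift apart. For the 3.x line the value could be derived once from the parsed minor number, e.g. `VERSION = 30000 + 100 * minor;` after matching the `"OpenSSL 3."` prefix, leaving explicit branches only for the pre-3.0 numbering that this hunk does not show. The rest of the chain, including the fallback taken when the IOException handler above leaves versionString empty, continues outside the hunk, so I cannot tell whether such a derivation would collide with those cases.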




(tomcat) 03/03: Fix BZ 67628 - Improve description of ciphers

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 790b5eecaa18e4d636de69c8045e44acaff262ea
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Nov 1 20:13:31 2023 +0000

    Fix BZ 67628 - Improve description of ciphers
    
    Also improve associated log message
---
 java/org/apache/tomcat/util/net/LocalStrings.properties  |  2 +-
 .../apache/tomcat/util/net/LocalStrings_ja.properties    |  1 -
 .../apache/tomcat/util/net/LocalStrings_ko.properties    |  1 -
 webapps/docs/changelog.xml                               |  4 ++++
 webapps/docs/config/http.xml                             | 16 ++++++++++++----
 5 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties b/java/org/apache/tomcat/util/net/LocalStrings.properties
index d8e0d6ea29..a0b212fc22 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -182,7 +182,7 @@ sslUtilBase.noCrlSupport=The truststoreProvider [{0}] does not support the certi
 sslUtilBase.noKeys=No aliases for private keys found in key store
 sslUtilBase.noVerificationDepth=The truststoreProvider [{0}] does not support the certificateVerificationDepth configuration option
 sslUtilBase.noneSupported=None of the [{0}] specified are supported by the SSL engine : [{1}]
-sslUtilBase.skipped=Some of the specified [{0}] are not supported by the SSL engine and have been skipped: [{1}]
+sslUtilBase.skipped=Tomcat interprets the [{0}] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [{0}] are not supported by the configured SSL engine for this connector (which may use JSSE or an older OpenSSL version) and have been skipped: [{1}]
 sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This protocol is known to be insecure.
 sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support post handshake authentication (PHA) and is therefore incompatible with optional certificate authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted certificate with alias [{0}] were not checked as the certificate was of an unknown type
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
index e0c9ece8a4..e2e86be619 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
@@ -178,7 +178,6 @@ sslUtilBase.noCrlSupport=トラストストアプロバイダー [{0}] は設定
 sslUtilBase.noKeys=キーストアで見つかった秘密キーのエイリアスがありません。
 sslUtilBase.noVerificationDepth=トラストストアプロバイダー [{0}] は設定項目 certificateVerificationDepth に未対応です。
 sslUtilBase.noneSupported=指定された [{0}] のどれもSSLエンジンでサポートされていません: [{1}]
-sslUtilBase.skipped=指定された [{0}] の一部はSSLエンジンでサポートされておらず、スキップされています: [{1}]
 sslUtilBase.ssl3=SSLv3 が明示的に有効化化されています。このプロトコルは安全ではありません。
 sslUtilBase.tls13.auth=JSSE TLS 1.3実装は、初期ハンドシェイク後の認証をサポートしていないため、オプションのクライアント認証と互換性がありません。
 sslUtilBase.trustedCertNotChecked=エイリアス [{0}] を持つ信頼できる証明書の有効期限は、証明書が不明な型であるためチェックされませんでした
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_ko.properties b/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
index efa977a34d..146f831044 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
@@ -173,7 +173,6 @@ sslUtilBase.noCrlSupport=truststoreProvider [{0}]은(는) certificateRevocationF
 sslUtilBase.noKeys=개인 키들에 대한 별칭들이 키 저장소에 없습니다.
 sslUtilBase.noVerificationDepth=truststoreProvider [{0}]은(는) certificateVerificationDepth 설정 옵션을 지원하지 않습니다.
 sslUtilBase.noneSupported=지정된 [{0}]의 어느 것도 SSL 엔진에 의해 지원되지 않습니다: [{1}]
-sslUtilBase.skipped=지정된 [{0}]의 일부가 SSL 엔진에 의해 지원되지 않아 건너뜁니다: [{1}]
 sslUtilBase.ssl3=SSLv3이 명시적으로 사용 가능 상태로 설정되었습니다. 이 프로토콜은 안전하지 않은 것으로 알려져 있습니다.
 sslUtilBase.tls13.auth=JSSE TLS 1.3 구현이 초기 handshake 이후의 인증을 지원하지 않음에 따라, 선택사항인 클라이언트 인증과 호환되지 않습니다.
 sslUtilBase.trustedCertNotChecked=인증서가 알 수 없는 타입이라서, 별칭이 [{0}]인 신뢰되는 인증서의 유효일자들이 점검되지 않았습니다.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c7e9a0e77a..04453572ee 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -145,6 +145,10 @@
         automatically call
         <code>setCertificateKeystoreType(ks.getType())</code>. (markt)
       </add>
+      <fix>
+        <bug>67628</bug>: Clarify how the <code>ciphers</code> attribute of the
+        <code>SSLHostConfig</code> is used. (markt)
+      </fix>
       <fix>
         <bug>67666</bug>: Ensure TLS connectors using PEM files either work with
         the <code>TLSCertificateReloadListener</code> or, in the rare case that
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index bc76a13f8c..8372bc2648 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1328,11 +1328,19 @@
       documentation for the list of ciphers supported and the syntax).
       Alternatively, a comma separated list of ciphers using the standard
       OpenSSL cipher names or the standard JSSE cipher names may be used.</p>
-      <p>When converting from OpenSSL syntax to JSSE ciphers for JSSE based
-      connectors, the behaviour of the OpenSSL syntax parsing is kept aligned
-      with the behaviour of the OpenSSL 1.1.0 development branch.</p>
+      <p>Different versions of OpenSSL may interpret the same cipher string
+      differently. For example, the <code>CCM8</code> ciphers were moved from
+      <code>HIGH</code> to <code>MEDIUM</code> in OpenSSL 3.2. Regardless of
+      the OpenSSL or JSSE version used, Tomcat converts the provided cipher
+      value to a list of ciphers in a manner consistent with the latest OpenSSL
+      development branch. This list of ciphers is then passed to the SSL
+      implementation.</p>
       <p>Only the ciphers that are supported by the SSL implementation will be
-      used.</p>
+      used. Any ciphers in the list derived from a non-default cipher string
+      that are not supported by the SSL implementation will be logged in a
+      <code>WARNING</code> message when the Connector starts. The warning can be
+      avoided by providing an explicit list of ciphers that are supported by the
+      configured SSL implementation.</p>
       <p>If not specified, a default (using the OpenSSL notation) of
       <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA</code> will be
       used.</p>




(tomcat) 02/03: Add test based on BZ 67628

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit cd164eabf21c8f6021291c97ee3d42701e1bafe9
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Nov 1 19:34:45 2023 +0000

    Add test based on BZ 67628
---
 .../ciphers/TestOpenSSLCipherConfigurationParser.java     | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 5f301b5cae..1c2b94644e 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -556,6 +556,21 @@ public class TestOpenSSLCipherConfigurationParser {
         testSpecification("EECDH+aRSA+SHA384:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS");
     }
 
+
+    /*
+     * Cipher string extracted from https://bz.apache.org/bugzilla/show_bug.cgi?id=67628
+     */
+    @Test
+    public void testSpecification04() throws Exception {
+        if (TesterOpenSSL.VERSION < 30200) {
+            // OpenSSL 3.2.x moved the CCM8 ciphers from high to medium
+            testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384:!AESCCM8");
+        } else {
+            testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384:");
+        }
+    }
+
+
     private void testSpecification(String specification) throws Exception {
         // Filter out cipher suites that OpenSSL does not implement
         String openSSLCipherList = TesterOpenSSL.getOpenSSLCiphersAsExpression(specification);
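Review bot: The cipher string in the else branch of testSpecification04 ends with a trailing `:` left behind where `!AESCCM8` was removed, so on OpenSSL 3.2+ the test exercises an empty trailing element rather than the string from the bug report; unless that is deliberate, drop it: `testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384");`. The comment in the if branch says what OpenSSL 3.2 changed but not why the exclusion is only applied on older versions; since the sibling commit's http.xml wording says Tomcat follows the latest OpenSSL development branch, I would extend it to `// OpenSSL 3.2.x moved the CCM8 ciphers from HIGH to MEDIUM; Tomcat's parser follows the newer` / `// classification, so exclude them explicitly when comparing against an older OpenSSL`. testSpecification's body continues outside the hunk.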

