Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/09/27 08:22:27 UTC

[tomcat] branch 8.5.x updated (efd7c27 -> 94fff28)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


    from efd7c27  Remove incorrect comment
     new 6bd7672  Better version matching for OpenSSL 3.x
     new 221e60c  OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM
     new 4835a7c  Remove handling for old, unsupported OpenSSL versions
     new 94fff28  Remove support for undocumented EECDHE

The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../tomcat/util/net/openssl/ciphers/Cipher.java    | 22 +++----
 .../ciphers/OpenSSLCipherConfigurationParser.java  |  5 --
 .../TestOpenSSLCipherConfigurationParser.java      | 71 ++++++++--------------
 .../util/net/openssl/ciphers/TesterOpenSSL.java    | 20 ++----
 webapps/docs/changelog.xml                         |  4 ++
 5 files changed, 47 insertions(+), 75 deletions(-)



[tomcat] 04/04: Remove support for undocumented EECDHE

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 94fff28c715202c05d12b7aa1d4d6186f8f9d0fb
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:19:54 2021 +0100

    Remove support for undocumented EECDHE
---
 .../net/openssl/ciphers/OpenSSLCipherConfigurationParser.java     | 5 -----
 .../net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java | 8 --------
 2 files changed, 13 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 401c2b3..caea744 100644
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -182,10 +182,6 @@ public class OpenSSLCipherConfigurationParser {
      */
     private static final String ECDHE = "ECDHE";
     /**
-     * Cipher suites using authenticated ephemeral ECDH key agreement
-     */
-    private static final String EECDHE = "EECDHE";
-    /**
      * Anonymous Elliptic Curve Diffie Hellman cipher suites.
      */
     private static final String AECDH = "AECDH";
@@ -470,7 +466,6 @@ public class OpenSSLCipherConfigurationParser {
         addListAlias(ECDHE, ecdhe);
 
         addListAlias(kEECDH, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH)));
-        aliases.put(EECDHE, aliases.get(kEECDH));
         Set<Cipher> eecdh = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH));
         eecdh.removeAll(filterByAuthentication(allCiphers, Collections.singleton(Authentication.aNULL)));
         addListAlias(EECDH, eecdh);
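Review bot: Dropping the `aliases.put(EECDHE, aliases.get(kEECDH));` line is a user-visible change to the cipher strings the parser accepts, yet unlike commit 02/04 in this push this commit does not add an entry to webapps/docs/changelog.xml. A configuration that still lists `EECDHE` will presumably no longer resolve it to the `kEECDH` set; how the parser then treats the unknown token is outside this hunk, so the changelog entry (or a log message at the point where unknown aliases are handled) should state what operators will observe. The enclosing method starts and ends outside the hunk.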
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 0400f1d..dc8b007 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -20,7 +20,6 @@ import java.util.List;
 import java.util.TreeSet;
 
 import org.junit.Assert;
-import org.junit.Ignore;
 import org.junit.Test;
 
 public class TestOpenSSLCipherConfigurationParser {
@@ -204,13 +203,6 @@ public class TestOpenSSLCipherConfigurationParser {
 
 
     @Test
-    @Ignore("Contrary to the docs, OpenSSL does not recognise EECDHE")
-    public void testEECDHE() throws Exception {
-        testSpecification("EECDHE");
-    }
-
-
-    @Test
     public void testAECDH() throws Exception {
         testSpecification("AECDH");
     }



[tomcat] 02/04: OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 221e60c7a64a52d4b00c9030842cbe5d7ea10e16
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:13:46 2021 +0100

    OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM
---
 .../tomcat/util/net/openssl/ciphers/Cipher.java    | 22 +++++++++++-----------
 .../TestOpenSSLCipherConfigurationParser.java      | 21 ++++++++++++++++++---
 webapps/docs/changelog.xml                         |  4 ++++
 3 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
index 37dceee..ea64076 100644
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
@@ -2776,7 +2776,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_3,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             true,
             128,
             128,
@@ -4432,7 +4432,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             128,
             128,
@@ -4449,7 +4449,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             256,
             256,
@@ -4466,7 +4466,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             128,
             128,
@@ -4483,7 +4483,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             256,
             256,
@@ -4568,7 +4568,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             128,
             128,
@@ -4585,7 +4585,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             256,
             256,
@@ -4602,7 +4602,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             128,
             128,
@@ -4619,7 +4619,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             256,
             256,
@@ -4671,7 +4671,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             128,
             128,
@@ -4688,7 +4688,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             256,
             256,
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index a03d97b..8fa66df 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -73,13 +73,23 @@ public class TestOpenSSLCipherConfigurationParser {
 
     @Test
     public void testHIGH() throws Exception {
-        testSpecification("HIGH");
+        if (TesterOpenSSL.VERSION < 30100) {
+            // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+            testSpecification("HIGH:!AESCCM8");
+        } else {
+            testSpecification("HIGH");
+        }
     }
 
 
     @Test
     public void testMEDIUM() throws Exception {
-        testSpecification("MEDIUM");
+        if (TesterOpenSSL.VERSION < 30100) {
+            // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+            testSpecification("MEDIUM:AESCCM8");
+        } else {
+            testSpecification("MEDIUM");
+        }
     }
 
 
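Review bot: The guard `if (TesterOpenSSL.VERSION < 30100)` and the comment `// OpenSSL 3.1.x moved the CCM8 ciphers from high to medium` are repeated verbatim in testHIGH, testMEDIUM and again in the second hunk of this file (at @@ -555), and the comment as written does not say that the branch it sits in is the one for *older* OpenSSL, where the reference output still lists the CCM8 ciphers as HIGH. A single named constant keeps the rationale in one place: `// Tomcat follows OpenSSL 3.1.x, which moved the CCM8 ciphers from HIGH to MEDIUM; older OpenSSL still reports them as HIGH` followed by `private static final boolean CCM8_IS_HIGH = TesterOpenSSL.VERSION < 30100;`, with each test reading `if (CCM8_IS_HIGH)`. The three adjusted specifications (`HIGH:!AESCCM8`, `MEDIUM:AESCCM8`, `HIGH:!AESCCM8:!aNULL:...`) can stay inline since they differ per test.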
@@ -555,7 +565,12 @@ public class TestOpenSSLCipherConfigurationParser {
         // Tomcat 8 default as of 2014-08-04
         // This gets an A- from https://www.ssllabs.com/ssltest with no FS for
         // a number of the reference browsers
-        testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+        if (TesterOpenSSL.VERSION < 30100) {
+            // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+            testSpecification("HIGH:!AESCCM8:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+        } else {
+            testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+        }
     }
 
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2b005ad..6f0c23c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -117,6 +117,10 @@
         <bug>65577</bug>: Fix a <code>AccessControlException</code> reporting
         when running an NIO2 connector with TLS enabled. (markt)
       </fix>
+      <update>
+        Reclassify TLS ciphers that use AESCCM8 as medium security rather than
+        high security to align with recent changes in OpenSSL. (markt)
+      </update>
     </changelog>
   </subsection>
   <subsection name="Jasper">



[tomcat] 01/04: Better version matching for OpenSSL 3.x

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 6bd7672cb3446b8e5246cc92692485682c21e73d
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:13:00 2021 +0100

    Better version matching for OpenSSL 3.x
---
 test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
index 88d2b46..fe30d7f 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
@@ -49,10 +49,10 @@ public class TesterOpenSSL {
         } catch (IOException e) {
             versionString = "";
         }
-        if (versionString.startsWith("OpenSSL 3.1.0")) {
+        if (versionString.startsWith("OpenSSL 3.1.")) {
             // Note: Gump currently tests 10.x with OpenSSL 3.1.x
             VERSION = 30100;
-        } else if (versionString.startsWith("OpenSSL 3.0.0")) {
+        } else if (versionString.startsWith("OpenSSL 3.0.")) {
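Review bot: The `startsWith("OpenSSL 3.1.")` / `startsWith("OpenSSL 3.0.")` ladder now covers every 3.0.x and 3.1.x patch release, but each future minor (3.2, 3.3, ...) still needs a new branch, and a 3.x release not listed here falls through to the older-version branches below the hunk, so it would presumably be compared as if it were an old OpenSSL. Parsing the three numeric components once and encoding them the way the constants already do (major*10000 + minor*100 + patch, so 1.0.2 is 10002, 1.1.1 is 10101 and 3.1.0 is 30100) removes the ladder; the comparisons visible in this push are all `<`/`>=` against those constants, so a patch-level value such as 30104 still sorts correctly, but any exact equality check elsewhere in the tests would need confirming, and java.util.regex would need importing. The method containing this code starts and ends outside the hunk.
```java
// … unchanged: run "openssl version" and capture versionString …
Matcher m = Pattern.compile("OpenSSL (\\d+)\\.(\\d+)\\.(\\d+)").matcher(versionString);
if (m.lookingAt()) {
    // Same encoding as the existing constants: 1.1.1 -> 10101, 3.1.0 -> 30100.
    // The 1.x letter suffix (e.g. 1.1.1k) is deliberately ignored.
    VERSION = Integer.parseInt(m.group(1)) * 10000
            + Integer.parseInt(m.group(2)) * 100
            + Integer.parseInt(m.group(3));
} else {
    // … unchanged: handling for an unrecognised or empty version string …
}
```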
             VERSION = 30000;
         } else if (versionString.startsWith("OpenSSL 1.1.1")) {
             // LTS



[tomcat] 03/04: Remove handling for old, unsupported OpenSSL versions

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 4835a7c0f22e21cff40c8a4c49fc2129952fc346
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:18:22 2021 +0100

    Remove handling for old, unsupported OpenSSL versions
---
 .../TestOpenSSLCipherConfigurationParser.java      | 42 +++++-----------------
 .../util/net/openssl/ciphers/TesterOpenSSL.java    | 16 ++-------
 2 files changed, 12 insertions(+), 46 deletions(-)

diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 8fa66df..0400f1d 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -27,23 +27,13 @@ public class TestOpenSSLCipherConfigurationParser {
 
     @Test
     public void testDEFAULT() throws Exception {
-        if (TesterOpenSSL.VERSION < 10100) {
-            // Account for classes of ciphers removed from DEFAULT in 1.1.0
-            testSpecification("DEFAULT:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM:!3DES");
-        } else {
-            testSpecification("DEFAULT");
-        }
+        testSpecification("DEFAULT");
     }
 
 
     @Test
     public void testCOMPLEMENTOFDEFAULT() throws Exception {
-        if (TesterOpenSSL.VERSION < 10100) {
-            // Account for classes of ciphers removed from DEFAULT in 1.1.0
-            testSpecification("COMPLEMENTOFDEFAULT:RC4:DSS:SEED:IDEA:CAMELLIA:AESCCM:aNULL:3DES");
-        } else {
-            testSpecification("COMPLEMENTOFDEFAULT");
-        }
+        testSpecification("COMPLEMENTOFDEFAULT");
     }
 
 
@@ -137,10 +127,7 @@ public class TestOpenSSLCipherConfigurationParser {
 
     @Test
     public void testkDHE() throws Exception {
-        // This alias was introduced in 1.0.2
-        if (TesterOpenSSL.VERSION >= 10002) {
-            testSpecification("kDHE");
-        }
+        testSpecification("kDHE");
     }
 
 
@@ -152,10 +139,7 @@ public class TestOpenSSLCipherConfigurationParser {
 
     @Test
     public void testDHE() throws Exception {
-        // This alias was introduced in 1.0.2
-        if (TesterOpenSSL.VERSION >= 10002) {
-            testSpecification("DHE");
-        }
+        testSpecification("DHE");
     }
 
 
@@ -300,27 +284,19 @@ public class TestOpenSSLCipherConfigurationParser {
 
     @Test
     public void testTLSv1() throws Exception {
-        // In OpenSSL 1.1.0-dev, TLSv1 refers to those ciphers that require
-        // TLSv1 rather than being an alias for SSLv3
-        if (TesterOpenSSL.VERSION >= 10100) {
-            testSpecification("TLSv1");
-        }
+        testSpecification("TLSv1");
     }
 
 
     @Test
-    public void testSSLv2() throws Exception {
-        testSpecification("SSLv2");
+    public void testSSLv3() throws Exception {
+        testSpecification("SSLv3");
     }
 
 
     @Test
-    public void testSSLv3() throws Exception {
-        // In OpenSSL 1.1.0-dev, TLSv1 refers to those ciphers that require
-        // TLSv1 rather than being an alias for SSLv3
-        if (TesterOpenSSL.VERSION < 10100) {
-            testSpecification("SSLv3:TLSv1");
-        }
+    public void testSSLv2() throws Exception {
+        testSpecification("SSLv2");
     }
 
 
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
index fe30d7f..946302a 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
@@ -253,19 +253,9 @@ public class TesterOpenSSL {
         // Standard command to list the ciphers
         args.add("ciphers");
         args.add("-v");
-        if (VERSION < 10100) {
-            // Need to exclude the GOST ciphers
-            if (specification == null) {
-                specification = "DEFAULT:!aGOST";
-            } else {
-                specification = "!aGOST:" + specification;
-            }
-        }
-        if (VERSION >= 10101) {
-            // Need to exclude the TLSv1.3 ciphers
-            args.add("-ciphersuites");
-            args.add("");
-        }
+        // Need to exclude the TLSv1.3 ciphers
+        args.add("-ciphersuites");
+        args.add("");
         // Include the specification if provided
         if (specification != null) {
             args.add(specification);
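Review bot: Always passing `-ciphersuites ""` makes the tester depend on OpenSSL 1.1.1 or later (the floor the removed `VERSION >= 10101` guard enforced), but nothing in the hunk records that requirement; on an older binary the option would presumably be rejected by the `openssl` process rather than failing with a clear message. Suggest replacing the comment with `// Requires OpenSSL 1.1.1+ (-ciphersuites): exclude the TLSv1.3 ciphersuites from the listing`, and adding a one-time check where VERSION is computed (outside this hunk), e.g. `if (VERSION < 10101) throw new IllegalStateException("OpenSSL 1.1.1 or later is required, found: " + versionString);`. That also gives the simplified tests in TestOpenSSLCipherConfigurationParser (the four hunks of this commit at @@ -27, -137, -152 and -300, whose old-version branches were removed) a single clear failure cause. The enclosing method starts and ends outside the hunk.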
