Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/09/27 08:21:54 UTC

[tomcat] branch 9.0.x updated (d01cf5a -> 5b942a4)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


    from d01cf5a  Remove incorrect comment
     new 2a2f3a2  Better version matching for OpenSSL 3.x
     new 4e20c36  OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM
     new 918f949  Remove handling for old, unsupported OpenSSL versions
     new 5b942a4  Remove support for undocumented EECDHE

The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../tomcat/util/net/openssl/ciphers/Cipher.java    | 22 +++----
 .../ciphers/OpenSSLCipherConfigurationParser.java  |  5 --
 .../TestOpenSSLCipherConfigurationParser.java      | 71 ++++++++--------------
 .../util/net/openssl/ciphers/TesterOpenSSL.java    | 20 ++----
 webapps/docs/changelog.xml                         |  4 ++
 5 files changed, 47 insertions(+), 75 deletions(-)



[tomcat] 04/04: Remove support for undocumented EECDHE

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 5b942a4c30f7e97c64e1c6c88299adaaf9a11da6
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:19:54 2021 +0100

    Remove support for undocumented EECDHE
---
 .../net/openssl/ciphers/OpenSSLCipherConfigurationParser.java     | 5 -----
 .../net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java | 8 --------
 2 files changed, 13 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 401c2b3..caea744 100644
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -182,10 +182,6 @@ public class OpenSSLCipherConfigurationParser {
      */
     private static final String ECDHE = "ECDHE";
     /**
-     * Cipher suites using authenticated ephemeral ECDH key agreement
-     */
-    private static final String EECDHE = "EECDHE";
-    /**
      * Anonymous Elliptic Curve Diffie Hellman cipher suites.
      */
     private static final String AECDH = "AECDH";
@@ -470,7 +466,6 @@ public class OpenSSLCipherConfigurationParser {
         addListAlias(ECDHE, ecdhe);
 
         addListAlias(kEECDH, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH)));
-        aliases.put(EECDHE, aliases.get(kEECDH));
         Set<Cipher> eecdh = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH));
         eecdh.removeAll(filterByAuthentication(allCiphers, Collections.singleton(Authentication.aNULL)));
         addListAlias(EECDH, eecdh);
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 0400f1d..dc8b007 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -20,7 +20,6 @@ import java.util.List;
 import java.util.TreeSet;
 
 import org.junit.Assert;
-import org.junit.Ignore;
 import org.junit.Test;
 
 public class TestOpenSSLCipherConfigurationParser {
@@ -204,13 +203,6 @@ public class TestOpenSSLCipherConfigurationParser {
 
 
     @Test
-    @Ignore("Contrary to the docs, OpenSSL does not recognise EECDHE")
-    public void testEECDHE() throws Exception {
-        testSpecification("EECDHE");
-    }
-
-
-    @Test
     public void testAECDH() throws Exception {
         testSpecification("AECDH");
     }



[tomcat] 02/04: OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 4e20c36e399a61ad173f850fcb7acc863ea4b076
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:13:46 2021 +0100

    OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM
---
 .../tomcat/util/net/openssl/ciphers/Cipher.java    | 22 +++++++++++-----------
 .../TestOpenSSLCipherConfigurationParser.java      | 21 ++++++++++++++++++---
 webapps/docs/changelog.xml                         |  4 ++++
 3 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
index 37dceee..ea64076 100644
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
@@ -2776,7 +2776,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_3,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             true,
             128,
             128,
@@ -4432,7 +4432,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             128,
             128,
@@ -4449,7 +4449,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             256,
             256,
@@ -4466,7 +4466,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             128,
             128,
@@ -4483,7 +4483,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             256,
             256,
@@ -4568,7 +4568,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             128,
             128,
@@ -4585,7 +4585,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             256,
             256,
@@ -4602,7 +4602,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             128,
             128,
@@ -4619,7 +4619,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             256,
             256,
@@ -4671,7 +4671,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             128,
             128,
@@ -4688,7 +4688,7 @@ public enum Cipher {
             MessageDigest.AEAD,
             Protocol.TLSv1_2,
             false,
-            EncryptionLevel.HIGH,
+            EncryptionLevel.MEDIUM,
             false,
             256,
             256,
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index a03d97b..8fa66df 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -73,13 +73,23 @@ public class TestOpenSSLCipherConfigurationParser {
 
     @Test
     public void testHIGH() throws Exception {
-        testSpecification("HIGH");
+        if (TesterOpenSSL.VERSION < 30100) {
+            // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+            testSpecification("HIGH:!AESCCM8");
+        } else {
+            testSpecification("HIGH");
+        }
     }
 
 
     @Test
     public void testMEDIUM() throws Exception {
-        testSpecification("MEDIUM");
+        if (TesterOpenSSL.VERSION < 30100) {
+            // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+            testSpecification("MEDIUM:AESCCM8");
+        } else {
+            testSpecification("MEDIUM");
+        }
     }
 
 
@@ -555,7 +565,12 @@ public class TestOpenSSLCipherConfigurationParser {
         // Tomcat 8 default as of 2014-08-04
         // This gets an A- from https://www.ssllabs.com/ssltest with no FS for
         // a number of the reference browsers
-        testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+        if (TesterOpenSSL.VERSION < 30100) {
+            // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+            testSpecification("HIGH:!AESCCM8:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+        } else {
+            testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+        }
     }
 
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 90a8932..dfea198 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -139,6 +139,10 @@
         <bug>65577</bug>: Fix a <code>AccessControlException</code> reporting
         when running an NIO2 connector with TLS enabled. (markt)
       </fix>
+      <update>
+        Reclassify TLS ciphers that use AESCCM8 as medium security rather than
+        high security to align with recent changes in OpenSSL. (markt)
+      </update>
     </changelog>
   </subsection>
   <subsection name="Jasper">



[tomcat] 03/04: Remove handling for old, unsupported OpenSSL versions

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 918f949cad9ac54a878307760de048c301a88b98
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:18:22 2021 +0100

    Remove handling for old, unsupported OpenSSL versions
---
 .../TestOpenSSLCipherConfigurationParser.java      | 42 +++++-----------------
 .../util/net/openssl/ciphers/TesterOpenSSL.java    | 16 ++-------
 2 files changed, 12 insertions(+), 46 deletions(-)

diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 8fa66df..0400f1d 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -27,23 +27,13 @@ public class TestOpenSSLCipherConfigurationParser {
 
     @Test
     public void testDEFAULT() throws Exception {
-        if (TesterOpenSSL.VERSION < 10100) {
-            // Account for classes of ciphers removed from DEFAULT in 1.1.0
-            testSpecification("DEFAULT:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM:!3DES");
-        } else {
-            testSpecification("DEFAULT");
-        }
+        testSpecification("DEFAULT");
     }
 
 
     @Test
     public void testCOMPLEMENTOFDEFAULT() throws Exception {
-        if (TesterOpenSSL.VERSION < 10100) {
-            // Account for classes of ciphers removed from DEFAULT in 1.1.0
-            testSpecification("COMPLEMENTOFDEFAULT:RC4:DSS:SEED:IDEA:CAMELLIA:AESCCM:aNULL:3DES");
-        } else {
-            testSpecification("COMPLEMENTOFDEFAULT");
-        }
+        testSpecification("COMPLEMENTOFDEFAULT");
     }
 
 
@@ -137,10 +127,7 @@ public class TestOpenSSLCipherConfigurationParser {
 
     @Test
     public void testkDHE() throws Exception {
-        // This alias was introduced in 1.0.2
-        if (TesterOpenSSL.VERSION >= 10002) {
-            testSpecification("kDHE");
-        }
+        testSpecification("kDHE");
     }
 
 
@@ -152,10 +139,7 @@ public class TestOpenSSLCipherConfigurationParser {
 
     @Test
     public void testDHE() throws Exception {
-        // This alias was introduced in 1.0.2
-        if (TesterOpenSSL.VERSION >= 10002) {
-            testSpecification("DHE");
-        }
+        testSpecification("DHE");
     }
 
 
@@ -300,27 +284,19 @@ public class TestOpenSSLCipherConfigurationParser {
 
     @Test
     public void testTLSv1() throws Exception {
-        // In OpenSSL 1.1.0-dev, TLSv1 refers to those ciphers that require
-        // TLSv1 rather than being an alias for SSLv3
-        if (TesterOpenSSL.VERSION >= 10100) {
-            testSpecification("TLSv1");
-        }
+        testSpecification("TLSv1");
     }
 
 
     @Test
-    public void testSSLv2() throws Exception {
-        testSpecification("SSLv2");
+    public void testSSLv3() throws Exception {
+        testSpecification("SSLv3");
     }
 
 
     @Test
-    public void testSSLv3() throws Exception {
-        // In OpenSSL 1.1.0-dev, TLSv1 refers to those ciphers that require
-        // TLSv1 rather than being an alias for SSLv3
-        if (TesterOpenSSL.VERSION < 10100) {
-            testSpecification("SSLv3:TLSv1");
-        }
+    public void testSSLv2() throws Exception {
+        testSpecification("SSLv2");
     }
 
 
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
index fe30d7f..946302a 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
@@ -253,19 +253,9 @@ public class TesterOpenSSL {
         // Standard command to list the ciphers
         args.add("ciphers");
         args.add("-v");
-        if (VERSION < 10100) {
-            // Need to exclude the GOST ciphers
-            if (specification == null) {
-                specification = "DEFAULT:!aGOST";
-            } else {
-                specification = "!aGOST:" + specification;
-            }
-        }
-        if (VERSION >= 10101) {
-            // Need to exclude the TLSv1.3 ciphers
-            args.add("-ciphersuites");
-            args.add("");
-        }
+        // Need to exclude the TLSv1.3 ciphers
+        args.add("-ciphersuites");
+        args.add("");
         // Include the specification if provided
         if (specification != null) {
             args.add(specification);



[tomcat] 01/04: Better version matching for OpenSSL 3.x

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 2a2f3a2ce7d153f9b964ecf617b9b8d0728c45df
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:13:00 2021 +0100

    Better version matching for OpenSSL 3.x
---
 test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
index 88d2b46..fe30d7f 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
@@ -49,10 +49,10 @@ public class TesterOpenSSL {
         } catch (IOException e) {
             versionString = "";
         }
-        if (versionString.startsWith("OpenSSL 3.1.0")) {
+        if (versionString.startsWith("OpenSSL 3.1.")) {
             // Note: Gump currently tests 10.x with OpenSSL 3.1.x
             VERSION = 30100;
-        } else if (versionString.startsWith("OpenSSL 3.0.0")) {
+        } else if (versionString.startsWith("OpenSSL 3.0.")) {
             VERSION = 30000;
         } else if (versionString.startsWith("OpenSSL 1.1.1")) {
             // LTS
