Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/09/27 08:20:38 UTC
[tomcat] 02/04: OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 7769bca25ee85ff7552daccf21b55d8c6cf1f439
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 27 09:13:46 2021 +0100
OpenSSL moved AESCCM8 ciphers from HIGH to MEDIUM
---
.../tomcat/util/net/openssl/ciphers/Cipher.java | 22 +++++++++++-----------
.../TestOpenSSLCipherConfigurationParser.java | 21 ++++++++++++++++++---
webapps/docs/changelog.xml | 4 ++++
3 files changed, 33 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
index 37dceee..ea64076 100644
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/Cipher.java
@@ -2776,7 +2776,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_3,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
true,
128,
128,
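Review bot: The downgrade to `EncryptionLevel.MEDIUM` on the fourth line of this hunk carries no explanation, and the same unexplained change is repeated in the ten hunks that follow (at 4432, 4449, 4466, 4483, 4568, 4585, 4602, 4619, 4671 and 4688). Only the enum's constructor arguments are visible here, so which constant each hunk belongs to cannot be confirmed from the diff, but the commit title indicates these are the AESCCM8 suites, whose truncated 8-byte authentication tag is presumably why OpenSSL now rates them below the GCM and full-tag CCM suites. Since `HIGH` and `MEDIUM` are keywords accepted by the cipher-specification parser (see the test file in this commit), a reader of this enum will want that rationale next to the value rather than only in the changelog: `EncryptionLevel.MEDIUM, // CCM8: OpenSSL 3.1+ rates the 8-byte-tag CCM suites MEDIUM, not HIGH`. The enclosing `public enum Cipher` starts and ends outside every hunk.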
@@ -4432,7 +4432,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
128,
128,
@@ -4449,7 +4449,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
256,
256,
@@ -4466,7 +4466,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
128,
128,
@@ -4483,7 +4483,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
256,
256,
@@ -4568,7 +4568,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
128,
128,
@@ -4585,7 +4585,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
256,
256,
@@ -4602,7 +4602,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
128,
128,
@@ -4619,7 +4619,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
256,
256,
@@ -4671,7 +4671,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
128,
128,
@@ -4688,7 +4688,7 @@ public enum Cipher {
MessageDigest.AEAD,
Protocol.TLSv1_2,
false,
- EncryptionLevel.HIGH,
+ EncryptionLevel.MEDIUM,
false,
256,
256,
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index a03d97b..8fa66df 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -73,13 +73,23 @@ public class TestOpenSSLCipherConfigurationParser {
@Test
public void testHIGH() throws Exception {
- testSpecification("HIGH");
+ if (TesterOpenSSL.VERSION < 30100) {
+ // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+ testSpecification("HIGH:!AESCCM8");
+ } else {
+ testSpecification("HIGH");
+ }
}
@Test
public void testMEDIUM() throws Exception {
- testSpecification("MEDIUM");
+ if (TesterOpenSSL.VERSION < 30100) {
+ // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+ testSpecification("MEDIUM:AESCCM8");
+ } else {
+ testSpecification("MEDIUM");
+ }
}
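Review bot: The version gate `TesterOpenSSL.VERSION < 30100` and the comment `// OpenSSL 3.1.x moved the CCM8 ciphers from high to medium` are copied verbatim into three places in this file (testHIGH and testMEDIUM here, and again in the hunk at line 565), with the raw literal 30100 standing in for the version boundary each time. A named constant such as `private static final int OPENSSL_3_1_0 = 30100;` would make the boundary self-describing and keep the three sites from drifting if the threshold is ever adjusted; whether `VERSION` encodes 3.1.0 as 30100 cannot be confirmed from the diff. The comment also reads as if it describes the `< 30100` branch, whereas that branch is the pre-3.1 case in which `AESCCM8` has to be stripped from or added to the spec so the expected list from an older OpenSSL matches Tomcat's new classification; rewording it to `// Tomcat now rates CCM8 as MEDIUM (as OpenSSL 3.1+ does); adjust the spec so pre-3.1 OpenSSL agrees` would say that directly.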
@@ -555,7 +565,12 @@ public class TestOpenSSLCipherConfigurationParser {
// Tomcat 8 default as of 2014-08-04
// This gets an A- from https://www.ssllabs.com/ssltest with no FS for
// a number of the reference browsers
- testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+ if (TesterOpenSSL.VERSION < 30100) {
+ // OpenSSL 3.1.x moved the CCM8 ciphers from high to medium
+ testSpecification("HIGH:!AESCCM8:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+ } else {
+ testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+ }
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6d7afcb..d9622dd 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -151,6 +151,10 @@
<bug>65577</bug>: Fix a <code>AccessControlException</code> reporting
when running an NIO2 connector with TLS enabled. (markt)
</fix>
+ <update>
+ Reclassify TLS ciphers that use AESCCM8 as medium security rather than
+ high security to align with recent changes in OpenSSL. (markt)
+ </update>
</changelog>
</subsection>
<subsection name="Jasper">