Author: markt Date: Wed Mar 2 21:38:38 2016 New Revision: 1733373 URL: http://svn.apache.org/viewvc?rev=1733373&view=rev Log: kECDHE and ECDHE are now supported.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java?rev=1733373&r1=1733372&r2=1733373&view=diff ==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java Wed Mar 2 21:38:38 2016
@@ -426,8 +426,12 @@ public class OpenSSLCipherConfigurationP
 addListAlias(kECDHe, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.ECDHe)));
 addListAlias(kECDH, filterByKeyExchange(allCiphers, new HashSet<>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr))));
 addListAlias(ECDH, filterByKeyExchange(allCiphers, new HashSet<>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr, KeyExchange.EECDH))));
- addListAlias(kECDHE, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.ECDHe)));
- aliases.put(ECDHE, aliases.get(kECDHE));
+ addListAlias(kECDHE, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH)));
+
+ Set<Cipher> ecdhe = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH));
+ remove(ecdhe, aNULL);
+ addListAlias(ECDHE, ecdhe);
+
 addListAlias(kEECDH, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH)));
 aliases.put(EECDHE, aliases.get(kEECDH));
 Set<Cipher> eecdh = filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH));
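Review bot: `remove(ecdhe, aNULL)` mutates the freshly built `ecdhe` set, which is the reason this block cannot share the `filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.EECDH))` result that is now computed four times in a row (for `kECDHE`, `ecdhe`, `kEECDH` and the following `eecdh`); a one-line comment would stop a later refactor from collapsing them, e.g. `// fresh set on purpose: remove() below mutates it, so it must not be shared with kECDHE/kEECDH`. The same call relies on `aliases.get(aNULL)` already being populated here — if the `aNULL` alias is registered later in this method the lookup returns null and `removeAll(null)` throws a NullPointerException; the registration order is not visible in the hunk, so this is worth confirming. A short comment on the intended difference would also help readers: `kECDHE` keeps the anonymous suites while `ECDHE` drops them, which is what the changelog entry describes as aligning with OpenSSL. The enclosing method starts and ends outside this hunk.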
@@ -526,7 +530,7 @@ public class OpenSSLCipherConfigurationP ciphers.addAll(aliases.get(alias)); } - static void remove(final LinkedHashSet<Cipher> ciphers, final String alias) { + static void remove(final Set<Cipher> ciphers, final String alias) { ciphers.removeAll(aliases.get(alias)); } @@ -550,6 +554,10 @@ public class OpenSSLCipherConfigurationP return result; } + /* + * See + * https://github.com/openssl/openssl/blob/7c96dbcdab959fef74c4caae63cdebaa354ab252/ssl/ssl_ciph.c#L1371 + */ static LinkedHashSet<Cipher> defaultSort(final LinkedHashSet<Cipher> ciphers) { final LinkedHashSet<Cipher> result = new LinkedHashSet<>(ciphers.size()); /* Now arrange all ciphers by preference: */ @@ -564,9 +572,6 @@ public class OpenSSLCipherConfigurationP /* Temporarily enable everything else for sorting */ result.addAll(ciphers); - /* Low priority for SSLv2 */ - moveToEnd(result, filterByProtocol(result, Collections.singleton(Protocol.SSLv2))); - /* Low priority for MD5 */ moveToEnd(result, filterByMessageDigest(result, Collections.singleton(MessageDigest.MD5))); 
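Review bot: The widened `static void remove(final Set<Cipher> ciphers, final String alias)` now serves callers that pass it a set they go on to register as an alias (the new `ecdhe` set in the `kECDHE`/`ECDHE` hunk), so its contract deserves a Javadoc: it mutates `ciphers` in place and requires that `alias` has already been added to `aliases`, because `aliases.get(alias)` returning null makes `ciphers.removeAll(null)` throw a NullPointerException. Something like `/** Removes every cipher of the already-registered alias {@code alias} from {@code ciphers}, mutating it in place. */` would cover both points. The widening itself is sound since the body only uses `Collection.removeAll`.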
@@ -579,7 +584,7 @@ public class OpenSSLCipherConfigurationP moveToEnd(result, filterByAuthentication(result, Collections.singleton(Authentication.ECDH))); moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.RSA))); moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.PSK))); - moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.KRB5))); + /* RC4 is sort-of broken -- move the the end */ moveToEnd(result, filterByEncryption(result, Collections.singleton(Encryption.RC4))); return strengthSort(result); Modified: tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java?rev=1733373&r1=1733372&r2=1733373&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java Wed Mar 2 21:38:38 2016 @@ -281,14 +281,12 @@ public class TestOpenSSLCipherConfigurat @Test - @Ignore("Contrary to the docs, OpenSSL does not recognise kECDHE") public void testkECDHE() throws Exception { testSpecification("kECDHE"); } @Test - @Ignore("Contrary to the docs, OpenSSL does not recognise ECDHE") public void testECDHE() throws Exception { testSpecification("ECDHE"); } Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1733373&r1=1733372&r2=1733373&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 2 21:38:38 2016 
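Review bot: The new comment `/* RC4 is sort-of broken -- move the the end */` has a doubled word; `/* RC4 is sort-of broken -- move to the end */`. Since this is the last `moveToEnd` before `return strengthSort(result)`, RC4 suites presumably end up behind every other demotion in the preference list, and saying so in the comment would make the intent explicit rather than implied by position. `defaultSort` begins outside this hunk, so the earlier demotions it applies are not visible here.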
@@ -164,6 +164,10 @@ shutdown if the Poller experiences an error during the shutdown process. (markt) </fix> + <fix> + Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> with + the current OpenSSL implementation. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org