Author: markt Date: Wed Mar 2 23:13:25 2016 New Revision: 1733390 URL: http://svn.apache.org/viewvc?rev=1733390&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59081 Retain the user defined cipher order when defining ciphers
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParserOnly.java tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java?rev=1733390&r1=1733389&r2=1733390&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java Wed Mar 2 23:13:25 2016
@@ -70,8 +70,8 @@ public abstract class SSLUtilBase implem
 // can be done at this point.
 enabled.addAll(configured);
 } else {
- enabled.addAll(implemented);
- enabled.retainAll(configured);
+ enabled.addAll(configured);
+ enabled.retainAll(implemented);
 if (enabled.isEmpty()) {
 // Don't use the defaults in this case. They may be less secure
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java?rev=1733390&r1=1733389&r2=1733390&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java Wed Mar 2 23:13:25 2016
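Review bot: The enclosing method starts and ends outside the hunk, so the declaration of `enabled` is not visible; if it is a List, seeding it from `configured` instead of `implemented` means an entry repeated in the configuration now appears twice in `enabled`, whereas the old `addAll(implemented)` form could only yield each implemented entry once. A `LinkedHashSet` intermediate, or a `distinct()` pass before the `addAll`, would keep the new ordering without the duplicates. The reason for the new order is also worth stating at the changed lines, since the next reader will see two near-identical calls and may swap them back: `// Preserve the configured order (BZ 59081); only drop entries the implementation does not support`.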
@@ -695,7 +695,7 @@ public class OpenSSLCipherConfigurationP
 }
 }
 ciphers.removeAll(removedCiphers);
- return defaultSort(ciphers);
+ return ciphers;
 }
 public static List<String> convertForJSSE(Collection<Cipher> ciphers) {
Modified: tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParserOnly.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParserOnly.java?rev=1733390&r1=1733389&r2=1733390&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParserOnly.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParserOnly.java Wed Mar 2 23:13:25 2016
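Review bot: Returning `ciphers` unsorted changes the order produced for alias expansions as well as for explicitly listed ciphers; if `defaultSort` was the emulation of the preference order the native OpenSSL implementation applies to aliases such as `ECDHE`, an alias-only expression will now come out in whatever order the alias tables supply, which may no longer match what the native connector negotiates. If that is the case, applying `defaultSort` only to ciphers contributed by an alias, while leaving explicitly named ciphers in their written order, would satisfy BZ 59081 without that regression. `defaultSort` also has no remaining caller within this hunk; if that holds for the whole file it should be removed or its Javadoc should say when it still applies. `parse` begins outside the hunk, so its Javadoc, if present, should now state that the returned set preserves the order of the expression.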
@@ -76,4 +76,21 @@ public class TestOpenSSLCipherConfigurat
 Assert.assertEquals(expected, result);
 }
+
+ @Test
+ public void testCustomOrdering() throws Exception {
+ // https://bz.apache.org/bugzilla/show_bug.cgi?id=59081
+ LinkedHashSet<Cipher> result = OpenSSLCipherConfigurationParser.parse(
+ "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:" +
+ "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA");
+ LinkedHashSet<Cipher> expected = new LinkedHashSet<>();
+ expected.add(Cipher.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384);
+ expected.add(Cipher.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA);
+ expected.add(Cipher.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA);
+ expected.add(Cipher.TLS_DHE_RSA_WITH_AES_256_CBC_SHA);
+ expected.add(Cipher.TLS_DHE_RSA_WITH_AES_128_CBC_SHA);
+ expected.add(Cipher.TLS_RSA_WITH_3DES_EDE_CBC_SHA);
+
+ Assert.assertEquals(expected.toString(), result.toString());
+ }
 }
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1733390&r1=1733389&r2=1733390&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 2 23:13:25 2016
@@ -168,6 +168,10 @@ Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> with the current OpenSSL implementation. (markt) </fix> + <fix> + <bug>59081</bug>: Retain the user defined cipher order when defining + ciphers. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
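Review bot: The final assertion in `testCustomOrdering` compares `toString()` output because `LinkedHashSet.equals` ignores iteration order, but nothing says so, and a failure prints two long strings rather than the element that moved. `Assert.assertArrayEquals(expected.toArray(), result.toArray());` checks the same ordering directly and reports the first mismatching index; if the string comparison is kept, a comment on that line would save the next reader from "simplifying" it back to a set comparison: `// compare as strings: Set.equals() ignores order, and order is the point of BZ 59081`. The enclosing test class begins outside the hunk.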