Re: Unit Test TestOpenSSLCipherConfigurationParser fails for OpenSSL 3.1.0-alpha1

Mon, 05 Dec 2022 07:01:53 -0800 

Fixed.
The changes are in the current OpenSSL main development branch which (currently) is configured to be 3.2.x. 

Mark


On 05/12/2022 11:16, Rainer Jung wrote:

Hi there,


the following tests fail for me when using tcnative 2.0.2 build against 
OpenSSL 3.1.0-alpha1:


testHIGH: Expected 127 ciphers but got 137 for the specification 'HIGH'

testMEDIUM: Expected 10 ciphers but got 0 for the specification 'MEDIUM'


testSpecification01: Expected 115 ciphers but got 125 for the 
specification 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5'



In all three cases the reason seems to be, that the following ciphers 
have moved from MEDIUM to HIGH:


TLS_DHE_RSA_WITH_AES_128_CCM_8
TLS_DHE_RSA_WITH_AES_256_CCM_8
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
TLS_PSK_DHE_WITH_AES_128_CCM_8
TLS_PSK_DHE_WITH_AES_256_CCM_8
TLS_PSK_WITH_AES_128_CCM_8
TLS_PSK_WITH_AES_256_CCM_8
TLS_RSA_WITH_AES_128_CCM_8
TLS_RSA_WITH_AES_256_CCM_8

I could verify this by running:

/path/to/openssl301/bin/openssl ciphers -v HIGH|grep 'CCM8'|sort


AES128-CCM8                    TLSv1.2 Kx=RSA      Au=RSA 
Enc=AESCCM8(128)           Mac=AEAD
AES256-CCM8                    TLSv1.2 Kx=RSA      Au=RSA 
Enc=AESCCM8(256)           Mac=AEAD
DHE-PSK-AES128-CCM8            TLSv1.2 Kx=DHEPSK   Au=PSK 
Enc=AESCCM8(128)           Mac=AEAD
DHE-PSK-AES256-CCM8            TLSv1.2 Kx=DHEPSK   Au=PSK 
Enc=AESCCM8(256)           Mac=AEAD
DHE-RSA-AES128-CCM8            TLSv1.2 Kx=DH       Au=RSA 
Enc=AESCCM8(128)           Mac=AEAD
DHE-RSA-AES256-CCM8            TLSv1.2 Kx=DH       Au=RSA 
Enc=AESCCM8(256)           Mac=AEAD
ECDHE-ECDSA-AES128-CCM8        TLSv1.2 Kx=ECDH     Au=ECDSA 
Enc=AESCCM8(128)           Mac=AEAD
ECDHE-ECDSA-AES256-CCM8        TLSv1.2 Kx=ECDH     Au=ECDSA 
Enc=AESCCM8(256)           Mac=AEAD
PSK-AES128-CCM8                TLSv1.2 Kx=PSK      Au=PSK 
Enc=AESCCM8(128)           Mac=AEAD
PSK-AES256-CCM8                TLSv1.2 Kx=PSK      Au=PSK 
Enc=AESCCM8(256)           Mac=AEAD


It seems these are the same ciphers that changed from MEDIUM to high.

Our change lowering those ciphers to MEDIUM in our code was

https://github.com/apache/tomcat/commit/4e20c36e399a61ad173f850fcb7acc863ea4b076

which seems to have been triggered by the OpenSSL changes

https://github.com/openssl/openssl/commit/1a473d1cc67e04ae9fea517b36dc332143250cf5

https://github.com/openssl/openssl/commit/56ffcce492ffc6f36b2f0d9431e23febe054dd04

https://github.com/openssl/openssl/commit/e07102220afe4059bc45aa3d7073b7678329e26e


But these changes on the OpenSSL main branch are not part of the 3.1 
branch.


Best regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org























					Reply via email to