remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 9bc9a8665e Make TLS 1.2 explicit for SSLHostConfigCompat
9bc9a8665e is described below
commit 9bc9a8665eac72d3f05f11944d25d7d24bf3e43f
Author: remm <[email protected]>
AuthorDate: Thu Sep 25 14:41:21 2025 +0200
Make TLS 1.2 explicit for SSLHostConfigCompat
The test uses TLS 1.2 cipher suites. This makes JSSE use TLS 1.2
automatically.
Make it more explicit however for better understanding.
Add a hook to configure TLS 1.2, this can always be useful.
---
.../tomcat/util/net/TestSSLHostConfigCompat.java | 22 +++++++++++-----------
test/org/apache/tomcat/util/net/TesterSupport.java | 6 +++++-
2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java
b/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java
index 20726a93dc..9290031c4b 100644
--- a/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java
+++ b/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java
@@ -106,7 +106,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
configureHostEC();
// Configure cipher suite that requires an RSA certificate on the
server
- ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl();
+ ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl(true);
clientSSLSocketFactory.setCipher(new String[]
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
doTest(false);
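Review bot: The bare `true` in `TesterSupport.configureClientSsl(true)` does not tell a reader of the test what is being switched on, and the same applies to the identical call in each of the following hunks of this file. Since the stated goal of the commit is to make the TLS 1.2 dependency explicit, I would extend the existing comment at each call, e.g. `// Force TLS 1.2: the suite below is a TLS 1.2 suite; TLS 1.3 suites do not depend on the certificate type`. The enclosing test methods start and end outside the hunks.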
@@ -123,7 +123,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
configureHostRSA();
// Configure cipher suite that requires an RSA certificate on the
server
- ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl();
+ ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl(true);
clientSSLSocketFactory.setCipher(new String[]
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
doTest(false);
@@ -140,7 +140,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
configureHostEC();
// Configure cipher suite that requires an EC certificate on the server
- ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl();
+ ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl(true);
clientSSLSocketFactory.setCipher(new String[]
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
doTest(false);
@@ -157,7 +157,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
configureHostRSA();
// Configure cipher suite that requires an EC certificate on the server
- ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl();
+ ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl(true);
clientSSLSocketFactory.setCipher(new String[]
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
doTest(false);
@@ -169,7 +169,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
configureHostRSA();
// Configure cipher suite that requires an RSA certificate on the
server
- ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl();
+ ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl(true);
clientSSLSocketFactory.setCipher(new String[]
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
doTest(false);
@@ -181,7 +181,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
configureHostRSA();
// Configure cipher suite that requires an EC certificate on the server
- ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl();
+ ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl(true);
clientSSLSocketFactory.setCipher(new String[]
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
doTest(false);
@@ -193,7 +193,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
configureHostRSA();
// Configure cipher suite that requires an EC certificate on the server
- ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl();
+ ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl(true);
clientSSLSocketFactory.setCipher(new String[] {
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
@@ -207,7 +207,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
configureHostEC();
// Configure cipher suite that requires an RSA certificate on the
server
- ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl();
+ ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl(true);
clientSSLSocketFactory.setCipher(new String[]
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
doTest(false);
@@ -219,7 +219,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
configureHostEC();
// Configure cipher suite that requires an EC certificate on the server
- ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl();
+ ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl(true);
clientSSLSocketFactory.setCipher(new String[]
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
doTest(false);
@@ -231,7 +231,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
configureHostEC();
// Configure cipher suite that requires an RSA certificate on the
server
- ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl();
+ ClientSSLSocketFactory clientSSLSocketFactory =
TesterSupport.configureClientSsl(true);
clientSSLSocketFactory.setCipher(new String[] {
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
@@ -292,7 +292,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest
{
private void doTest(boolean configureClientSsl) throws Exception {
if (configureClientSsl) {
- TesterSupport.configureClientSsl();
+ TesterSupport.configureClientSsl(true);
}
Tomcat tomcat = getTomcatInstance();
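Review bot: In `doTest` the client is now capped at TLS 1.2 on a path that sets no cipher suites in the visible lines, so the commit message's reasoning (TLS 1.2 suites already imply TLS 1.2) does not obviously cover it. Before this change `configureClientSsl()` chose the TLS 1.3 context whenever `TLSV13_AVAILABLE` was set, so tests calling `doTest(true)` may lose TLS 1.3 coverage. Whether the server side of those tests is limited to TLS 1.2 is not visible here. If the cap is intended, a one-line comment above `TesterSupport.configureClientSsl(true);` giving the reason would help; otherwise this path could keep `TesterSupport.configureClientSsl();`. The rest of `doTest` lies outside the hunk.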
diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java
b/test/org/apache/tomcat/util/net/TesterSupport.java
index a2d0b929e4..cd1e3d0ded 100644
--- a/test/org/apache/tomcat/util/net/TesterSupport.java
+++ b/test/org/apache/tomcat/util/net/TesterSupport.java
@@ -178,10 +178,14 @@ public final class TesterSupport {
}
public static ClientSSLSocketFactory configureClientSsl() {
+ return configureClientSsl(false);
+ }
+
+ public static ClientSSLSocketFactory configureClientSsl(boolean
forceTls12) {
ClientSSLSocketFactory clientSSLSocketFactory = null;
try {
SSLContext sc;
- if (TLSV13_AVAILABLE) {
+ if (TLSV13_AVAILABLE && !forceTls12) {
sc = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3);
} else {
sc = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_2);
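Review bot: The new `configureClientSsl(boolean forceTls12)` overload has no Javadoc, and the parameter name promises more than the visible code does: it only selects `SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_2)` instead of the TLS 1.3 context. As far as I know, with the default JSSE provider that choice sets an upper bound on the negotiated version rather than pinning it, so versions below TLS 1.2 are kept out only by the JDK's disabled-algorithms policy. I would add a Javadoc saying that `true` selects the TLS 1.2 context (a ceiling, not an exact version). If a test needs exactly TLS 1.2, it should also call `setEnabledProtocols(new String[] { "TLSv1.2" })` on the sockets it creates. The method body continues past the end of the hunk.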