This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 29f5680411 Make TLS 1.2 explicit for SSLHostConfigCompat
29f5680411 is described below

commit 29f5680411f53dc7157ce170cbb8c140593cbb17
Author: remm <[email protected]>
AuthorDate: Thu Sep 25 14:41:21 2025 +0200

    Make TLS 1.2 explicit for SSLHostConfigCompat
    
    The test uses TLS 1.2 cipher suites. This makes JSSE use TLS 1.2
    automatically.
    Make it explicit anyway, so that the test is easier to understand.
    Add a hook to configure TLS 1.2; this can always be useful.
---
 .../tomcat/util/net/TestSSLHostConfigCompat.java   | 22 +++++++++++-----------
 test/org/apache/tomcat/util/net/TesterSupport.java |  8 ++++++--
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java 
b/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java
index f22943aa3f..e43fde7f9a 100644
--- a/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java
+++ b/test/org/apache/tomcat/util/net/TestSSLHostConfigCompat.java
@@ -106,7 +106,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
         configureHostEC();
 
         // Configure cipher suite that requires an RSA certificate on the 
server
-        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl(true);
         clientSSLSocketFactory.setCipher(new String[] 
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
 
         doTest(false);
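Review bot: The bare `true` passed to `TesterSupport.configureClientSsl(true)` does not tell a reader of the test what it selects, and the comment above it still mentions only the certificate type. A short comment at the call would carry the reason given in the commit message, for example `// TLS 1.2 cipher suite: create the client context for TLS 1.2 explicitly`. The same applies to the other call sites changed in this file, in the hunks at lines 123, 140, 157, 169, 181, 193, 207, 219 and 231. The enclosing test methods start and end outside these hunks.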
@@ -123,7 +123,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
         configureHostRSA();
 
         // Configure cipher suite that requires an RSA certificate on the 
server
-        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl(true);
         clientSSLSocketFactory.setCipher(new String[] 
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
 
         doTest(false);
@@ -140,7 +140,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
         configureHostEC();
 
         // Configure cipher suite that requires an EC certificate on the server
-        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl(true);
         clientSSLSocketFactory.setCipher(new String[] 
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
 
         doTest(false);
@@ -157,7 +157,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
         configureHostRSA();
 
         // Configure cipher suite that requires an EC certificate on the server
-        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl(true);
         clientSSLSocketFactory.setCipher(new String[] 
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
 
         doTest(false);
@@ -169,7 +169,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
         configureHostRSA();
 
         // Configure cipher suite that requires an RSA certificate on the 
server
-        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl(true);
         clientSSLSocketFactory.setCipher(new String[] 
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
 
         doTest(false);
@@ -181,7 +181,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
         configureHostRSA();
 
         // Configure cipher suite that requires an EC certificate on the server
-        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl(true);
         clientSSLSocketFactory.setCipher(new String[] 
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
 
         doTest(false);
@@ -193,7 +193,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
         configureHostRSA();
 
         // Configure cipher suite that requires an EC certificate on the server
-        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl(true);
         clientSSLSocketFactory.setCipher(new String[] {
                 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
@@ -207,7 +207,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
         configureHostEC();
 
         // Configure cipher suite that requires an RSA certificate on the 
server
-        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl(true);
         clientSSLSocketFactory.setCipher(new String[] 
{"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"});
 
         doTest(false);
@@ -219,7 +219,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
         configureHostEC();
 
         // Configure cipher suite that requires an EC certificate on the server
-        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl(true);
         clientSSLSocketFactory.setCipher(new String[] 
{"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
 
         doTest(false);
@@ -231,7 +231,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
         configureHostEC();
 
         // Configure cipher suite that requires an RSA certificate on the 
server
-        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl();
+        ClientSSLSocketFactory clientSSLSocketFactory = 
TesterSupport.configureClientSsl(true);
         clientSSLSocketFactory.setCipher(new String[] {
                 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
                 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"});
@@ -288,7 +288,7 @@ public class TestSSLHostConfigCompat extends TomcatBaseTest 
{
 
     private void doTest(boolean configureClientSsl) throws Exception {
         if (configureClientSsl) {
-            TesterSupport.configureClientSsl();
+            TesterSupport.configureClientSsl(true);
         }
 
         Tomcat tomcat = getTomcatInstance();
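Review bot: Switching the call inside `doTest(boolean configureClientSsl)` to `configureClientSsl(true)` means every test that reaches this branch now gets a TLS 1.2 client context. That includes tests that set no TLS 1.2 cipher suite themselves and may previously have negotiated TLS 1.3 where it was available. The callers that pass `true` are outside the hunk, so this should be confirmed, but if they exist the class no longer exercises the server's TLS 1.3 path with the default client configuration. If that loss of coverage is intended, a comment would record it, for example `// Cap the client at TLS 1.2 so all tests in this class negotiate the same protocol`. Otherwise keep `TesterSupport.configureClientSsl()` here and pass `true` only in the tests that pin a TLS 1.2 suite.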
diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java 
b/test/org/apache/tomcat/util/net/TesterSupport.java
index 1552b23800..684980afd3 100644
--- a/test/org/apache/tomcat/util/net/TesterSupport.java
+++ b/test/org/apache/tomcat/util/net/TesterSupport.java
@@ -175,11 +175,15 @@ public final class TesterSupport {
     }
 
     public static ClientSSLSocketFactory configureClientSsl() {
+        return configureClientSsl(false);
+    }
+
+    public static ClientSSLSocketFactory configureClientSsl(boolean 
forceTls12) {
         ClientSSLSocketFactory clientSSLSocketFactory = null;
         try {
             SSLContext sc;
-            if (TLSV13_AVAILABLE) {
-                 sc = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3);
+            if (TLSV13_AVAILABLE && !forceTls12) {
+                sc = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3);
             } else {
                 sc = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_2);
             }
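Review bot: The new public overload `configureClientSsl(boolean forceTls12)` has no Javadoc, and the parameter name promises more than the visible code does. The flag only makes the method call `SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_2)`. With the default JSSE provider that context, as far as I know, sets TLS 1.2 as the highest client protocol rather than the only one, so older versions remain enabled unless the JDK's disabled-algorithms policy removes them. A Javadoc line would state the actual contract, for example `@param forceTls12 if true, create the client context for TLS 1.2 even when TLS 1.3 is available (caps the protocol version, does not pin it)`. If a test needs exactly TLS 1.2, it would also have to restrict the enabled protocols on the socket. The method body continues outside the hunk.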

