(tomcat) branch main updated: Improve algorithm for possible edge cases

[remm]

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new c178a6135c Improve algorithm for possible edge cases
c178a6135c is described below

commit c178a6135cd95033359e8b42604e950a18bc11e5
Author: remm <r...@apache.org>
AuthorDate: Thu Sep 25 15:40:51 2025 +0200

    Improve algorithm for possible edge cases
    
    If no server groups and no client groups, do not setNamedGroups.
    If no client groups, use server groups.
---
 java/org/apache/tomcat/util/net/AbstractEndpoint.java | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/AbstractEndpoint.java 
b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
index a8adf955c2..923d0fa961 100644
--- a/java/org/apache/tomcat/util/net/AbstractEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractEndpoint.java
@@ -540,17 +540,24 @@ public abstract class AbstractEndpoint<S, U> {
         List<String> supportedGroups = new ArrayList<>();
         LinkedHashSet<Group> serverSupportedGroups = 
sslHostConfig.getGroupList();
         if (serverSupportedGroups != null) {
-            for (Group group : clientSupportedGroups) {
-                if (serverSupportedGroups.contains(group)) {
+            if (!clientSupportedGroups.isEmpty()) {
+                for (Group group : clientSupportedGroups) {
+                    if (serverSupportedGroups.contains(group)) {
+                        supportedGroups.add(group.toString());
+                    }
+                }
+            } else {
+                for (Group group : serverSupportedGroups) {
                     supportedGroups.add(group.toString());
                 }
             }
-        } else {
+            sslParameters.setNamedGroups(supportedGroups.toArray(new 
String[0]));
+        } else if (!clientSupportedGroups.isEmpty()) {
             for (Group group : clientSupportedGroups) {
                 supportedGroups.add(group.toString());
             }
+            sslParameters.setNamedGroups(supportedGroups.toArray(new 
String[0]));
         }
-        sslParameters.setNamedGroups(supportedGroups.toArray(new String[0]));
         switch (sslHostConfig.getCertificateVerification()) {
             case NONE:
                 sslParameters.setNeedClientAuth(false);


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org