markt pushed a commit to branch 1.3.x
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/1.3.x by this push:
new a015390a8 Refactor TLS 1.3 cipher suite configuration support
a015390a8 is described below
commit a015390a8947ba051d4766d75563833db14e37fd
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Dec 19 13:21:38 2025 +0000
Refactor TLS 1.3 cipher suite configuration support
Align SSL and SSLContext implementations
---
native/src/ssl.c | 77 +++++++++++++++++++++++++++++++------
native/src/sslcontext.c | 80 +++++++++++++++++++++++++--------------
xdocs/miscellaneous/changelog.xml | 11 +++++-
3 files changed, 128 insertions(+), 40 deletions(-)
diff --git a/native/src/ssl.c b/native/src/ssl.c
index 61a932644..335da50c6 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -1659,32 +1659,87 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL,
getCiphers)(TCN_STDARGS, jlong ssl)
}
TCN_IMPLEMENT_CALL(jboolean, SSL, setCipherSuites)(TCN_STDARGS, jlong ssl,
- jstring ciphers)
+ jstring cipherList)
{
- jboolean rv = JNI_TRUE;
SSL *ssl_ = J2P(ssl, SSL *);
- TCN_ALLOC_CSTRING(ciphers);
-
- UNREFERENCED_STDARGS;
+ TCN_ALLOC_CSTRING(cipherList);
+ jboolean rv = JNI_TRUE;
+ #ifndef HAVE_EXPORT_CIPHERS
+ size_t len;
+ char *buf;
+ #endif
+ UNREFERENCED(o);
if (ssl_ == NULL) {
- TCN_FREE_CSTRING(ciphers);
+ TCN_FREE_CSTRING(cipherList);
tcn_ThrowException(e, "ssl is null");
return JNI_FALSE;
}
+ if (!J2S(cipherList)) {
+ rv = JNI_FALSE;
+ goto free_cipherList;
+ }
+
+#ifndef HAVE_EXPORT_CIPHERS
+ /*
+ * Always disable NULL and export ciphers,
+ * no matter what was given in the config.
+ */
+ len = strlen(J2S(cipherList)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+ buf = malloc(len * sizeof(char *));
+ if (buf == NULL) {
+ rv = JNI_FALSE;
+ goto free_cipherList;
+ }
+ memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED,
strlen(SSL_CIPHERS_ALWAYS_DISABLED));
+ memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(cipherList),
strlen(J2S(cipherList)));
+ buf[len - 1] = '\0';
+ if (!SSL_set_cipher_list(ssl_, buf)) {
+#else
+ if (!SSL_set_cipher_list(ssl_, J2S(cipherList))) {
+#endif
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
+ tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
+ rv = JNI_FALSE;
+ }
+#ifndef HAVE_EXPORT_CIPHERS
+ free(buf);
+#endif
+free_cipherList:
+ TCN_FREE_CSTRING(cipherList);
+ return rv;
+}
+
+TCN_IMPLEMENT_CALL(jboolean, SSL, setCipherSuitesEx)(TCN_STDARGS, jlong ssl,
+ jstring cipherSuites)
+{
+ SSL *ssl_ = J2P(ssl, SSL *);
+ TCN_ALLOC_CSTRING(cipherSuites);
+ jboolean rv = JNI_TRUE;
UNREFERENCED(o);
- if (!J2S(ciphers)) {
- TCN_FREE_CSTRING(ciphers);
+
+ if (ssl_ == NULL) {
+ TCN_FREE_CSTRING(cipherSuites);
+ tcn_ThrowException(e, "ssl is null");
return JNI_FALSE;
}
- if (!SSL_set_cipher_list(ssl_, J2S(ciphers))) {
+
+ if (!J2S(cipherSuites)) {
+ rv = JNI_FALSE;
+ goto free_cipherSuites;
+ }
+
+ if (!SSL_set_ciphersuites(ssl_, J2S(cipherSuites))) {
char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
- tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
+ tcn_Throw(e, "Unable to configure permitted SSL cipher suites (%s)",
err);
rv = JNI_FALSE;
}
- TCN_FREE_CSTRING(ciphers);
+
+free_cipherSuites:
+ TCN_FREE_CSTRING(cipherSuites);
return rv;
}
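Review bot: `buf = malloc(len * sizeof(char *));` in the new `#ifndef HAVE_EXPORT_CIPHERS` branch of SSL.setCipherSuites sizes the buffer in pointer widths although `len` is already a byte count. That allocates several times what the two memcpy calls and the terminator need, and it adds a multiplication that could in principle wrap for an extremely long input. `buf = malloc(len);` is sufficient. The same expression appears as an unchanged context line in SSLContext.setCipherSuite in native/src/sslcontext.c, so both could be corrected together.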
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 577b86cbf..5ad137193 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -514,54 +514,46 @@ TCN_IMPLEMENT_CALL(void, SSLContext,
setQuietShutdown)(TCN_STDARGS, jlong ctx,
}
TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuite)(TCN_STDARGS, jlong
ctx,
- jstring ciphers)
+ jstring cipherList)
{
tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
- TCN_ALLOC_CSTRING(ciphers);
+ TCN_ALLOC_CSTRING(cipherList);
jboolean rv = JNI_TRUE;
- int minProtoVer = 0;
- int maxProtoVer = 0;
- int ciphersSet = 0;
#ifndef HAVE_EXPORT_CIPHERS
size_t len;
char *buf;
#endif
-
UNREFERENCED(o);
- TCN_ASSERT(ctx != 0);
- if (!J2S(ciphers))
+
+ if (c == NULL) {
+ TCN_FREE_CSTRING(cipherList);
+ tcn_ThrowException(e, "ssl context is null");
return JNI_FALSE;
+ }
- minProtoVer = SSL_CTX_get_min_proto_version(c->ctx);
- maxProtoVer = SSL_CTX_get_max_proto_version(c->ctx);
+ if (!J2S(cipherList)) {
+ rv = JNI_FALSE;
+ goto free_cipherList;
+ }
#ifndef HAVE_EXPORT_CIPHERS
/*
* Always disable NULL and export ciphers,
* no matter what was given in the config.
*/
- len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+ len = strlen(J2S(cipherList)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
buf = malloc(len * sizeof(char *));
- if (buf == NULL)
- return JNI_FALSE;
+ if (buf == NULL) {
+ rv = JNI_FALSE;
+ goto free_cipherList;
+ }
memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED,
strlen(SSL_CIPHERS_ALWAYS_DISABLED));
- memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(ciphers),
strlen(J2S(ciphers)));
+ memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(cipherList),
strlen(J2S(cipherList)));
buf[len - 1] = '\0';
+ if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
#else
- buf = (char*)J2S(ciphers);
+ if (!SSL_CTX_set_cipher_list(c->ctx, J2S(cipherList))) {
#endif
- /* OpenSSL will ignore any unknown cipher, but TLS 1.3 requires a call to
SSL_CTX_set_ciphersuites */
- if (minProtoVer <= TLS1_2_VERSION) {
- if (SSL_CTX_set_cipher_list(c->ctx, buf)) {
- ciphersSet = 1;
- }
- }
- if (maxProtoVer >= TLS1_3_VERSION) {
- if (SSL_CTX_set_ciphersuites(c->ctx, buf)) {
- ciphersSet = 1;
- }
- }
- if (!ciphersSet) {
char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
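Review bot: Nothing at SSLContext.setCipherSuite now says that it configures only the cipher list for TLSv1.2 and earlier. The removed comment about TLS 1.3 requiring SSL_CTX_set_ciphersuites was the only hint, and with the version-dependent branches gone a TLS 1.3 suite name passed here is no longer forwarded to that call. A short comment above the function would help callers, for example `/* Sets the cipher list for TLSv1.2 and earlier only; TLS 1.3 cipher suites are configured through setCipherSuitesEx. */`. The function body continues past the end of this hunk.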
@@ -570,7 +562,39 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext,
setCipherSuite)(TCN_STDARGS, jlong ctx,
#ifndef HAVE_EXPORT_CIPHERS
free(buf);
#endif
- TCN_FREE_CSTRING(ciphers);
+free_cipherList:
+ TCN_FREE_CSTRING(cipherList);
+ return rv;
+}
+
+TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuitesEx)(TCN_STDARGS, jlong
ctx,
+ jstring cipherSuites)
+{
+ tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
+ TCN_ALLOC_CSTRING(cipherSuites);
+ jboolean rv = JNI_TRUE;
+ UNREFERENCED(o);
+
+ if (c == NULL) {
+ TCN_FREE_CSTRING(cipherSuites);
+ tcn_ThrowException(e, "ssl context is null");
+ return JNI_FALSE;
+ }
+
+ if (!J2S(cipherSuites)) {
+ rv = JNI_FALSE;
+ goto free_cipherSuites;
+ }
+
+ if (SSL_CTX_set_ciphersuites(c->ctx, J2S(cipherSuites))) {
+ char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+ ERR_error_string_n(SSL_ERR_get(), err,
TCN_OPENSSL_ERROR_STRING_LENGTH);
+ tcn_Throw(e, "Unable to configure permitted SSL cipher suites (%s)",
err);
+ rv = JNI_FALSE;
+ }
+
+free_cipherSuites:
+ TCN_FREE_CSTRING(cipherSuites);
return rv;
}
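Review bot: The check on `SSL_CTX_set_ciphersuites` in SSLContext.setCipherSuitesEx is missing its negation. OpenSSL returns 1 on success and 0 on failure, so as written a successful call throws "Unable to configure permitted SSL cipher suites" and returns JNI_FALSE, while a rejected suite string returns JNI_TRUE with no exception and leaves the context on whatever TLS 1.3 suites it had before. The SSL variant in native/src/ssl.c tests `!SSL_set_ciphersuites(...)`, and this one should match: `if (!SSL_CTX_set_ciphersuites(c->ctx, J2S(cipherSuites))) {`. A caller that trusts the return value would otherwise believe a restricted suite list is in force when it is not.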
diff --git a/xdocs/miscellaneous/changelog.xml
b/xdocs/miscellaneous/changelog.xml
index 1431038e1..2c2647673 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -31,7 +31,16 @@
started from the 1.2.39 tag.
</p>
</section>
-<section name="Changes in 1.3.2">
+<section name="Changes in 1.3.3">
+ <changelog>
+ <fix>
+ Refactor the addition of TLS 1.3 cipher suite configuration to avoid a
+ regression when running a version of Tomcat that pre-dates this change.
+ (markt)
+ </fix>
+ </changelog>
+</section>
+<section name="Changes in 1.3.2 (not released)">
<changelog>
<update>
Rename configure.in to modern autotools style configure.ac. (rjung)