ChristopherSchultz commented on code in PR #973:
URL: https://github.com/apache/tomcat/pull/973#discussion_r3016159052


##########
test/org/apache/tomcat/util/net/TestSSLHostConfigProtocol.java:
##########
@@ -95,6 +101,44 @@ private void doTestIgnoreProtocol(String protocol) throws 
Exception {
         Assert.assertEquals("TLSv1.2", enabledProtocols[0]);
     }
 
+    @Test(expected = SSLHandshakeException.class)
+    public void testTlsVersionMismatchServerTls13ClientTls12() throws 
Exception {
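Review bot: `@Test(expected = SSLHandshakeException.class)` on `testTlsVersionMismatchServerTls13ClientTls12` covers the whole method body, so the test passes if that exception is thrown anywhere in the method and for any reason, not only for a protocol version mismatch. Consider narrowing the expectation to the single connection attempt, for example with `Assert.assertThrows(SSLHandshakeException.class, () -> ...)` around that call, so that only the handshake under test can satisfy it.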

Review Comment:
   This method doesn't set the client protocols; only the server. Can we make 
this explicit for the test?



##########
test/org/apache/tomcat/util/net/TestSSLHostConfigProtocol.java:
##########
@@ -95,6 +101,44 @@ private void doTestIgnoreProtocol(String protocol) throws 
Exception {
         Assert.assertEquals("TLSv1.2", enabledProtocols[0]);
     }
 
+    @Test(expected = SSLHandshakeException.class)
+    public void testTlsVersionMismatchServerTls13ClientTls12() throws 
Exception {
+        SSLHostConfig sslHostConfig = getSSLHostConfig();
+        sslHostConfig.setProtocols(Constants.SSL_PROTO_TLSv1_3);
+
+        Context ctx = getProgrammaticRootContext();
+        Tomcat.addServlet(ctx, "hello", new HelloWorldServlet());
+        ctx.addServletMappingDecoded("/", "hello");
+
+        Tomcat tomcat = getTomcatInstance();
+        tomcat.start();
+
+        TesterSupport.configureClientSsl(true);
+
+        getUrl("https://localhost:"; + getPort() + "/");
+    }
+
+    @Test(expected = SSLHandshakeException.class)
+    public void testTlsVersionMismatchServerTls12ClientTls13() throws 
Exception {
+        SSLHostConfig sslHostConfig = getSSLHostConfig();
+        sslHostConfig.setProtocols(Constants.SSL_PROTO_TLSv1_2);
+
+        Context ctx = getProgrammaticRootContext();
+        Tomcat.addServlet(ctx, "hello", new HelloWorldServlet());
+        ctx.addServletMappingDecoded("/", "hello");
+
+        Tomcat tomcat = getTomcatInstance();
+        tomcat.start();
+
+        SSLContext sc = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3);
+        sc.init(null, new TrustManager[] { new TesterSupport.TrustAllCerts() 
}, null);
+        TesterSupport.ClientSSLSocketFactory clientSSLSocketFactory = new 
TesterSupport.ClientSSLSocketFactory(sc.getSocketFactory());
+        clientSSLSocketFactory.setProtocols(new String[] { 
Constants.SSL_PROTO_TLSv1_3 });
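Review bot: the server setup in `testTlsVersionMismatchServerTls12ClientTls13` (from `getSSLHostConfig()` through `tomcat.start()`) repeats that of `testTlsVersionMismatchServerTls13ClientTls12` line for line, differing only in the constant passed to `setProtocols`. Extracting a private helper that takes the server protocol would keep the two tests in step and leave each body showing just the server and client protocol choices. The hunk also adds only failing cases; a companion case using the same helper with matching versions on both sides and a successful request would show that the failures come from the version mismatch rather than from trust or cipher configuration.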

Review Comment:
   Client and server have different style interfaces (SSLHostConfig String vs 
TesterSupport String[]). Is this intentional? Is it good/okay, or should we 
align them?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.