This is an automated email from the ASF dual-hosted git repository.

dsoumis pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 61b4012ace Add TLS version mismatch tests to TestSSLHostConfigProtocol 
to verify handshake failure when server and client support different protocol 
versions
61b4012ace is described below

commit 61b4012ace1005c8d215af13aba2bead17d0db89
Author: Dimitris Soumis <[email protected]>
AuthorDate: Tue Mar 31 16:19:30 2026 +0300

    Add TLS version mismatch tests to TestSSLHostConfigProtocol to verify 
handshake failure when server and client support different protocol versions
---
 .../tomcat/util/net/TestSSLHostConfigProtocol.java | 44 ++++++++++++++++++++++
 test/org/apache/tomcat/util/net/TesterSupport.java | 13 +++++++
 2 files changed, 57 insertions(+)

diff --git a/test/org/apache/tomcat/util/net/TestSSLHostConfigProtocol.java 
b/test/org/apache/tomcat/util/net/TestSSLHostConfigProtocol.java
index 2db6cde512..b90d5a59d0 100644
--- a/test/org/apache/tomcat/util/net/TestSSLHostConfigProtocol.java
+++ b/test/org/apache/tomcat/util/net/TestSSLHostConfigProtocol.java
@@ -20,12 +20,18 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.TrustManager;
+
 import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
 import org.junit.runners.Parameterized.Parameter;
 
+import org.apache.catalina.Context;
 import org.apache.catalina.connector.Connector;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
@@ -95,6 +101,44 @@ public class TestSSLHostConfigProtocol extends 
TomcatBaseTest {
         Assert.assertEquals("TLSv1.2", enabledProtocols[0]);
     }
 
+    @Test(expected = SSLHandshakeException.class)
+    public void testTlsVersionMismatchServerTls13ClientTls12() throws 
Exception {
+        SSLHostConfig sslHostConfig = getSSLHostConfig();
+        sslHostConfig.setProtocols(Constants.SSL_PROTO_TLSv1_3);
+
+        Context ctx = getProgrammaticRootContext();
+        Tomcat.addServlet(ctx, "hello", new HelloWorldServlet());
+        ctx.addServletMappingDecoded("/", "hello");
+
+        Tomcat tomcat = getTomcatInstance();
+        tomcat.start();
+
+        TesterSupport.configureClientSsl(true);
+
+        getUrl("https://localhost:"; + getPort() + "/");
+    }
+
+    @Test(expected = SSLHandshakeException.class)
+    public void testTlsVersionMismatchServerTls12ClientTls13() throws 
Exception {
+        SSLHostConfig sslHostConfig = getSSLHostConfig();
+        sslHostConfig.setProtocols(Constants.SSL_PROTO_TLSv1_2);
+
+        Context ctx = getProgrammaticRootContext();
+        Tomcat.addServlet(ctx, "hello", new HelloWorldServlet());
+        ctx.addServletMappingDecoded("/", "hello");
+
+        Tomcat tomcat = getTomcatInstance();
+        tomcat.start();
+
+        SSLContext sc = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3);
+        sc.init(null, new TrustManager[] { new TesterSupport.TrustAllCerts() 
}, null);
+        TesterSupport.ClientSSLSocketFactory clientSSLSocketFactory = new 
TesterSupport.ClientSSLSocketFactory(sc.getSocketFactory());
+        clientSSLSocketFactory.setProtocols(new String[] { 
Constants.SSL_PROTO_TLSv1_3 });
+        HttpsURLConnection.setDefaultSSLSocketFactory(clientSSLSocketFactory);
+
+        getUrl("https://localhost:"; + getPort() + "/");
+    }
+
 
     private SSLHostConfig getSSLHostConfig() {
         Tomcat tomcat = getTomcatInstance();
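Review bot: `@Test(expected = SSLHandshakeException.class)` on both new tests is satisfied by a handshake failure from any cause, so a certificate, cipher or provider problem would pass as a protocol-version mismatch. Scoping the expectation to the request makes the intent explicit, if the JUnit version in use provides it: `Assert.assertThrows(SSLHandshakeException.class, () -> getUrl("https://localhost:" + getPort() + "/"));`. In testTlsVersionMismatchServerTls12ClientTls13, `HttpsURLConnection.setDefaultSSLSocketFactory(clientSSLSocketFactory)` replaces the JVM-wide default with a trust-all, TLSv1.3-only factory, and nothing visible in the hunk restores it. Later tests in the same JVM may therefore inherit it, which saving the previous default and resetting it in a `finally` would contain. Neither test skips on a runtime without TLSv1.3, where setup would presumably fail with a different exception, so an `Assume` on TLS 1.3 availability would turn that into a skip rather than a failure.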
diff --git a/test/org/apache/tomcat/util/net/TesterSupport.java 
b/test/org/apache/tomcat/util/net/TesterSupport.java
index 89c9b88319..ec3373b957 100644
--- a/test/org/apache/tomcat/util/net/TesterSupport.java
+++ b/test/org/apache/tomcat/util/net/TesterSupport.java
@@ -678,6 +678,7 @@ public final class TesterSupport {
         private final SSLSocketFactory delegate;
 
         private String[] ciphers = null;
+        private String[] protocols = null;
 
 
         public ClientSSLSocketFactory(SSLSocketFactory delegate) {
@@ -693,6 +694,15 @@ public final class TesterSupport {
             this.ciphers = ciphers;
         }
 
+        /**
+         * Forces the use of the specified protocols.
+         *
+         * @param protocols Array of standard protocols to use
+         */
+        public void setProtocols(String[] protocols) {
+            this.protocols = protocols;
+        }
+
         @Override
         public Socket createSocket(Socket s, String host, int port, boolean 
autoClose) throws IOException {
             Socket result = delegate.createSocket(s, host, port, autoClose);
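Review bot: The Javadoc on `setProtocols` does not say what `null` means or when the names are validated. From the later hunk, `null` leaves the socket's enabled protocols untouched, and the array is only handed to `SSLSocket.setEnabledProtocols` at socket creation, so an unsupported name surfaces there as an `IllegalArgumentException` rather than in the setter. I would extend the comment to `@param protocols protocol names to enable on every created socket, or {@code null} to keep the delegate's defaults; validated when a socket is created`. The setter also keeps the caller's array by reference, as the `ciphers` assignment above it does, so `this.protocols = protocols == null ? null : protocols.clone();` would guard against later mutation. The `createSocket` body that follows continues outside the hunk.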
@@ -744,6 +754,9 @@ public final class TesterSupport {
             if (ciphers != null) {
                 ((SSLSocket) socket).setEnabledCipherSuites(ciphers);
             }
+            if (protocols != null) {
+                ((SSLSocket) socket).setEnabledProtocols(protocols);
+            }
             return socket;
         }
     }

