dsoumis commented on code in PR #973:
URL: https://github.com/apache/tomcat/pull/973#discussion_r3016348531
##########
test/org/apache/tomcat/util/net/TestSSLHostConfigProtocol.java:
##########
@@ -95,6 +101,44 @@ private void doTestIgnoreProtocol(String protocol) throws
Exception {
Assert.assertEquals("TLSv1.2", enabledProtocols[0]);
}
+ @Test(expected = SSLHandshakeException.class)
+ public void testTlsVersionMismatchServerTls13ClientTls12() throws
Exception {
+ SSLHostConfig sslHostConfig = getSSLHostConfig();
+ sslHostConfig.setProtocols(Constants.SSL_PROTO_TLSv1_3);
+
+ Context ctx = getProgrammaticRootContext();
+ Tomcat.addServlet(ctx, "hello", new HelloWorldServlet());
+ ctx.addServletMappingDecoded("/", "hello");
+
+ Tomcat tomcat = getTomcatInstance();
+ tomcat.start();
+
+ TesterSupport.configureClientSsl(true);
+
+ getUrl("https://localhost:" + getPort() + "/");
+ }
+
+ @Test(expected = SSLHandshakeException.class)
+ public void testTlsVersionMismatchServerTls12ClientTls13() throws
Exception {
+ SSLHostConfig sslHostConfig = getSSLHostConfig();
+ sslHostConfig.setProtocols(Constants.SSL_PROTO_TLSv1_2);
+
+ Context ctx = getProgrammaticRootContext();
+ Tomcat.addServlet(ctx, "hello", new HelloWorldServlet());
+ ctx.addServletMappingDecoded("/", "hello");
+
+ Tomcat tomcat = getTomcatInstance();
+ tomcat.start();
+
+ SSLContext sc = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3);
+ sc.init(null, new TrustManager[] { new TesterSupport.TrustAllCerts()
}, null);
+ TesterSupport.ClientSSLSocketFactory clientSSLSocketFactory = new
TesterSupport.ClientSSLSocketFactory(sc.getSocketFactory());
+ clientSSLSocketFactory.setProtocols(new String[] {
Constants.SSL_PROTO_TLSv1_3 });
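Review bot: `@Test(expected = SSLHandshakeException.class)` on both new tests accepts a handshake failure from any statement in the method and for any cause, so they would still pass if the connection were rejected for something other than the protocol-version mismatch they are named after (a certificate trust failure, for instance). Scoping the expectation to the request would pin where the failure occurs, as the first test's last statement shows: `Assert.assertThrows(SSLHandshakeException.class, () -> getUrl("https://localhost:" + getPort() + "/"));`. A companion case in which both sides share a protocol and the request succeeds would show that the rejection is caused by the mismatch, unless the file already has one outside this hunk. What `TesterSupport.configureClientSsl(true)` restricts the client to is not visible here, so the first test's client-side TLS 1.2 is inferred from the method name only; a short comment such as `// client is limited to TLSv1.2 by configureClientSsl` would make that explicit if it holds. The second test method continues beyond the quoted hunk.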
Review Comment:
It's intentional in the test scenario because
SSLSocket.setEnabledProtocols(String[] protocols) expects a String[].
SSLHostConfig.setProtocols(String input), on the other hand, parses the
values out of a single delimited string. I suppose we are good as it is.