This is an automated email from the ASF dual-hosted git repository. markt-asf pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 5a2f297dc5688581922728902344cca093ae7dd8
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 15 18:16:19 2026 +0100
Fix TLS group configuration with OpenSSL + Native
---
 java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java | 4 ++++
 java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java | 9 +++++++++
 webapps/docs/changelog.xml | 5 +++++
 3 files changed, 18 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
index c6215c1661..4ceb6b3ca9 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
@@ -34,6 +34,10 @@ public class OpenSSLConfCmd implements Serializable {
 /** Sets OCSP verify flags. */
 public static final String OCSP_VERIFY_FLAGS = "OCSP_VERIFY_FLAGS";
+ // Standard commands used internally by Tomcat. May also be used by users.
+ /** Sets TLS groups. */
+ public static final String GROUPS = "groups";
+
 @Serial
 private static final long serialVersionUID = 1L;
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index b1da97f139..49f38fb241 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -126,6 +126,10 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 */
 sslHostConfig.setOpenSslConf(new OpenSSLConf());
 }
+ // Groups list is also passed via OpenSSLConf
+ if (sslHostConfig.getOpenSslConf() == null && sslHostConfig.getGroupList() != null) {
+ sslHostConfig.setOpenSslConf(new OpenSSLConf());
+ }
 if (sslHostConfig.getOpenSslConf() != null) {
 try {
 if (log.isTraceEnabled()) {
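Review bot: The Javadoc on the new `GROUPS` constant should state the value format the command expects, because callers assemble that value themselves — the second OpenSSLContext hunk passes a colon-separated list, which is what OpenSSL's SSL_CONF_cmd `Groups` command takes. Suggested: `/** Sets the TLS groups (key-exchange curves/KEMs) offered by OpenSSL; the value is a colon-separated list of OpenSSL group names, e.g. {@code X25519:secp256r1}. */`. OpenSSL matches file-style command names case-insensitively as far as I know, so the lowercase `groups` should be equivalent to `Groups`; a short note to that effect would help users who set the same command through OpenSSLConf, which the new comment says is allowed.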
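Review bot: The new create-if-null block repeats the `sslHostConfig.setOpenSslConf(new OpenSSLConf())` that the immediately preceding context lines already perform, so a reader sees two consecutive blocks that differ only in their trigger. If the preceding block's condition has the same `getOpenSslConf() == null && <setting present>` shape, folding the groups test into it — e.g. appending `|| sslHostConfig.getGroupList() != null` to that condition — keeps a single place where the conf is implicitly created and lets the `// Groups list is also passed via OpenSSLConf` comment cover both cases. Either way, a comment saying why the conf is created here (the `groups` command added roughly 290 lines further down needs a non-null `getOpenSslConf()`) would spare the next maintainer the search. The enclosing method starts before and continues after this hunk.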
@@ -413,6 +417,11 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext {
 Integer.toString(sslHostConfig.getOcspVerifyFlags())));
 }
+ if (sslHostConfig.getGroupList() != null) {
+ sslHostConfig.getOpenSslConf().addCmd(new OpenSSLConfCmd(OpenSSLConfCmd.GROUPS,
+ sslHostConfig.getGroups().replace(',', ':')));
+ }
+
 if (negotiableProtocols != null && !negotiableProtocols.isEmpty()) {
 List<String> protocols = new ArrayList<>(negotiableProtocols);
 protocols.add("http/1.1");
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 58cb4aca8a..823d364e5b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -262,6 +262,11 @@
 Log a suitable warning if an encrypted PEM file is detected using an insecure form for encryption. (markt)
 </add>
+ <fix>
+ If TLS groups have been configured, use the configured groups rather
+ than using OpenSSL's default TLS groups when using Tomcat Native with
+ OpenSSL based connectors. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
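Review bot: The guard tests `getGroupList()` but the value handed to OpenSSL is the raw `getGroups()` string with commas swapped for colons, so whitespace or an empty attribute (`groups=""`, `groups="X25519, secp256r1"`) reaches the `groups` conf command verbatim, where a group name with a leading space is presumably rejected and would make context creation fail for a configuration that looks valid. If `getGroupList()` is the parsed and trimmed form, building the value from it keeps guard and payload consistent: `String.join(":", sslHostConfig.getGroupList())`, with the guard extended to `!= null && !sslHostConfig.getGroupList().isEmpty()`. Separately, nothing here checks whether a user-supplied OpenSSLConf already carries a `groups` command (the new constant's comment says users may set it), so two commands can be issued and which one wins depends on the order SSL_CONF_cmd applies them — worth a comment, or a check if OpenSSLConf exposes its command list. The enclosing method begins before this hunk and continues after it.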
