This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 5f01166625 Fix TLS group configuration with OpenSSL + Native
5f01166625 is described below
commit 5f01166625e90a41124e57944f36a04833a62928
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 15 18:16:19 2026 +0100
Fix TLS group configuration with OpenSSL + Native
---
java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java | 4 ++++
java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java | 9 +++++++++
webapps/docs/changelog.xml | 5 +++++
3 files changed, 18 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
index c6215c1661..4ceb6b3ca9 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
@@ -34,6 +34,10 @@ public class OpenSSLConfCmd implements Serializable {
/** Sets OCSP verify flags. */
public static final String OCSP_VERIFY_FLAGS = "OCSP_VERIFY_FLAGS";
+ // Standard commands used internally by Tomcat. May also be used by users.
+ /** Sets TLS groups. */
+ public static final String GROUPS = "groups";
+
@Serial
private static final long serialVersionUID = 1L;
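Review bot: The Javadoc on the new GROUPS constant says only `Sets TLS groups.`, yet the value is built elsewhere in this commit as a colon-separated list (`getGroups().replace(',', ':')` in OpenSSLContext), so the expected format belongs on the constant for anyone issuing the command through OpenSSLConf directly: `/** Sets TLS groups. Value is a colon-separated list of group names, as expected by OpenSSL's SSL_CONF interface. */`. The existing constants in this class carry upper-case string values while this one is the lower-case `"groups"`; that appears intentional because it is an OpenSSL command name rather than a Tomcat Native-specific flag, but a one-line comment saying so would stop a later "tidy-up" from breaking it. The new section comment `Standard commands used internally by Tomcat. May also be used by users.` reads better with a blank line before it so the grouping is visible.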
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index b1da97f139..49f38fb241 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -126,6 +126,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
*/
sslHostConfig.setOpenSslConf(new OpenSSLConf());
}
+ // Groups list is also passed via OpenSSLConf
+ if (sslHostConfig.getOpenSslConf() == null &&
sslHostConfig.getGroupList() != null) {
+ sslHostConfig.setOpenSslConf(new OpenSSLConf());
+ }
if (sslHostConfig.getOpenSslConf() != null) {
try {
if (log.isTraceEnabled()) {
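Review bot: The new guard repeats the creation of an OpenSSLConf that the lines just above already perform under another condition (only the tail of that block is visible here), so the set of settings that force a conf object is now spread over two `if` blocks; folding the new test into the existing condition, e.g. `if (sslHostConfig.getOpenSslConf() == null && (<existing condition> || sslHostConfig.getGroupList() != null))`, keeps the trigger list in one place. The added comment `Groups list is also passed via OpenSSLConf` would be more useful stating the reason: `// Groups are applied through the OpenSSLConf command mechanism, so a conf object is needed even when none was configured`. The enclosing method starts and ends outside this hunk.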
@@ -413,6 +417,11 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
Integer.toString(sslHostConfig.getOcspVerifyFlags())));
}
+ if (sslHostConfig.getGroupList() != null) {
+ sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.GROUPS,
+ sslHostConfig.getGroups().replace(',', ':')));
+ }
+
if (negotiableProtocols != null && !negotiableProtocols.isEmpty())
{
List<String> protocols = new ArrayList<>(negotiableProtocols);
protocols.add("http/1.1");
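Review bot: The guard tests `sslHostConfig.getGroupList() != null` but the value handed to the command comes from `sslHostConfig.getGroups()`, so the null-check and the value are taken from two different accessors; if they can ever disagree (getGroups() null or empty while getGroupList() is set), the `.replace` call throws an NPE or an empty Groups command is issued, so guarding and reading the same accessor is safer, e.g. `String groups = sslHostConfig.getGroups(); if (groups != null) { ... }`. The `replace(',', ':')` conversion also keeps any whitespace around the separators (a value typed as `X25519, P-256` becomes `X25519: P-256`), which OpenSSL may reject; stripping each element, or joining `getGroupList()` with `:` if it is already a parsed list, avoids depending on how the attribute was written. The error path for a rejected command lies outside this hunk, and it is worth confirming that a bad Groups value fails connector start rather than silently leaving OpenSSL's default groups in place, since silent fallback to defaults is exactly what this fix is correcting. The enclosing method starts and ends outside this hunk.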
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2181f84ce9..f8b0ff2b98 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -134,6 +134,11 @@
Log a suitable warning if an encrypted PEM file is detected using an
insecure form for encryption. (markt)
</add>
+ <fix>
+ If TLS groups have been configured, use the configured groups rather
+ than using OpenSSL's default TLS groups when using Tomcat Native with
+ OpenSSL based connectors. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Cluster">