This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 80cc63946e Fix TLS group configuration with OpenSSL + Native
80cc63946e is described below
commit 80cc63946e603be2d41d75d2c668eafc11e5e20c
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 15 18:16:19 2026 +0100
Fix TLS group configuration with OpenSSL + Native
---
java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java | 4 ++++
java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java | 9 +++++++++
webapps/docs/changelog.xml | 5 +++++
3 files changed, 18 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
index 3dd1948a7d..89dcd3ae5f 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLConfCmd.java
@@ -33,6 +33,10 @@ public class OpenSSLConfCmd implements Serializable {
/** Sets OCSP verify flags. */
public static final String OCSP_VERIFY_FLAGS = "OCSP_VERIFY_FLAGS";
+ // Standard commands used internally by Tomcat. May also be used by users.
+ /** Sets TLS groups. */
+ public static final String GROUPS = "groups";
+
private static final long serialVersionUID = 1L;
/** The command name. */
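Review bot: The Javadoc on the new public constant GROUPS does not state the value format the command expects, which matters because the section comment above it explicitly invites users to use the constant. The only caller on this page (OpenSSLContext) converts a comma-separated groups attribute to a colon-separated string before passing it, so that is the format a user would need to match. Suggest `/** Sets TLS groups. The value is a colon-separated list of group names. */`.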
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index d923a2cf98..81a89dcfb5 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -126,6 +126,10 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
*/
sslHostConfig.setOpenSslConf(new OpenSSLConf());
}
+ // Groups list is also passed via OpenSSLConf
+ if (sslHostConfig.getOpenSslConf() == null &&
sslHostConfig.getGroupList() != null) {
+ sslHostConfig.setOpenSslConf(new OpenSSLConf());
+ }
if (sslHostConfig.getOpenSslConf() != null) {
try {
if (log.isTraceEnabled()) {
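Review bot: The comment `// Groups list is also passed via OpenSSLConf` describes the mechanism but not why it is needed, and the reason is only recoverable from the commit title and changelog: with Tomcat Native the configured groups otherwise appear to be ignored in favour of OpenSSL's defaults. Suggest `// With Tomcat Native the groups attribute is not applied directly, so the configured groups are passed to OpenSSL as a conf command; ensure a conf object exists to carry it`. The enclosing method starts and ends outside the hunk.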
@@ -422,6 +426,11 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
Integer.toString(sslHostConfig.getOcspVerifyFlags())));
}
+ if (sslHostConfig.getGroupList() != null) {
+ sslHostConfig.getOpenSslConf().addCmd(new
OpenSSLConfCmd(OpenSSLConfCmd.GROUPS,
+ sslHostConfig.getGroups().replace(',', ':')));
+ }
+
if (negotiableProtocols != null && !negotiableProtocols.isEmpty())
{
List<String> protocols = new ArrayList<>(negotiableProtocols);
protocols.add("http/1.1");
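Review bot: The guard at the top of the new block tests getGroupList() but the value pushed into the conf command is taken from getGroups(); unless the two accessors are guaranteed to be null together, a host config where one is set and the other is not would throw a NullPointerException here, and any whitespace around the commas in the raw attribute would survive `replace(',', ':')` and be handed to OpenSSL as part of a group name. If getGroupList() is the parsed form of the same attribute, building the value from it keeps guard and value consistent, e.g. `String.join(":", sslHostConfig.getGroupList())` (adjusted if it returns an array rather than a collection). How OpenSSL's rejection of an unknown group name surfaces depends on the existing OpenSSLConf apply path, which is outside this hunk; a startup test with a bogus group name would confirm that a misconfiguration fails loudly rather than silently falling back to OpenSSL's defaults. The enclosing method starts and ends outside the hunk.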
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 410d3d192a..54d972fa99 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -130,6 +130,11 @@
Log a suitable warning if an encrypted PEM file is detected using an
insecure form for encryption. (markt)
</add>
+ <fix>
+ If TLS groups have been configured, use the configured groups rather
+ than using OpenSSL's default TLS groups when using Tomcat Native with
+ OpenSSL based connectors. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Cluster">