On 16/02/2015 11:18, Rainer Jung wrote:
> Am 16.02.2015 um 11:30 schrieb Mark Thomas:
>> On 16/02/2015 10:19, Rainer Jung wrote:
>>> Am 16.02.2015 um 08:49 schrieb Bill Barker:
>>>
>>>>      [concat] Testsuites with failed tests:
>>>>      [concat]
>>>> TEST-org.apache.catalina.loader.TestWebappClassLoaderThreadLocalMemoryLeak.NIO2.txt
>>>>
>>>>
>>>>      [concat]
>>>> TEST-org.apache.tomcat.util.net.jsse.openssl.TestCipher.NIO2.txt
>>>>      [concat]
>>>> TEST-org.apache.tomcat.util.net.jsse.openssl.TestOpenSSLCipherConfigurationParser.NIO2.txt
>>>>
>>>>
>>>
>>> For the openssl failures, it seems that for OpenSSL 1.0.2 compatibility
>>> at least the following ciphers have to be added to Ciphers.java:
>>>
>>> SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
>>> SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA
>>> SSL_DH_DSS_WITH_DES_CBC_SHA
>>> SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
>>> SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
>>> SSL_DH_RSA_WITH_DES_CBC_SHA
>>> TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
>>> TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
>>> TLS_DH_DSS_WITH_AES_128_CBC_SHA
>>> TLS_DH_DSS_WITH_AES_128_CBC_SHA256
>>> TLS_DH_DSS_WITH_AES_128_GCM_SHA256
>>> TLS_DH_DSS_WITH_AES_256_CBC_SHA
>>> TLS_DH_DSS_WITH_AES_256_CBC_SHA256
>>> TLS_DH_DSS_WITH_AES_256_GCM_SHA384
>>> TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
>>> TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
>>> TLS_DH_DSS_WITH_DES_CBC_SHA
>>> TLS_DH_DSS_WITH_SEED_CBC_SHA
>>> TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
>>> TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
>>> TLS_DH_RSA_WITH_AES_128_CBC_SHA
>>> TLS_DH_RSA_WITH_AES_128_CBC_SHA256
>>> TLS_DH_RSA_WITH_AES_128_GCM_SHA256
>>> TLS_DH_RSA_WITH_AES_256_CBC_SHA
>>> TLS_DH_RSA_WITH_AES_256_CBC_SHA256
>>>
>>> I can do it over the week.
>>
>> Hmm. I only checked that last one but it is already listed in Ciphers.
>> Looking at the names, I'd expect most if not all of them to be there
>> already.
>>
>> I wonder if this is a case of fixing the name mappings and/or the "what
>> ciphers are implemented where" lists?
> 
> You are right: the ciphers that 1.0.2 knows and are not in Ciphers.java
> are not the ones that the unit test complains about. I have to stop
> investigation soon, but will come back later. Some seem to need SSLv3
> instead of TLS, others I don't understand yet.
> 
> Note that the tests haven't run on Gump before today.
> 
> I'll come back to this later.

I've just been through it and it is as simple as:
- adding the newly implemented ciphers to the list IBM does not support
- removing them from the list OpenSSL doesn't support.

I have a commit ready to go to fix this just as soon as I fix the
conflict that has just appeared.

Mark

