Author: markt Date: Tue Aug 11 11:15:39 2015 New Revision: 1695263 URL: http://svn.apache.org/r1695263 Log: Get unit tests passing (using Windows binaries linked from openssl.org) for 0.9.8, 1.0.0, 1.0.1 & 1.0.2.
Modified: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java Modified: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java?rev=1695263&r1=1695262&r2=1695263&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java Tue Aug 11 11:15:39 2015 
@@ -73,7 +73,11 @@ public class TestCipher { */ @Test public void testOpenSSLCipherAvailability() throws Exception { - Set<String> availableCipherSuites = TesterOpenSSL.getOpenSSLCiphersAsSet("ALL:eNULL"); + // OpenSSL 0.9.8 does not include aNULL or eNULL in all. + // OpenSSL does not include ECDH/ECDHE ciphers in all and there is no + // EC alias. Use aRSA. + // OpenSSL 1.0.0 onwards does not include eNULL in all. + Set<String> availableCipherSuites = TesterOpenSSL.getOpenSSLCiphersAsSet("ALL:eNULL:aNULL:aRSA"); Set<String> expectedCipherSuites = new HashSet<>(); for (Cipher cipher : Cipher.values()) { if (TesterOpenSSL.OPENSSL_UNIMPLEMENTED_CIPHERS.contains(cipher)) { Modified: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java?rev=1695263&r1=1695262&r2=1695263&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java Tue Aug 11 11:15:39 2015 @@ -28,7 +28,13 @@ public class TestOpenSSLCipherConfigurat public void testDEFAULT() throws Exception { // EXPORT was removed from DEFAULT in 1.1.0 but we prefer the old // behaviour - testSpecification("DEFAULT:!EXPORT"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA:!SSLv2:!eNULL as an EC alias isn't available) + testSpecification("DEFAULT:!EXPORT:aRSA:!SSLv2:!eNULL"); + } else { + testSpecification("DEFAULT:!EXPORT"); + } } 
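Review bot: The parenthetical in the new testDEFAULT comment, `(using aRSA:!SSLv2:!eNULL as an EC alias isn't available)`, can be read as saying that the aRSA expression itself is unavailable, although the next line relies on it. I would reword it as `// (no EC alias exists in 0.9.8, so aRSA:!SSLv2:!eNULL is used to pull in the EC suites)`. The same phrasing recurs in the 0.9.8 branches of testALL, testCOMPLEMENTOFALL, testeNULL, testHIGH, testTLSv1, testSSLv3, testAES, test3DES, testSHA1, testSHA and testSpecification01, and would benefit from the same rewording.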
@@ -36,19 +42,40 @@ public class TestOpenSSLCipherConfigurat public void testCOMPLEMENTOFDEFAULT() throws Exception { // EXPORT was removed from DEFAULT in 1.1.0 but we prefer the old // behaviour - testSpecification("COMPLEMENTOFDEFAULT:EXPORT"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled + testSpecification("COMPLEMENTOFDEFAULT:EXPORT:aNULL"); + } else { + testSpecification("COMPLEMENTOFDEFAULT:EXPORT"); + } } @Test public void testALL() throws Exception { - testSpecification("ALL"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled whereas + // later versions include it. + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA:kECDHr as an EC alias isn't available) + testSpecification("ALL:aNULL:aRSA:kECDHr"); + } else { + testSpecification("ALL"); + } } @Test public void testCOMPLEMENTOFALL() throws Exception { - testSpecification("COMPLEMENTOFALL"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled whereas + // later versions include it. + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA:kECDHr as an EC alias isn't available) + testSpecification("COMPLEMENTOFALL:!aNULL:!aRSA:!kECDHr"); + } else { + testSpecification("COMPLEMENTOFALL"); + } } 
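Review bot: The comment in the 0.9.8 branch of testCOMPLEMENTOFALL is copied verbatim from testALL, but the specification under it negates the terms (`COMPLEMENTOFALL:!aNULL:!aRSA:!kECDHr`) instead of adding them, so the comment does not explain the line it sits on. If the intent is to mirror the widened ALL used in testALL, a comment such as `// testALL widens ALL with aNULL:aRSA:kECDHr on 0.9.8, so the complement must exclude the same terms` would say so. If the reason is different, it should be stated, because `!` removes a suite permanently and the choice is not obvious to a reader.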
@@ -60,19 +87,56 @@ public class TestOpenSSLCipherConfigurat @Test public void testeNULL() throws Exception { - testSpecification("eNULL"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA as an EC alias isn't available) + testSpecification("eNULL:eNULL+aNULL:eNULL+aRSA"); + } else { + testSpecification("eNULL"); + } } @Test public void testHIGH() throws Exception { - testSpecification("HIGH"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled + // OpenSSL 0.9.8 describes the following ciphers as HIGH whereas + // later versions use MEDIUM + // TLS_ECDH_anon_WITH_RC4_128_SHA (AECDH-RC4-SHA) + // TLS_ECDHE_RSA_WITH_RC4_128_SHA (ECDHE-RSA-RC4-SHA) + // TLS_ECDH_RSA_WITH_RC4_128_SHA (ECDH-RSA-RC4-SHA) + // TLS_ECDHE_RSA_WITH_NULL_SHA (ECDHE-RSA-NULL-SHA) + // TLS_ECDH_RSA_WITH_NULL_SHA (ECDH-RSA-NULL-SHA) + // + // OpenSSL 0.9.8 describes TLS_ECDH_anon_WITH_NULL_SHA + // (AECDH-NULL-SHA) as HIGH whereas later versions use STRONG_NONE + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA as an EC alias isn't available) + testSpecification("HIGH:HIGH+aNULL:HIGH+aRSA:" + + "!AECDH-RC4-SHA:!ECDHE-RSA-RC4-SHA:!ECDH-RSA-RC4-SHA:!ECDHE-RSA-NULL-SHA:!ECDH-RSA-NULL-SHA:" + + "!AECDH-NULL-SHA"); + } else { + testSpecification("HIGH"); + } } @Test public void testMEDIUM() throws Exception { - testSpecification("MEDIUM"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 describes the following ciphers as HIGH whereas + // later versions use MEDIUM + // TLS_ECDH_anon_WITH_RC4_128_SHA (AECDH-RC4-SHA) + // TLS_ECDHE_RSA_WITH_RC4_128_SHA (ECDHE-RSA-RC4-SHA) + // TLS_ECDH_RSA_WITH_RC4_128_SHA (ECDH-RSA-RC4-SHA) + // TLS_ECDHE_RSA_WITH_NULL_SHA (ECDHE-RSA-NULL-SHA) + // TLS_ECDH_RSA_WITH_NULL_SHA (ECDH-RSA-NULL-SHA) + 
testSpecification("MEDIUM:AECDH-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-NULL-SHA:ECDH-RSA-NULL-SHA"); + } else { + testSpecification("MEDIUM"); + } } @@ -102,7 +166,12 @@ public class TestOpenSSLCipherConfigurat @Test public void testaRSA() throws Exception { - testSpecification("aRSA"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 treats kECDHr as aRSA + testSpecification("aRSA:kECDHr"); + } else { + testSpecification("aRSA"); + } } @@ -129,7 +198,10 @@ public class TestOpenSSLCipherConfigurat @Test public void testEDH() throws Exception { - testSpecification("EDH"); + // This alias was introduced in 1.0.0 + if (TesterOpenSSL.VERSION >= 10000) { + testSpecification("EDH"); + } } @@ -162,7 +234,10 @@ public class TestOpenSSLCipherConfigurat @Test public void testkECDHr() throws Exception { - testSpecification("kECDHr"); + // This alias was introduced in 1.0.0 + if (TesterOpenSSL.VERSION >= 10000) { + testSpecification("kECDHr"); + } } @@ -174,19 +249,28 @@ public class TestOpenSSLCipherConfigurat @Test public void testkECDH() throws Exception { - testSpecification("kECDH"); + // This alias was introduced in 1.0.0 + if (TesterOpenSSL.VERSION >= 10000) { + testSpecification("kECDH"); + } } @Test public void testkEECDH() throws Exception { - testSpecification("kEECDH"); + // This alias was introduced in 1.0.0 + if (TesterOpenSSL.VERSION >= 10000) { + testSpecification("kEECDH"); + } } @Test public void testECDH() throws Exception { - testSpecification("ECDH"); + // This alias was introduced in 1.0.0 + if (TesterOpenSSL.VERSION >= 10000) { + testSpecification("ECDH"); + } } @@ -213,7 +297,10 @@ public class TestOpenSSLCipherConfigurat @Test public void testAECDH() throws Exception { - testSpecification("AECDH"); + // This alias was introduced in 1.0.0 + if (TesterOpenSSL.VERSION >= 10000) { + testSpecification("AECDH"); + } } 
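Review bot: On OpenSSL 0.9.8 the new guard in testEDH, `if (TesterOpenSSL.VERSION >= 10000) { ... }`, leaves the test body empty, so JUnit reports a pass for an alias that was never checked. `Assume.assumeTrue(TesterOpenSSL.VERSION >= 10000);` as the first statement (plus an import of `org.junit.Assume` if the file does not already have one) would report the test as skipped instead, which keeps the coverage gap visible in the results. The same guard is added to testkECDHr, testkECDH, testkEECDH, testECDH, testAECDH, testaECDH, testAES128, testAES256 and testSpecification03.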
@@ -231,7 +318,10 @@ public class TestOpenSSLCipherConfigurat @Test public void testaECDH() throws Exception { - testSpecification("aECDH"); + // This alias was introduced in 1.0.0 + if (TesterOpenSSL.VERSION >= 10000) { + testSpecification("aECDH"); + } } @@ -279,7 +369,14 @@ public class TestOpenSSLCipherConfigurat @Test public void testTLSv1() throws Exception { - testSpecification("TLSv1"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA as an EC alias isn't available) + testSpecification("TLSv1:TLSv1+aNULL:TLSv1+aRSA"); + } else { + testSpecification("TLSv1"); + } } @@ -291,7 +388,14 @@ public class TestOpenSSLCipherConfigurat @Test public void testSSLv3() throws Exception { - testSpecification("SSLv3"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA as an EC alias isn't available) + testSpecification("SSLv3:SSLv3+aNULL:SSLv3+aRSA"); + } else { + testSpecification("SSLv3"); + } } 
@@ -309,19 +413,32 @@ public class TestOpenSSLCipherConfigurat @Test public void testAES128() throws Exception { - testSpecification("AES128"); + // This alias was introduced in 1.0.0 + if (TesterOpenSSL.VERSION >= 10000) { + testSpecification("AES128"); + } } @Test public void testAES256() throws Exception { - testSpecification("AES256"); + // This alias was introduced in 1.0.0 + if (TesterOpenSSL.VERSION >= 10000) { + testSpecification("AES256"); + } } @Test public void testAES() throws Exception { - testSpecification("AES"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA as an EC alias isn't available) + testSpecification("AES:AES+aNULL:AES+aRSA"); + } else { + testSpecification("AES"); + } } @@ -351,7 +468,14 @@ public class TestOpenSSLCipherConfigurat @Test public void test3DES() throws Exception { - testSpecification("3DES"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA as an EC alias isn't available) + testSpecification("3DES:3DES+aNULL:3DES+aRSA"); + } else { + testSpecification("3DES"); + } } @@ -363,7 +487,12 @@ public class TestOpenSSLCipherConfigurat @Test public void testRC4() throws Exception { - testSpecification("RC4"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled + testSpecification("RC4:RC4+aNULL:RC4+aRSA"); + } else { + testSpecification("RC4"); + } } 
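Review bot: The 0.9.8 branch of testRC4 adds both `RC4+aNULL` and `RC4+aRSA`, but its comment gives only the aNULL reason. The sibling tests in this commit (testAES, test3DES) carry a second comment line for the aRSA term. I would add `// OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled` here as well, or drop `RC4+aRSA` if it is not needed.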
@@ -393,13 +522,27 @@ public class TestOpenSSLCipherConfigurat @Test public void testSHA1() throws Exception { - testSpecification("SHA1"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA as an EC alias isn't available) + testSpecification("SHA1:SHA1+aNULL:SHA1+aRSA"); + } else { + testSpecification("SHA1"); + } } @Test public void testSHA() throws Exception { - testSpecification("SHA"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA as an EC alias isn't available) + testSpecification("SHA:SHA+aNULL:SHA+aRSA"); + } else { + testSpecification("SHA"); + } } 
@@ -470,24 +613,37 @@ public class TestOpenSSLCipherConfigurat // Tomcat 8 default as of 2014-08-04 // This gets an A- from https://www.ssllabs.com/ssltest with no FS for // a number of the reference browsers - testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA:kECDHr as an EC alias isn't available) + testSpecification("HIGH:aRSA:kECDHr:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"); + } else { + testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"); + } } @Test public void testSpecification02() throws Exception { // Suggestion from dev list (s/ECDHE/kEECDH/, s/DHE/EDH/ - testSpecification("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:MEDIUM"); + if (TesterOpenSSL.VERSION < 10000) { + // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled + // (using aRSA:kECDHr as an EC alias isn't available) + } else { + testSpecification("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:aRSA:kECDHr:MEDIUM"); + } } @Test public void testSpecification03() throws Exception { // Reported as failing during 8.0.11 release vote by Ognjen Blagojevic - testSpecification("EECDH+aRSA+SHA384:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"); + // EDH was introduced in 1.0.0 + if (TesterOpenSSL.VERSION >= 10000) { + testSpecification("EECDH+aRSA+SHA384:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"); + } } - private void testSpecification(String specification) throws Exception { // Filter out cipher suites that OpenSSL does not implement String openSSLCipherList = TesterOpenSSL.getOpenSSLCiphersAsExpression(specification); Modified: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java URL: 
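Review bot: In testSpecification02 the 0.9.8 branch holds only a comment and runs nothing, while the `else` branch now tests a different string from before: `aRSA:kECDHr` has been inserted between `HIGH` and `MEDIUM` for 1.0.0 onwards. That looks like the 0.9.8 workaround landed in the wrong branch, and it changes which specification the newer versions verify. I would keep the original `...:+RC4:HIGH:MEDIUM` string in the `else` branch and, since other hunks in this commit state that kEECDH, ECDH and EDH do not exist before 1.0.0, replace the empty branch with a comment saying so or with an `Assume.assumeTrue` on the version. Separately, the 0.9.8 branch of testSpecification01 adds bare `aRSA:kECDHr` where testHIGH uses the intersection form `HIGH+aRSA`, so that branch appears to check a wider set than the Tomcat default named in the comment above it. testSpecification01 starts above this hunk and testSpecification continues below it.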
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java?rev=1695263&r1=1695262&r2=1695263&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java Tue Aug 11 11:15:39 2015 @@ -63,15 +63,7 @@ public class TesterOpenSSL { // Note: The following lists are intended to be aligned with the most // recent release of each OpenSSL release branch - // TODO Validate this for all current OpenSSL versions - // 0.9.8 - TODO - // 1.0.0 - TODO - // 1.0.1 - Done - // 1.0.2 - Done - // 1.1.0 - Done - - // These were removed in 0.9.8 (or earlier) so won't be available in any - // supported version. + // These have been removed from all supported versions. unimplemented.add(Cipher.TLS_DHE_DSS_WITH_RC4_128_SHA); unimplemented.add(Cipher.TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA); unimplemented.add(Cipher.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA); 
@@ -83,35 +75,84 @@ public class TesterOpenSSL { if (VERSION < 10000) { // These were implemented in 1.0.0 so won't be available in any // earlier version + unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA); + unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA); + unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA); + unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA); + unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_NULL_SHA); + unimplemented.add(Cipher.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA); + unimplemented.add(Cipher.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA); + unimplemented.add(Cipher.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA); + unimplemented.add(Cipher.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA); + unimplemented.add(Cipher.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA); + unimplemented.add(Cipher.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA); + unimplemented.add(Cipher.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA); + unimplemented.add(Cipher.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA); + unimplemented.add(Cipher.TLS_PSK_WITH_AES_128_CBC_SHA); + unimplemented.add(Cipher.TLS_PSK_WITH_AES_256_CBC_SHA); + unimplemented.add(Cipher.TLS_DHE_RSA_WITH_SEED_CBC_SHA); + unimplemented.add(Cipher.TLS_DHE_DSS_WITH_SEED_CBC_SHA); + unimplemented.add(Cipher.TLS_DH_anon_WITH_SEED_CBC_SHA); + unimplemented.add(Cipher.TLS_RSA_WITH_SEED_CBC_SHA); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_RC4_128_SHA); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_NULL_SHA); + unimplemented.add(Cipher.TLS_PSK_WITH_RC4_128_SHA); + unimplemented.add(Cipher.TLS_PSK_WITH_3DES_EDE_CBC_SHA); } else { // These were removed in 1.0.0 so won't be available from that // version onwards. + // None at present. 
} if (VERSION < 10001) { // These were added in 1.0.1 so won't be available in any earlier // version - unimplemented.add(Cipher.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256); - unimplemented.add(Cipher.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256); - unimplemented.add(Cipher.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256); - unimplemented.add(Cipher.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256); - unimplemented.add(Cipher.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256); - unimplemented.add(Cipher.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256); - unimplemented.add(Cipher.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256); - unimplemented.add(Cipher.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256); - unimplemented.add(Cipher.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256); - unimplemented.add(Cipher.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256); - unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256); - unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384); - unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256); - unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384); - unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256); - unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384); - unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256); - unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384); - unimplemented.add(Cipher.TLS_PSK_WITH_AES_128_GCM_SHA256); - unimplemented.add(Cipher.TLS_PSK_WITH_AES_256_GCM_SHA384); + unimplemented.add(Cipher.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA); + unimplemented.add(Cipher.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA); + unimplemented.add(Cipher.TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA); + unimplemented.add(Cipher.TLS_SRP_SHA_WITH_AES_128_CBC_SHA); + unimplemented.add(Cipher.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA); + unimplemented.add(Cipher.TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA); + unimplemented.add(Cipher.TLS_SRP_SHA_WITH_AES_256_CBC_SHA); + 
unimplemented.add(Cipher.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA); + unimplemented.add(Cipher.TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA); + unimplemented.add(Cipher.TLS_RSA_WITH_AES_256_GCM_SHA384); + unimplemented.add(Cipher.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256); + unimplemented.add(Cipher.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256); + unimplemented.add(Cipher.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256); + unimplemented.add(Cipher.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256); + unimplemented.add(Cipher.TLS_DH_anon_WITH_AES_128_CBC_SHA256); + unimplemented.add(Cipher.TLS_DH_anon_WITH_AES_256_CBC_SHA256); + unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384); + unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384); + unimplemented.add(Cipher.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384); + unimplemented.add(Cipher.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384); + unimplemented.add(Cipher.TLS_DH_anon_WITH_AES_256_GCM_SHA384); + unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384); + unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); + unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256); + unimplemented.add(Cipher.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256); + unimplemented.add(Cipher.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256); + unimplemented.add(Cipher.TLS_DH_anon_WITH_AES_128_GCM_SHA256); + unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256); + unimplemented.add(Cipher.TLS_RSA_WITH_AES_128_GCM_SHA256); + unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384); + unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384); + unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384); + unimplemented.add(Cipher.TLS_RSA_WITH_AES_256_CBC_SHA256); + unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256); + 
unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256); + unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256); + unimplemented.add(Cipher.TLS_RSA_WITH_AES_128_CBC_SHA256); + unimplemented.add(Cipher.TLS_RSA_WITH_NULL_SHA256); } else { // These were removed in 1.0.1 so won't be available from that // version onwards. @@ -268,7 +309,11 @@ public class TesterOpenSSL { if (specification == null) { stdout = executeOpenSSLCommand("ciphers", "-v"); } else { - stdout = executeOpenSSLCommand("ciphers", "-v", specification); + if (VERSION < 10000) { + stdout = executeOpenSSLCommand("ciphers", "-v", specification); + } else { + stdout = executeOpenSSLCommand("ciphers", "-v", specification); + } } if (stdout.length() == 0) { --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
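Review bot: Both arms of the new `if (VERSION < 10000)` in the last TesterOpenSSL hunk call `executeOpenSSLCommand("ciphers", "-v", specification)` with identical arguments, so the branch has no effect. Either restore the single call, `stdout = executeOpenSSLCommand("ciphers", "-v", specification);`, or, if 0.9.8 was meant to receive different arguments, put them in the first arm with a comment saying why. The enclosing method starts and ends outside the hunk.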