Author: markt Date: Tue Feb 24 15:03:03 2015 New Revision: 1661972 URL: http://svn.apache.org/r1661972 Log: Fix ordering problem exposed now OpenSSL supports cipher suites with ephemeral ECDh with something other than AES
Added: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java (with props) Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1661972&r1=1661971&r2=1661972&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java Tue Feb 24 15:03:03 2015 @@ -488,6 +488,15 @@ public class OpenSSLCipherConfigurationP ciphers.addAll(movedCiphers); } + static void moveToStart(final LinkedHashSet<Cipher> ciphers, final Collection<Cipher> toBeMovedCiphers) { + List<Cipher> movedCiphers = new ArrayList<>(toBeMovedCiphers); + List<Cipher> originalCiphers = new ArrayList<>(ciphers); + movedCiphers.retainAll(ciphers); + ciphers.clear(); + ciphers.addAll(movedCiphers); + ciphers.addAll(originalCiphers); + } + static void add(final LinkedHashSet<Cipher> ciphers, final String alias) { ciphers.addAll(aliases.get(alias)); } @@ -523,6 +532,8 @@ public class OpenSSLCipherConfigurationP /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */ result.addAll(filterByKeyExchange(ciphers, Collections.singleton(KeyExchange.EECDH))); /* AES is our preferred symmetric cipher */ + moveToStart(result, filterByEncryption(result, new HashSet<>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM, + Encryption.AES256, Encryption.AES256GCM)))); result.addAll(filterByEncryption(ciphers, new HashSet<>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM, Encryption.AES256, Encryption.AES256GCM)))); /* Temporarily enable everything else for sorting */ Added: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java?rev=1661972&view=auto ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java (added) +++ tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java Tue Feb 24 15:03:03 2015 @@ -0,0 +1,69 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.net.jsse.openssl; + +import java.util.LinkedHashSet; + +import org.junit.Assert; +import org.junit.Test; + + +/* + * The unit test is independent of OpenSSL version and does not require OpenSSL + * to be present. + */ +public class TestOpenSSLCipherConfigurationParserOnly { + + @Test + public void testDefaultSort01() throws Exception { + // Reproducing a failure observed on Gump with OpenSSL 1.1.x + + // Everything else being equal, AES is preferred + LinkedHashSet<Cipher> input = new LinkedHashSet<>(); + input.add(Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384); + input.add(Cipher.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384); + input.add(Cipher.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384); + input.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384); + LinkedHashSet<Cipher> result = OpenSSLCipherConfigurationParser.defaultSort(input); + + LinkedHashSet<Cipher> expected = new LinkedHashSet<>(); + expected.add(Cipher.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384); + expected.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384); + expected.add(Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384); + expected.add(Cipher.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384); + + Assert.assertEquals(expected.toString(), result.toString()); + } + + @Test + public void testDefaultSort02() throws Exception { + // Reproducing a failure observed on Gump with OpenSSL 1.1.x + + // ECHDE beats AES + LinkedHashSet<Cipher> input = new LinkedHashSet<>(); + input.add(Cipher.TLS_RSA_WITH_AES_256_CBC_SHA); + input.add(Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384); + LinkedHashSet<Cipher> result = OpenSSLCipherConfigurationParser.defaultSort(input); + + LinkedHashSet<Cipher> expected = new LinkedHashSet<>(); + expected.add(Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384); + expected.add(Cipher.TLS_RSA_WITH_AES_256_CBC_SHA); + + Assert.assertEquals(expected.toString(), result.toString()); + } + +} Propchange: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java ------------------------------------------------------------------------------ svn:eol-style = native --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org