Author: markt
Date: Wed Mar  2 22:04:52 2016
New Revision: 1733378

URL: http://svn.apache.org/viewvc?rev=1733378&view=rev
Log:
kECDHE and ECDHE are now supported.
Fix ordering for newer ciphers that are only in OpenSSL master

Modified:
    
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
    
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
    tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1733378&r1=1733377&r2=1733378&view=diff
==============================================================================
--- 
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
 (original)
+++ 
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
 Wed Mar  2 22:04:52 2016
@@ -426,8 +426,12 @@ public class OpenSSLCipherConfigurationP
         addListAlias(kECDHe, filterByKeyExchange(allCiphers, 
Collections.singleton(KeyExchange.ECDHe)));
         addListAlias(kECDH, filterByKeyExchange(allCiphers, new 
HashSet<>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr))));
         addListAlias(ECDH, filterByKeyExchange(allCiphers, new 
HashSet<>(Arrays.asList(KeyExchange.ECDHe, KeyExchange.ECDHr, 
KeyExchange.EECDH))));
-        addListAlias(kECDHE, filterByKeyExchange(allCiphers, 
Collections.singleton(KeyExchange.ECDHe)));
-        aliases.put(ECDHE, aliases.get(kECDHE));
+        addListAlias(kECDHE, filterByKeyExchange(allCiphers, 
Collections.singleton(KeyExchange.EECDH)));
+
+        Set<Cipher> ecdhe = filterByKeyExchange(allCiphers, 
Collections.singleton(KeyExchange.EECDH));
+        remove(ecdhe, aNULL);
+        addListAlias(ECDHE, ecdhe);
+
         addListAlias(kEECDH, filterByKeyExchange(allCiphers, 
Collections.singleton(KeyExchange.EECDH)));
         aliases.put(EECDHE, aliases.get(kEECDH));
         Set<Cipher> eecdh = filterByKeyExchange(allCiphers, 
Collections.singleton(KeyExchange.EECDH));
@@ -526,7 +530,7 @@ public class OpenSSLCipherConfigurationP
         ciphers.addAll(aliases.get(alias));
     }
 
-    static void remove(final LinkedHashSet<Cipher> ciphers, final String 
alias) {
+    static void remove(final Set<Cipher> ciphers, final String alias) {
         ciphers.removeAll(aliases.get(alias));
     }
 
@@ -550,6 +554,10 @@ public class OpenSSLCipherConfigurationP
         return result;
     }
 
+    /*
+     * See
+     * 
https://github.com/openssl/openssl/blob/7c96dbcdab959fef74c4caae63cdebaa354ab252/ssl/ssl_ciph.c#L1371
+     */
     static LinkedHashSet<Cipher> defaultSort(final LinkedHashSet<Cipher> 
ciphers) {
         final LinkedHashSet<Cipher> result = new 
LinkedHashSet<>(ciphers.size());
         /* Now arrange all ciphers by preference: */
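Review bot: The new block comment above `defaultSort` is only a bare link, so a maintainer cannot tell what it is evidence for or when it has gone stale. It should state the claim the link supports, for example `/* The preference order below mirrors the default cipher ordering in OpenSSL master (ssl_ciph.c) as of the linked commit; re-check it whenever that file changes upstream. See <url> */`. Since the commit deliberately follows OpenSSL master rather than a released version (the SSLv2 and KRB5 demotions are dropped in the later hunks), saying so here explains the otherwise surprising removals. `defaultSort` continues past the end of this hunk.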
@@ -557,16 +565,14 @@ public class OpenSSLCipherConfigurationP
         /* Everything else being equal, prefer ephemeral ECDH over other key 
exchange mechanisms */
         result.addAll(filterByKeyExchange(ciphers, 
Collections.singleton(KeyExchange.EECDH)));
         /* AES is our preferred symmetric cipher */
-        moveToStart(result, filterByEncryption(result, new 
HashSet<>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM,
-                Encryption.AES256, Encryption.AES256GCM))));
-        result.addAll(filterByEncryption(ciphers, new 
HashSet<>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM,
-                Encryption.AES256, Encryption.AES256GCM))));
+        Set<Encryption> aes = new HashSet<>(Arrays.asList(Encryption.AES128, 
Encryption.AES128CCM,
+                Encryption.AES128CCM8, Encryption.AES128GCM, Encryption.AES256,
+                Encryption.AES256CCM, Encryption.AES256CCM8, 
Encryption.AES256GCM));
+        moveToStart(result, filterByEncryption(result, aes));
+        result.addAll(filterByEncryption(ciphers, aes));
         /* Temporarily enable everything else for sorting */
         result.addAll(ciphers);
 
-        /* Low priority for SSLv2 */
-        moveToEnd(result, filterByProtocol(result, 
Collections.singleton(Protocol.SSLv2)));
-
         /* Low priority for MD5 */
         moveToEnd(result, filterByMessageDigest(result, 
Collections.singleton(MessageDigest.MD5)));
 
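Review bot: Dropping the `moveToEnd(..., Protocol.SSLv2)` step means any `Cipher` still tagged `Protocol.SSLv2` is no longer demoted and is ranked by `strengthSort` alone; the KRB5 demotion removed in the hunk at -579 has the same effect for `KeyExchange.KRB5`. That matches OpenSSL master only if those ciphers no longer exist in this file's `Cipher` enum, which is not visible here; if they do remain, they may now sort ahead of ciphers that are still pushed to the end (MD5, RC4), so either remove those entries in the same change or note why they can stay. The `aes` set is rebuilt on every call and never mutated; a class-level `private static final Set<Encryption> AES = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(...)));` would make that explicit and avoid the per-call allocation. `defaultSort` starts and ends outside this hunk.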
@@ -579,7 +585,7 @@ public class OpenSSLCipherConfigurationP
         moveToEnd(result, filterByAuthentication(result, 
Collections.singleton(Authentication.ECDH)));
         moveToEnd(result, filterByKeyExchange(result, 
Collections.singleton(KeyExchange.RSA)));
         moveToEnd(result, filterByKeyExchange(result, 
Collections.singleton(KeyExchange.PSK)));
-        moveToEnd(result, filterByKeyExchange(result, 
Collections.singleton(KeyExchange.KRB5)));
+
         /* RC4 is sort-of broken -- move the the end */
         moveToEnd(result, filterByEncryption(result, 
Collections.singleton(Encryption.RC4)));
         return strengthSort(result);
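Review bot: The removed KRB5 demotion is replaced by an empty `+` line, which leaves a stray blank line between the PSK demotion and the `/* RC4 is sort-of broken ... */` comment; the blank should be dropped along with the statement. The adjacent context comment also reads `move the the end`; since this stretch is being edited, `/* RC4 is sort-of broken -- move to the end */` could be fixed in the same commit. `defaultSort` begins outside this hunk.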
@@ -714,13 +720,22 @@ public class OpenSSLCipherConfigurationP
         return convertForJSSE(parse(expression));
     }
 
-    public static String jsseToOpenSSL(String cipher) {
+
+    /**
+     * Converts a JSSE cipher name to an OpenSSL cipher name.
+     *
+     * @param jsseCipherName The JSSE name for a cipher
+     *
+     * @return The OpenSSL name for the specified JSSE cipher
+     */
+    public static String jsseToOpenSSL(String jsseCipherName) {
         if (!initialized) {
             init();
         }
-        return jsseToOpenSSL.get(cipher);
+        return jsseToOpenSSL.get(jsseCipherName);
     }
 
+
     static String displayResult(Collection<Cipher> ciphers, boolean 
useJSSEFormat, String separator) {
         if (ciphers.isEmpty()) {
             return "";
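Review bot: The new Javadoc for `jsseToOpenSSL` does not document the not-found case: `jsseToOpenSSL.get(jsseCipherName)` presumably returns `null` when the name is not in the map (assuming `jsseToOpenSSL` is a `Map`, which is not visible here), and callers need to know that. Suggested `@return The OpenSSL name for the specified JSSE cipher, or {@code null} if the JSSE name is not recognised`. The hunk also introduces two consecutive blank lines before the Javadoc and before `displayResult`; a single blank line is the convention in the surrounding code. `displayResult` continues past the end of this hunk.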

Modified: 
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java?rev=1733378&r1=1733377&r2=1733378&view=diff
==============================================================================
--- 
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
 (original)
+++ 
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
 Wed Mar  2 22:04:52 2016
@@ -281,14 +281,12 @@ public class TestOpenSSLCipherConfigurat
 
 
     @Test
-    @Ignore("Contrary to the docs, OpenSSL does not recognise kECDHE")
     public void testkECDHE() throws Exception {
         testSpecification("kECDHE");
     }
 
 
     @Test
-    @Ignore("Contrary to the docs, OpenSSL does not recognise ECDHE")
     public void testECDHE() throws Exception {
         testSpecification("ECDHE");
     }
@@ -660,9 +658,9 @@ public class TestOpenSSLCipherConfigurat
 
         TesterOpenSSL.removeUnimplementedCiphersJsse(jsseCipherListFromParser);
 
-        // First check the lists have the same entries
-        Assert.assertEquals(jsseCipherListFromOpenSSL.size(), 
jsseCipherListFromParser.size());
-        
Assert.assertTrue(jsseCipherListFromOpenSSL.containsAll(jsseCipherListFromParser));
+        // Check the lists have the same entries in the same order
+        Assert.assertEquals(jsseCipherListFromOpenSSL.toString(),
+                jsseCipherListFromParser.toString());
 
         // OpenSSL treats many ciphers as having equal preference. The order
         // returned depends on the order they are requested. The following code
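Review bot: Comparing `toString()` output ties the assertion to the element formatting and, on failure, produces one long string diff instead of a structured one. If both variables are `List`s, `Assert.assertEquals(jsseCipherListFromOpenSSL, jsseCipherListFromParser);` checks contents and order directly with the same strictness. The context comment immediately below says OpenSSL returns equal-preference ciphers in request order and that "the following code" deals with it; if that code normalises ordering, the strict ordered comparison may belong after it rather than before — worth confirming against the rest of the method, which continues outside this hunk.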

Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1733378&r1=1733377&r2=1733378&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Wed Mar  2 22:04:52 2016
@@ -149,6 +149,10 @@
         shutdown if the Poller experiences an error during the shutdown 
process.
         (markt)
       </fix>
+      <fix>
+        Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> 
with
+        the current OpenSSL implementation. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">


