Author: markt Date: Thu Mar 3 11:07:26 2016 New Revision: 1733445 URL: http://svn.apache.org/viewvc?rev=1733445&view=rev Log: Simplify the tests by only supporting supported OpenSSL versions.
Modified: tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
Modified: tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java?rev=1733445&r1=1733444&r2=1733445&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java (original)
+++ tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java Thu Mar 3 11:07:26 2016
@@ -26,63 +26,36 @@ public class TestOpenSSLCipherConfigurat @Test public void testDEFAULT() throws Exception { - // EXPORT was removed from DEFAULT in 1.1.0 but we prefer the old - // behaviour - // DES, RC2 and RC4 were removed from default in 1.1.0-dev - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA:!SSLv2:!eNULL as an EC alias isn't available) - testSpecification("DEFAULT:!EXPORT:aRSA:!SSLv2:!eNULL:!DES:!RC2:!RC4"); - } else if (TesterOpenSSL.VERSION < 10100) { - testSpecification("DEFAULT:!EXPORT:!DES:!RC2:!RC4"); + // RC4 was removed from default in 1.1.0-dev + if (TesterOpenSSL.VERSION < 10100) { + testSpecification("DEFAULT:!RC4"); } else { - testSpecification("DEFAULT:!EXPORT"); + testSpecification("DEFAULT"); } } @Test public void testCOMPLEMENTOFDEFAULT() throws Exception { - // EXPORT was removed from DEFAULT in 1.1.0 but we prefer the old - // behaviour - // DES, RC2 and RC4 were removed from default in 1.1.0-dev - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled - testSpecification("COMPLEMENTOFDEFAULT:EXPORT:aNULL:DES:RC2:RC4"); - } else if (TesterOpenSSL.VERSION < 10100) { - testSpecification("COMPLEMENTOFDEFAULT:EXPORT:aNULL:DES:RC2:RC4"); + // NULL and RC4 were removed from default in 1.1.0-dev + if (TesterOpenSSL.VERSION < 10100) { + testSpecification("COMPLEMENTOFDEFAULT:RC4:aNULL"); } else { - testSpecification("COMPLEMENTOFDEFAULT:EXPORT"); + testSpecification("COMPLEMENTOFDEFAULT"); } } @Test public void testALL() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled whereas - // later versions include it. 
- // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA:kECDHr as an EC alias isn't available) - testSpecification("ALL:aNULL:aRSA:kECDHr"); - } else { testSpecification("ALL"); } - } @Test public void testCOMPLEMENTOFALL() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled whereas - // later versions include it. - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA:kECDHr as an EC alias isn't available) - testSpecification("COMPLEMENTOFALL:!aNULL:!aRSA:!kECDHr"); - } else { testSpecification("COMPLEMENTOFALL"); } - } @Test 
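Review bot: Nothing in the new code states or enforces the OpenSSL version floor these tests now assume: with the `TesterOpenSSL.VERSION < 10000` branches gone from testDEFAULT, testCOMPLEMENTOFDEFAULT, testALL and testCOMPLEMENTOFALL, a run against an older binary will report cipher-list mismatches rather than a skipped test. The same applies to the later hunks that drop the `>= 10000` guards (testEDH, testkECDHr, testkECDH, testAES128 and the others), where the alias tests used to pass silently on old versions. Unless TesterOpenSSL already rejects unsupported versions (not visible here), consider a single `Assume.assumeTrue(...)` on `TesterOpenSSL.VERSION` in a `@Before` method so a parser regression is not confused with an unsupported tool. Separately, the new comment in testCOMPLEMENTOFDEFAULT says `NULL and RC4` while the specification adds `aNULL`; `// aNULL and RC4 were removed from DEFAULT in 1.1.0-dev` would match the code.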
@@ -93,57 +66,20 @@ public class TestOpenSSLCipherConfigurat @Test public void testeNULL() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA as an EC alias isn't available) - testSpecification("eNULL:eNULL+aNULL:eNULL+aRSA"); - } else { testSpecification("eNULL"); } - } @Test public void testHIGH() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled - // OpenSSL 0.9.8 describes the following ciphers as HIGH whereas - // later versions use MEDIUM - // TLS_ECDH_anon_WITH_RC4_128_SHA (AECDH-RC4-SHA) - // TLS_ECDHE_RSA_WITH_RC4_128_SHA (ECDHE-RSA-RC4-SHA) - // TLS_ECDH_RSA_WITH_RC4_128_SHA (ECDH-RSA-RC4-SHA) - // TLS_ECDHE_RSA_WITH_NULL_SHA (ECDHE-RSA-NULL-SHA) - // TLS_ECDH_RSA_WITH_NULL_SHA (ECDH-RSA-NULL-SHA) - // - // OpenSSL 0.9.8 describes TLS_ECDH_anon_WITH_NULL_SHA - // (AECDH-NULL-SHA) as HIGH whereas later versions use STRONG_NONE - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA as an EC alias isn't available) - testSpecification("HIGH:HIGH+aNULL:HIGH+aRSA:" + - "!AECDH-RC4-SHA:!ECDHE-RSA-RC4-SHA:!ECDH-RSA-RC4-SHA:!ECDHE-RSA-NULL-SHA:!ECDH-RSA-NULL-SHA:" + - "!AECDH-NULL-SHA"); - } else { testSpecification("HIGH"); } - } @Test public void testMEDIUM() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 describes the following ciphers as HIGH whereas - // later versions use MEDIUM - // TLS_ECDH_anon_WITH_RC4_128_SHA (AECDH-RC4-SHA) - // TLS_ECDHE_RSA_WITH_RC4_128_SHA (ECDHE-RSA-RC4-SHA) - // TLS_ECDH_RSA_WITH_RC4_128_SHA (ECDH-RSA-RC4-SHA) - // TLS_ECDHE_RSA_WITH_NULL_SHA (ECDHE-RSA-NULL-SHA) - // TLS_ECDH_RSA_WITH_NULL_SHA (ECDH-RSA-NULL-SHA) - testSpecification("MEDIUM:AECDH-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-NULL-SHA:ECDH-RSA-NULL-SHA"); - } else { 
testSpecification("MEDIUM"); } - } @Test @@ -172,13 +108,8 @@ public class TestOpenSSLCipherConfigurat @Test public void testaRSA() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 treats kECDHr as aRSA - testSpecification("aRSA:kECDHr"); - } else { testSpecification("aRSA"); } - } @Test @@ -204,11 +135,8 @@ public class TestOpenSSLCipherConfigurat @Test public void testEDH() throws Exception { - // This alias was introduced in 1.0.0 - if (TesterOpenSSL.VERSION >= 10000) { testSpecification("EDH"); } - } @Test @@ -240,11 +168,8 @@ public class TestOpenSSLCipherConfigurat @Test public void testkECDHr() throws Exception { - // This alias was introduced in 1.0.0 - if (TesterOpenSSL.VERSION >= 10000) { testSpecification("kECDHr"); } - } @Test @@ -255,29 +180,20 @@ public class TestOpenSSLCipherConfigurat @Test public void testkECDH() throws Exception { - // This alias was introduced in 1.0.0 - if (TesterOpenSSL.VERSION >= 10000) { testSpecification("kECDH"); } - } @Test public void testkEECDH() throws Exception { - // This alias was introduced in 1.0.0 - if (TesterOpenSSL.VERSION >= 10000) { testSpecification("kEECDH"); } - } @Test public void testECDH() throws Exception { - // This alias was introduced in 1.0.0 - if (TesterOpenSSL.VERSION >= 10000) { testSpecification("ECDH"); } - } @Test @@ -301,11 +217,8 @@ public class TestOpenSSLCipherConfigurat @Test public void testAECDH() throws Exception { - // This alias was introduced in 1.0.0 - if (TesterOpenSSL.VERSION >= 10000) { testSpecification("AECDH"); } - } @Test @@ -322,11 +235,8 @@ public class TestOpenSSLCipherConfigurat @Test public void testaECDH() throws Exception { - // This alias was introduced in 1.0.0 - if (TesterOpenSSL.VERSION >= 10000) { testSpecification("aECDH"); } - } @Test 
@@ -373,15 +283,8 @@ public class TestOpenSSLCipherConfigurat @Test public void testTLSv1() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA as an EC alias isn't available) - testSpecification("TLSv1:TLSv1+aNULL:TLSv1+aRSA"); - } else { testSpecification("TLSv1"); } - } @Test @@ -392,15 +295,8 @@ public class TestOpenSSLCipherConfigurat @Test public void testSSLv3() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA as an EC alias isn't available) - testSpecification("SSLv3:SSLv3+aNULL:SSLv3+aRSA"); - } else { testSpecification("SSLv3"); } - } @Test @@ -417,33 +313,20 @@ public class TestOpenSSLCipherConfigurat @Test public void testAES128() throws Exception { - // This alias was introduced in 1.0.0 - if (TesterOpenSSL.VERSION >= 10000) { testSpecification("AES128"); } - } @Test public void testAES256() throws Exception { - // This alias was introduced in 1.0.0 - if (TesterOpenSSL.VERSION >= 10000) { testSpecification("AES256"); } - } @Test public void testAES() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA as an EC alias isn't available) - testSpecification("AES:AES+aNULL:AES+aRSA"); - } else { testSpecification("AES"); } - } @Test 
@@ -472,15 +355,8 @@ public class TestOpenSSLCipherConfigurat @Test public void test3DES() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA as an EC alias isn't available) - testSpecification("3DES:3DES+aNULL:3DES+aRSA"); - } else { testSpecification("3DES"); } - } @Test @@ -491,13 +367,8 @@ public class TestOpenSSLCipherConfigurat @Test public void testRC4() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled - testSpecification("RC4:RC4+aNULL:RC4+aRSA"); - } else { testSpecification("RC4"); } - } @Test @@ -526,28 +397,14 @@ public class TestOpenSSLCipherConfigurat @Test public void testSHA1() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA as an EC alias isn't available) - testSpecification("SHA1:SHA1+aNULL:SHA1+aRSA"); - } else { testSpecification("SHA1"); } - } @Test public void testSHA() throws Exception { - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA as an EC alias isn't available) - testSpecification("SHA:SHA+aNULL:SHA+aRSA"); - } else { testSpecification("SHA"); } - } @Test 
@@ -617,36 +474,23 @@ public class TestOpenSSLCipherConfigurat // Tomcat 8 default as of 2014-08-04 // This gets an A- from https://www.ssllabs.com/ssltest with no FS for // a number of the reference browsers - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA:kECDHr as an EC alias isn't available) - testSpecification("HIGH:aRSA:kECDHr:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"); - } else { testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"); } - } @Test public void testSpecification02() throws Exception { // Suggestion from dev list (s/ECDHE/kEECDH/, s/DHE/EDH/ - if (TesterOpenSSL.VERSION < 10000) { - // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled - // (using aRSA:kECDHr as an EC alias isn't available) - } else { testSpecification("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:aRSA:kECDHr:MEDIUM"); } - } @Test public void testSpecification03() throws Exception { // Reported as failing during 8.0.11 release vote by Ognjen Blagojevic // EDH was introduced in 1.0.0 - if (TesterOpenSSL.VERSION >= 10000) { testSpecification("EECDH+aRSA+SHA384:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"); } - } private void testSpecification(String specification) throws Exception { // Filter out cipher suites that OpenSSL does not implement 
@@ -658,9 +502,10 @@ public class TestOpenSSLCipherConfigurat TesterOpenSSL.removeUnimplementedCiphersJsse(jsseCipherListFromParser); - // Check the lists have the same entries in the same order - Assert.assertEquals(jsseCipherListFromOpenSSL.toString(), - jsseCipherListFromParser.toString()); + // First check the lists have the same entries + // Order is NOT important at this point. It is checked below. + Assert.assertEquals(jsseCipherListFromOpenSSL.size(), jsseCipherListFromParser.size()); + Assert.assertTrue(jsseCipherListFromOpenSSL.containsAll(jsseCipherListFromParser)); // OpenSSL treats many ciphers as having equal preference. The order // returned depends on the order they are requested. The following code --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
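Review bot: The two added assertions do not quite establish "same entries": if these collections are lists (their declarations are outside the hunk), equal `size()` plus a one-directional `containsAll` still passes when one side holds a duplicate and the other holds a suite the first lacks. They also lose the failure output the old `toString()` comparison gave, so a failing run no longer shows which cipher suite differs. For a parser whose output decides which suites a connector enables, I would compare as sets, e.g. `Assert.assertEquals(new HashSet<>(jsseCipherListFromOpenSSL), new HashSet<>(jsseCipherListFromParser));`, keeping the size check to catch duplicates; this needs `java.util.HashSet` imported if the file does not already do so. The ordering check the comment refers to is below the hunk and not visible here.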