Author: rjung
Date: Thu Apr 12 04:38:45 2018
New Revision: 1828946
URL: http://svn.apache.org/viewvc?rev=1828946&view=rev
Log:
- add utility functions to TesterSupport to access
OpenSSL library availability and version number.
- use the new version number access to fix the test
for OpenSSLConf for older versions of OpenSSL
(before 1.1.1-pre3).
Modified:
tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java
Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?rev=1828946&r1=1828945&r2=1828946&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Thu Apr 12
04:38:45 2018
@@ -50,6 +50,9 @@ import org.apache.catalina.core.AprLifec
import org.apache.catalina.core.StandardServer;
import org.apache.catalina.startup.TesterMapRealm;
import org.apache.catalina.startup.Tomcat;
+import org.apache.tomcat.jni.Library;
+import org.apache.tomcat.jni.LibraryNotFoundError;
+import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
@@ -67,6 +70,8 @@ public final class TesterSupport {
public static final String JKS_KEY_PASS = "tomcatpass";
public static final String LOCALHOST_CERT_PEM = SSL_DIR +
"localhost-cert.pem";
public static final String LOCALHOST_KEY_PEM = SSL_DIR +
"localhost-key.pem";
+ public static final boolean OPENSSL_AVAILABLE;
+ public static final int OPENSSL_VERSION;
public static final String ROLE = "testrole";
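Review bot: `OPENSSL_AVAILABLE` and `OPENSSL_VERSION` are added as public fields while the following hunk also adds `isOpensslAvailable()` and `getOpensslVersion()` accessors, so every caller gets two ways to read the same value. Narrowing them to `private static final boolean OPENSSL_AVAILABLE;` and `private static final int OPENSSL_VERSION;` leaves the accessors as the single entry point and keeps the fields free to change later. A short comment on `OPENSSL_VERSION` would also help, e.g. `// Raw value returned by SSL.version(); 0 when the library could not be loaded` — the comparison against 0x10101003 in TestOpenSSLConf suggests OpenSSL's hex version encoding, but that is inferred, not stated here.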
@@ -74,6 +79,29 @@ public final class TesterSupport {
private static String lastUsage = "NONE";
private static Principal[] lastRequestedIssuers = new Principal[0];
+ static {
+ boolean available = false;
+ int version = 0;
+ try {
+ Library.initialize(null);
+ available = true;
+ version = SSL.version();
+ Library.terminate();
+ } catch (Exception | LibraryNotFoundError ex) {
+ // Ignore
+ }
+ OPENSSL_AVAILABLE = available;
+ OPENSSL_VERSION = version;
+ }
+
+ public static boolean isOpensslAvailable() {
+ return OPENSSL_AVAILABLE;
+ }
+
+ public static int getOpensslVersion() {
+ return OPENSSL_VERSION;
+ }
+
public static void initSsl(Tomcat tomcat) {
initSsl(tomcat, LOCALHOST_JKS, null, null);
}
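Review bot: In the static block `Library.terminate()` is skipped when `SSL.version()` throws after `Library.initialize(null)` has succeeded, and `available` has already been set to `true` at that point, so the class can report OpenSSL as available with version 0 while leaving the native library initialized. Moving the terminate call into a finally and setting `available` only after the version has been read fixes both. The two new accessors have no Javadoc; I would add `/** Whether the native OpenSSL library could be loaded and initialized when this class was loaded. */` on `isOpensslAvailable()` and `/** Version number reported by SSL.version(), or 0 when OpenSSL is unavailable. */` on `getOpensslVersion()`.
```java
    static {
        boolean available = false;
        int version = 0;
        try {
            Library.initialize(null);
            try {
                version = SSL.version();
                available = true;
            } finally {
                // Always release the library, even if reading the version fails
                Library.terminate();
            }
        } catch (Exception | LibraryNotFoundError ex) {
            // Ignore: OpenSSL is simply reported as unavailable
        }
        OPENSSL_AVAILABLE = available;
        OPENSSL_VERSION = version;
    }
```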
Modified:
tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java?rev=1828946&r1=1828945&r2=1828946&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java
(original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java
Thu Apr 12 04:38:45 2018
@@ -35,11 +35,20 @@ import org.apache.tomcat.util.net.Tester
public class TestOpenSSLConf extends TomcatBaseTest {
private static final String ENABLED_CIPHER = "AES256-SHA256";
- private static final String[] EXPECTED_CIPHERS = {"AES256-SHA256"};
+ private static final String[] EXPECTED_CIPHERS = {ENABLED_CIPHER};
private static final String[] ENABLED_PROTOCOLS = {"TLSv1.1"};
- private static final String[] DISABLED_PROTOCOLS = {"SSLv3", "TLSv1",
"TLSv1.2", "TLSv1.3"};
+ private static final String[] DISABLED_PROTOCOLS = {"SSLv3", "TLSv1",
"TLSv1.2"};
+ private static final String[] DISABLED_PROTOCOLS_TLS13 = {"TLSv1.3"};
+ // Test behavior needs to adjust for OpenSSL 1.1.1-pre3 and above
+ private static final int OPENSSL_TLS13_SUPPORT_MIN_VERSION = 0x10101003;
- public SSLHostConfig initOpenSSLConfCmdCipher(String... commands) throws
Exception {
+ private static int OPENSSL_VERSION = TesterSupport.getOpensslVersion();;
+
+ private static boolean hasTLS13() {
+ return OPENSSL_VERSION >= OPENSSL_TLS13_SUPPORT_MIN_VERSION;
+ }
+
+ public SSLHostConfig initOpenSSLConfCmd(String... commands) throws
Exception {
Assert.assertNotNull(commands);
Assert.assertTrue("Invalid length", commands.length % 2 == 0);
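Review bot: `private static int OPENSSL_VERSION = TesterSupport.getOpensslVersion();;` declares a constant-style name as a mutable static and ends in a stray empty declaration; it should read `private static final int OPENSSL_VERSION = TesterSupport.getOpensslVersion();`. Note also that when OpenSSL is unavailable the TesterSupport initializer leaves the version at 0, so `hasTLS13()` returns false and both tests silently take the pre-1.1.1-pre3 path instead of being skipped; if the class does not already assume availability elsewhere, `Assume.assumeTrue(TesterSupport.isOpensslAvailable());` at the top of `initOpenSSLConfCmd` would make that explicit. `initOpenSSLConfCmd` continues past the end of this hunk.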
@@ -78,9 +87,15 @@ public class TestOpenSSLConf extends Tom
@Test
public void testOpenSSLConfCmdCipher() throws Exception {
- // Ensure TLSv1.3 ciphers aren't returned
- SSLHostConfig sslHostConfig = initOpenSSLConfCmdCipher("CipherString",
ENABLED_CIPHER,
- "CipherSuites", "");
+ log.info("Found OpenSSL version 0x" +
Integer.toHexString(OPENSSL_VERSION));
+ SSLHostConfig sslHostConfig;
+ if (hasTLS13()) {
+ // Ensure TLSv1.3 ciphers aren't returned
+ sslHostConfig = initOpenSSLConfCmd("CipherString", ENABLED_CIPHER,
+ "CipherSuites", "");
+ } else {
+ sslHostConfig = initOpenSSLConfCmd("CipherString", ENABLED_CIPHER);
+ }
String[] ciphers = sslHostConfig.getEnabledCiphers();
Assert.assertThat("Wrong HostConfig ciphers", ciphers,
CoreMatchers.is(EXPECTED_CIPHERS));
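Review bot: The else branch that calls `initOpenSSLConfCmd("CipherString", ENABLED_CIPHER)` without `"CipherSuites", ""` has no comment explaining why the command set differs, while the if branch keeps the old one; presumably older OpenSSL does not accept the CipherSuites command, so I would add `// Before 1.1.1-pre3 there is no TLSv1.3 cipher list to clear, so only CipherString is set` above it. The `log.info("Found OpenSSL version 0x" + Integer.toHexString(OPENSSL_VERSION))` line is repeated verbatim in `testOpenSSLConfCmdProtocol` in the next hunk; a small private helper such as `logOpensslVersion()` called from both tests would avoid the duplication. `testOpenSSLConfCmdCipher` continues past the end of this hunk.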
@@ -91,15 +106,23 @@ public class TestOpenSSLConf extends Tom
@Test
public void testOpenSSLConfCmdProtocol() throws Exception {
+ log.info("Found OpenSSL version 0x" +
Integer.toHexString(OPENSSL_VERSION));
Set<String> disabledProtocols = new
HashSet<>(Arrays.asList(DISABLED_PROTOCOLS));
StringBuilder sb = new StringBuilder();
for (String protocol : DISABLED_PROTOCOLS) {
sb.append(",").append("-").append(protocol);
}
+ if (hasTLS13()) {
+ // Also disable TLSv1.3
+ for (String protocol : DISABLED_PROTOCOLS_TLS13) {
+ sb.append(",").append("-").append(protocol);
+ disabledProtocols.add(protocol);
+ }
+ }
for (String protocol : ENABLED_PROTOCOLS) {
sb.append(",").append(protocol);
}
- SSLHostConfig sslHostConfig = initOpenSSLConfCmdCipher("Protocol",
sb.substring(1));
+ SSLHostConfig sslHostConfig = initOpenSSLConfCmd("Protocol",
sb.substring(1));
String[] protocols = sslHostConfig.getEnabledProtocols();
for (String protocol : protocols) {
Assert.assertFalse("Protocol " + protocol + " is not allowed",