-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 11/5/18 17:32, Mark Thomas wrote:
> On 05/11/2018 19:48, Christopher Schultz wrote:
>> On 11/5/18 13:05, Rainer Jung wrote:
>>> Am 05.11.2018 um 18:44 schrieb Christopher Schultz:
> 
> <snip/>
> 
>>>> What am I missing, here?
>> 
>>> Try setting test.openssl.path in build.properties to the full
>>> path to the openssl binary (.../bin/openssl).
>> 
>>> See r1614560 and r1614587.
>> 
>> Aha! That was it!
>> 
>> I was confused because I was thinking that the version was being 
>> properly-detected by Tomcat. But the tests were using the
>> "openssl ciphers" command to pull the lists of ciphers instead of
>> doing it using JNI.
>> 
>> Would it be worth it to use JNI to pull-back the list of
>> supported ciphers instead of running an external command?
> 
> The purpose of the tests is to ensure that the Tomcat code that 
> replicates OpenSSL's cipher selection behaves the same way as the
> latest OpenSSL code. I don't see that it matters whether we
> determine the OpenSSL behaviour via an external command or JNI.
> 
> The upside is more consistent tests and one less build parameter
> to configure.

It also reduces potential confusion and unexpected failure. I didn't
realize that the unit tests were launching "openssl" using the default
shell PATH (which in my case obviously was running libressl's
utility), and so there was confusion between the JVM's view of the
world (through java.library.path) and Process.exec()'s view of the
world (through $PATH).

That may be splitting hairs mentioning that effect, but it's quite a
thick piece of hair IMO.

> The downside is APR/native becomes required for those tests.
> Running those tests for all three connectors is fairly pointless so
> only running them with APR might be an upside.
> 
> I haven't checked to see if the API we'd need to use is accessible
> via the current JNI API or whether we'd need to extend it.
> 
> Is it worth it? For me this is in the category of it looks to be
> a worthwhile itch to scratch if someone wants to scratch it.

I'll have a look at what is available and what must be available in
order to support it. On the up-side, the source code for the "ciphers"
command[1] is mercifully short and easy to understand.

- -chris

[1] https://github.com/openssl/openssl/blob/master/apps/ciphers.c
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
-----END PGP SIGNATURE-----
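
The mismatch described in this message, as an added example that is not part of the original thread or of Tomcat's code: a shell check that reports which toolkit the "openssl" binary a test would launch really is, resolved either through $PATH or through an explicit path such as the one given to test.openssl.path. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: identify the toolkit behind the command-line "openssl"
# before trusting the output of "openssl ciphers" in a test run.

# classify_version: map the first line of "<binary> version" to a toolkit name.
classify_version() {
    case "$1" in
        LibreSSL*) echo libressl ;;
        OpenSSL*)  echo openssl ;;
        *)         echo unknown ;;
    esac
}

# resolve_openssl: print the path of the binary that would be executed.
# $1 = explicit path (the role test.openssl.path plays in build.properties);
# empty means "whatever $PATH finds first", the situation in the thread.
resolve_openssl() {
    if [ -n "$1" ]; then
        [ -x "$1" ] || return 1
        printf '%s\n' "$1"
    else
        command -v openssl || return 1
    fi
}

# check_openssl: $1 = expected toolkit, $2 = optional explicit path.
# Prints "<path> <toolkit> <version line>"; returns 0 only when they match.
check_openssl() {
    expected=$1
    bin=$(resolve_openssl "${2:-}") || {
        echo "no usable openssl binary found" >&2
        return 2
    }
    line=$("$bin" version 2>/dev/null | head -n 1)
    actual=$(classify_version "$line")
    printf '%s %s %s\n' "$bin" "$actual" "$line"
    [ "$actual" = "$expected" ]
}

# Stand-alone use: ./check.sh openssl [/full/path/to/bin/openssl]
if [ "$#" -gt 0 ]; then
    check_openssl "$@"
fi
```

Run with only the expected toolkit name, it reports what $PATH resolves to; given a full path as the second argument, it checks that binary instead.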
