Thank you Mark!
On 05.12.22 at 16:01, Mark Thomas wrote:
Fixed.
The changes are in the current OpenSSL main development branch which
(currently) is configured to be 3.2.x.
Mark
On 05/12/2022 11:16, Rainer Jung wrote:
Hi there,
the following tests fail for me when using tcnative 2.0.2 built
against OpenSSL 3.1.0-alpha1:
testHIGH: Expected 127 ciphers but got 137 for the specification 'HIGH'
testMEDIUM: Expected 10 ciphers but got 0 for the specification 'MEDIUM'
testSpecification01: Expected 115 ciphers but got 125 for the specification 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5'
In all three cases the reason seems to be that the following ciphers
have moved from MEDIUM to HIGH:
TLS_DHE_RSA_WITH_AES_128_CCM_8
TLS_DHE_RSA_WITH_AES_256_CCM_8
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
TLS_PSK_DHE_WITH_AES_128_CCM_8
TLS_PSK_DHE_WITH_AES_256_CCM_8
TLS_PSK_WITH_AES_128_CCM_8
TLS_PSK_WITH_AES_256_CCM_8
TLS_RSA_WITH_AES_128_CCM_8
TLS_RSA_WITH_AES_256_CCM_8
I could verify this by running:
/path/to/openssl301/bin/openssl ciphers -v HIGH|grep 'CCM8'|sort
AES128-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
AES256-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
DHE-PSK-AES128-CCM8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(128) Mac=AEAD
DHE-PSK-AES256-CCM8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES128-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
PSK-AES128-CCM8 TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM8(128) Mac=AEAD
PSK-AES256-CCM8 TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM8(256) Mac=AEAD
It seems these are the same ciphers that changed from MEDIUM to HIGH.
Our change lowering those ciphers to MEDIUM in our code was
https://github.com/apache/tomcat/commit/4e20c36e399a61ad173f850fcb7acc863ea4b076
which seems to have been triggered by the OpenSSL changes
https://github.com/openssl/openssl/commit/1a473d1cc67e04ae9fea517b36dc332143250cf5
https://github.com/openssl/openssl/commit/56ffcce492ffc6f36b2f0d9431e23febe054dd04
https://github.com/openssl/openssl/commit/e07102220afe4059bc45aa3d7073b7678329e26e
But these changes on the OpenSSL main branch are not part of the 3.1
branch.
Best regards,
Rainer
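The check Rainer did by hand (list a strength keyword with `openssl ciphers -v`, see which suites landed where) can be turned into a regression script that compares two OpenSSL builds and reports every suite whose keyword changed. The following is an added example written for this thread; it is not code from Tomcat, tcnative or OpenSSL. It parses the verbose `openssl ciphers -v` line format shown above, and the two listings embedded in it are constructed from the suites named in the mail (the HIGH-only GCM suites and the "old" OpenSSL 3.0 placement of the CCM8 suites under MEDIUM are assumptions for the demo, not captured output). The `openssl_bin` paths in `run_openssl_ciphers` are likewise placeholders.

```python
"""Detect cipher-strength reclassification between two `openssl ciphers -v` listings.

Added example for the tcnative/OpenSSL 3.1 thread: parses verbose cipher
listings, maps each suite to the strength keyword (HIGH/MEDIUM/...) it was
listed under, and reports suites whose keyword differs between an old and a
new build. The sample listings at the bottom are constructed, not captured.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# One line of `openssl ciphers -v`: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class Cipher:
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    mac: str


def parse_ciphers_v(text: str) -> Dict[str, Cipher]:
    """Parse a verbose listing into {suite name: Cipher}; blank/unknown lines are skipped."""
    suites: Dict[str, Cipher] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites[m["name"]] = Cipher(**m.groupdict())
    return suites


def run_openssl_ciphers(openssl_bin: str, spec: str) -> Dict[str, Cipher]:
    """Live variant: run `<openssl_bin> ciphers -v <spec>` (openssl_bin is a caller-supplied path)."""
    proc = subprocess.run([openssl_bin, "ciphers", "-v", spec],
                          check=True, capture_output=True, text=True)
    return parse_ciphers_v(proc.stdout)


def level_map(by_keyword: Dict[str, Dict[str, Cipher]]) -> Dict[str, str]:
    """Invert {keyword: listing} into {suite: keyword}."""
    levels: Dict[str, str] = {}
    for keyword, listing in by_keyword.items():
        for name in listing:
            levels[name] = keyword
    return levels


def reclassified(old: Dict[str, str], new: Dict[str, str]
                 ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Suites whose keyword differs between builds; None means 'not listed under any keyword'."""
    return {name: (old.get(name), new.get(name))
            for name in set(old) | set(new)
            if old.get(name) != new.get(name)}


def short_tag_aead(listing: Dict[str, Cipher]) -> Set[str]:
    """Suites with an 8-byte (64-bit) AEAD tag, recognised by Enc=AESCCM8(...)."""
    return {n for n, c in listing.items() if c.enc.startswith("AESCCM8(")}


# Constructed sample data (assumed placements, modelled on the thread's output).
GCM_SUITES = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""
CCM8_SUITES = """\
AES128-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
AES256-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
DHE-PSK-AES128-CCM8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(128) Mac=AEAD
DHE-PSK-AES256-CCM8 TLSv1.2 Kx=DHEPSK Au=PSK Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES128-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
PSK-AES128-CCM8 TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM8(128) Mac=AEAD
PSK-AES256-CCM8 TLSv1.2 Kx=PSK Au=PSK Enc=AESCCM8(256) Mac=AEAD
"""
OLD_BUILD = {"HIGH": parse_ciphers_v(GCM_SUITES), "MEDIUM": parse_ciphers_v(CCM8_SUITES)}
NEW_BUILD = {"HIGH": parse_ciphers_v(GCM_SUITES + CCM8_SUITES), "MEDIUM": parse_ciphers_v("")}


def demo_changes() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Diff the two constructed builds; returns the suites that moved keyword."""
    return reclassified(level_map(OLD_BUILD), level_map(NEW_BUILD))


if __name__ == "__main__":
    for name, (was, now) in sorted(demo_changes().items()):
        print(f"{name}: {was} -> {now}")
```

For a real comparison, replace the constructed listings with `run_openssl_ciphers("/path/to/openssl-old/bin/openssl", "HIGH")` and the same for MEDIUM on the new build; a non-empty result from `reclassified` is exactly the drift that made the tcnative counts change.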
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org