remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 73d5bfa8bf Update future code
73d5bfa8bf is described below
commit 73d5bfa8bf7217fdba76c2798bd3143d6518c263
Author: remm <[email protected]>
AuthorDate: Fri Oct 6 10:14:45 2023 +0200
Update future code
The idea is to resolve profiles when Java 22 is available.
---
java/org/apache/tomcat/util/net/SSLUtilBase.java | 6 +++---
.../ciphers/OpenSSLCipherConfigurationParser.java | 22 ++++++++++++++++------
2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java
b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index fb8c5558e1..91c2929baa 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -121,9 +121,9 @@ public abstract class SSLUtilBase implements SSLUtil {
sslHostConfig.setTls13RenegotiationAvailable(isTls13RenegAuthAvailable());
// Calculate the enabled ciphers
- if (sslHostConfig.getCiphers().startsWith("PROFILE=")) {
- // OpenSSL profiles
- // TODO: sslHostConfig can query that with Panama, but skip for now
+ if (/*!JreCompat.isJre22Available() &&
*/sslHostConfig.getCiphers().startsWith("PROFILE=")) {
+ // OpenSSL profiles cannot be resolved without Java 22
+ // TODO: sslHostConfig should query that with Panama if possible
this.enabledCiphers = new String[0];
} else {
boolean warnOnSkip =
!sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS);
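Review bot: The `PROFILE=` branch sets `this.enabledCiphers = new String[0];` without logging anything, so an operator who configured an OpenSSL profile gets no sign on this path that the cipher policy was left unresolved. A warning here that names the configured value would make that visible. The half-commented condition `/*!JreCompat.isJre22Available() && */` inside the `if` is also easy to misread, and would sit better in the TODO comment until it can be enabled. Once it is enabled, Java 22 without an initialised OpenSSL library would presumably send the literal `PROFILE=...` string into the `else` branch; what the parser does with it is not visible here, so confirm it cannot yield an unintended cipher set. The enclosing method starts and ends outside the hunk.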
diff --git
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 90d0eaca7e..2599bf24c2 100644
---
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -715,12 +715,22 @@ public class OpenSSLCipherConfigurationParser {
// Handle PROFILE= using OpenSSL (if present, otherwise warn), then
replace elements with that
if (elements.length == 1 && elements[0].startsWith("PROFILE=")) {
// Only use with Panama and if OpenSSL has been successfully
loaded before
- /* FIXME: Merge OpenSSL code first
- if (JreCompat.isJre22Available() &&
OpenSSLStatus.isLibraryInitialized()) {
- List<String> cipherList =
OpenSSLLibrary.findCiphers(elements[0]);
- // Replace the original list with the profile contents
- elements = cipherList.toArray(new String[0]);
- }*/
+ /* FIXME: Merge OpenSSL Panama code
+ if (JreCompat.isJre22Available()) {
+ if (OpenSSLStatus.isLibraryInitialized()) {
+ List<String> cipherList =
OpenSSLLibrary.findCiphers(elements[0]);
+ // Replace the original list with the profile contents
+ elements = cipherList.toArray(new String[0]);
+ } else {
+ // OpenSSL is not available
+
log.error(sm.getString("opensslCipherConfigurationParser.unknownProfile",
elements[0]));
+ }
+ } else {
+ // No way to resolve using OpenSSL, log an info about this
+ // but it might still work if using tomcat-native
+
log.info(sm.getString("opensslCipherConfigurationParser.unknownProfile",
elements[0]));
+ }
+ */
}
LinkedHashSet<Cipher> ciphers = new LinkedHashSet<>();
Set<Cipher> removedCiphers = new HashSet<>();
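Review bot: In the drafted block, both failure paths log and then fall through, so `elements` still holds the unresolved `PROFILE=...` token when it reaches the parsing that starts at `LinkedHashSet<Cipher> ciphers`. How that token is treated is not visible here, so the draft should make the outcome explicit (for example, return an empty result) rather than depend on downstream behaviour. The result of `OpenSSLLibrary.findCiphers(elements[0])` is also used unchecked, and an empty list would replace `elements` with a zero-length array; a guard such as `if (!cipherList.isEmpty())` before the `toArray` assignment, or a log line for that case, would help. Both branches reuse the message key `opensslCipherConfigurationParser.unknownProfile`, so the log cannot distinguish "OpenSSL not initialised" from "Java 22 not available"; separate keys would make misconfiguration easier to diagnose. The enclosing method starts and ends outside the hunk.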