Please let's not use the term Panama anymore; it is the same situation as with Jigsaw. Both were working titles, and the official name is the Java FFM API. Even JEP 442 no longer mentions the term.
On 2023/10/06 08:15:09 r...@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> remm pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/main by this push:
> new 73d5bfa8bf Update future code
> 73d5bfa8bf is described below
>
> commit 73d5bfa8bf7217fdba76c2798bd3143d6518c263
> Author: remm <r...@apache.org>
> AuthorDate: Fri Oct 6 10:14:45 2023 +0200
>
> Update future code
>
> The idea is to resolve profiles when Java 22 is available.
> ---
> java/org/apache/tomcat/util/net/SSLUtilBase.java | 6 +++---
> .../ciphers/OpenSSLCipherConfigurationParser.java | 22
> ++++++++++++++++------
> 2 files changed, 19 insertions(+), 9 deletions(-)
>
> diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java
> b/java/org/apache/tomcat/util/net/SSLUtilBase.java
> index fb8c5558e1..91c2929baa 100644
> --- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
> +++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
> @@ -121,9 +121,9 @@ public abstract class SSLUtilBase implements SSLUtil {
>
> sslHostConfig.setTls13RenegotiationAvailable(isTls13RenegAuthAvailable());
>
> // Calculate the enabled ciphers
> - if (sslHostConfig.getCiphers().startsWith("PROFILE=")) {
> - // OpenSSL profiles
> - // TODO: sslHostConfig can query that with Panama, but skip for
> now
> + if (/*!JreCompat.isJre22Available() &&
> */sslHostConfig.getCiphers().startsWith("PROFILE=")) {
> + // OpenSSL profiles cannot be resolved without Java 22
> + // TODO: sslHostConfig should query that with Panama if possible
> this.enabledCiphers = new String[0];
> } else {
> boolean warnOnSkip =
> !sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS);
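Review bot: The rewritten comment in the `PROFILE=` branch says profiles cannot be resolved without Java 22, but the `JreCompat.isJre22Available()` test is still commented out inside the `if` expression, so the branch runs on every Java version and sets `enabledCiphers` to an empty array without logging anything. An operator who configured a `PROFILE=` cipher string gets no indication at this point that the profile was not applied; what an empty cipher array means for the resulting TLS configuration is decided outside the hunk and should be confirmed. I would keep the condition as plain `if (sslHostConfig.getCiphers().startsWith("PROFILE=")) {`, move the disabled check into a comment such as `// TODO: gate on JreCompat.isJre22Available() once profile resolution is merged`, and log a warning in the branch. The enclosing method starts and ends outside the hunk.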
> diff --git
> a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
>
> b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
> index 90d0eaca7e..2599bf24c2 100644
> ---
> a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
> +++
> b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
> @@ -715,12 +715,22 @@ public class OpenSSLCipherConfigurationParser {
> // Handle PROFILE= using OpenSSL (if present, otherwise warn), then
> replace elements with that
> if (elements.length == 1 && elements[0].startsWith("PROFILE=")) {
> // Only use with Panama and if OpenSSL has been successfully
> loaded before
> - /* FIXME: Merge OpenSSL code first
> - if (JreCompat.isJre22Available() &&
> OpenSSLStatus.isLibraryInitialized()) {
> - List<String> cipherList =
> OpenSSLLibrary.findCiphers(elements[0]);
> - // Replace the original list with the profile contents
> - elements = cipherList.toArray(new String[0]);
> - }*/
> + /* FIXME: Merge OpenSSL Panama code
> + if (JreCompat.isJre22Available()) {
> + if (OpenSSLStatus.isLibraryInitialized()) {
> + List<String> cipherList =
> OpenSSLLibrary.findCiphers(elements[0]);
> + // Replace the original list with the profile contents
> + elements = cipherList.toArray(new String[0]);
> + } else {
> + // OpenSSL is not available
> +
> log.error(sm.getString("opensslCipherConfigurationParser.unknownProfile",
> elements[0]));
> + }
> + } else {
> + // No way to resolve using OpenSSL, log an info about this
> + // but it might still work if using tomcat-native
> +
> log.info(sm.getString("opensslCipherConfigurationParser.unknownProfile",
> elements[0]));
> + }
> + */
> }
> LinkedHashSet<Cipher> ciphers = new LinkedHashSet<>();
> Set<Cipher> removedCiphers = new HashSet<>();
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
> > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
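Review bot: The `PROFILE=` branch in OpenSSLCipherConfigurationParser still contains no executable statement, because everything added sits inside the `/* FIXME … */` block, so a lone `PROFILE=` element continues unchanged into the cipher parsing below without any log line. In the staged code both failure paths reuse `opensslCipherConfigurationParser.unknownProfile`, once at error and once at info level, although the causes differ (OpenSSL not initialised versus no Java 22), and neither path returns or replaces `elements`. For a TLS cipher setting, an unresolved profile should end in a clearly reported, fail-closed result rather than whatever the parser makes of the literal string; how the rest of the method treats it is outside the hunk and should be checked. I would give the two cases distinct message keys and add a comment such as `// Unresolved profile: elements still holds the literal PROFILE= string` ahead of the fall-through.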