This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 790b5eecaa18e4d636de69c8045e44acaff262ea
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Nov 1 20:13:31 2023 +0000

    Fix BZ 67628 - Improve description of ciphers
    
    Also improve associated log message
---
 java/org/apache/tomcat/util/net/LocalStrings.properties  |  2 +-
 .../apache/tomcat/util/net/LocalStrings_ja.properties    |  1 -
 .../apache/tomcat/util/net/LocalStrings_ko.properties    |  1 -
 webapps/docs/changelog.xml                               |  4 ++++
 webapps/docs/config/http.xml                             | 16 ++++++++++++----
 5 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties 
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index d8e0d6ea29..a0b212fc22 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -182,7 +182,7 @@ sslUtilBase.noCrlSupport=The truststoreProvider [{0}] does 
not support the certi
 sslUtilBase.noKeys=No aliases for private keys found in key store
 sslUtilBase.noVerificationDepth=The truststoreProvider [{0}] does not support 
the certificateVerificationDepth configuration option
 sslUtilBase.noneSupported=None of the [{0}] specified are supported by the SSL 
engine : [{1}]
-sslUtilBase.skipped=Some of the specified [{0}] are not supported by the SSL 
engine and have been skipped: [{1}]
+sslUtilBase.skipped=Tomcat interprets the [{0}] attribute in a manner 
consistent with the latest OpenSSL development branch. Some of the specified 
[{0}] are not supported by the configured SSL engine for this connector (which 
may use JSSE or an older OpenSSL version) and have been skipped: [{1}]
 sslUtilBase.ssl3=SSLv3 has been explicitly enabled. This protocol is known to 
be insecure.
 sslUtilBase.tls13.auth=The JSSE TLS 1.3 implementation does not support post 
handshake authentication (PHA) and is therefore incompatible with optional 
certificate authentication
 sslUtilBase.trustedCertNotChecked=The validity dates of the trusted 
certificate with alias [{0}] were not checked as the certificate was of an 
unknown type
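Review bot: the replacement sslUtilBase.skipped text says the connector's engine "may use JSSE or an older OpenSSL version" but never tells the operator which one this connector is actually running, so whoever reads the WARNING still has to establish that before they can trim the ciphers attribute; consider passing the implementation in use as a third placeholder, e.g. `... not supported by the configured SSL engine [{2}] for this connector and have been skipped: [{1}]`. It would also help to state the remedy the http.xml text gives (configure an explicit list of ciphers the implementation supports), since the log line is what most admins see first.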
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties 
b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
index e0c9ece8a4..e2e86be619 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_ja.properties
@@ -178,7 +178,6 @@ sslUtilBase.noCrlSupport=トラストストアプロバイダー [{0}] は設定
 sslUtilBase.noKeys=キーストアで見つかった秘密キーのエイリアスがありません。
 sslUtilBase.noVerificationDepth=トラストストアプロバイダー [{0}] は設定項目 
certificateVerificationDepth に未対応です。
 sslUtilBase.noneSupported=指定された [{0}] のどれもSSLエンジンでサポートされていません: [{1}]
-sslUtilBase.skipped=指定された [{0}] の一部はSSLエンジンでサポートされておらず、スキップされています: [{1}]
 sslUtilBase.ssl3=SSLv3 が明示的に有効化化されています。このプロトコルは安全ではありません。
 sslUtilBase.tls13.auth=JSSE TLS 
1.3実装は、初期ハンドシェイク後の認証をサポートしていないため、オプションのクライアント認証と互換性がありません。
 sslUtilBase.trustedCertNotChecked=エイリアス [{0}] 
を持つ信頼できる証明書の有効期限は、証明書が不明な型であるためチェックされませんでした
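Review bot: this hunk deletes the Japanese sslUtilBase.skipped entry instead of updating it, so Japanese-locale installations will fall back to the English base bundle for this warning. That is reasonable given the English text changed substantially rather than cosmetically, but the removal should be tracked so the translation is re-added rather than silently lost; the same applies to the LocalStrings_ko.properties hunk below.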
diff --git a/java/org/apache/tomcat/util/net/LocalStrings_ko.properties 
b/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
index efa977a34d..146f831044 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings_ko.properties
@@ -173,7 +173,6 @@ sslUtilBase.noCrlSupport=truststoreProvider [{0}]은(는) 
certificateRevocationF
 sslUtilBase.noKeys=개인 키들에 대한 별칭들이 키 저장소에 없습니다.
 sslUtilBase.noVerificationDepth=truststoreProvider [{0}]은(는) 
certificateVerificationDepth 설정 옵션을 지원하지 않습니다.
 sslUtilBase.noneSupported=지정된 [{0}]의 어느 것도 SSL 엔진에 의해 지원되지 않습니다: [{1}]
-sslUtilBase.skipped=지정된 [{0}]의 일부가 SSL 엔진에 의해 지원되지 않아 건너뜁니다: [{1}]
 sslUtilBase.ssl3=SSLv3이 명시적으로 사용 가능 상태로 설정되었습니다. 이 프로토콜은 안전하지 않은 것으로 알려져 있습니다.
 sslUtilBase.tls13.auth=JSSE TLS 1.3 구현이 초기 handshake 이후의 인증을 지원하지 않음에 따라, 
선택사항인 클라이언트 인증과 호환되지 않습니다.
 sslUtilBase.trustedCertNotChecked=인증서가 알 수 없는 타입이라서, 별칭이 [{0}]인 신뢰되는 인증서의 
유효일자들이 점검되지 않았습니다.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c7e9a0e77a..04453572ee 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -145,6 +145,10 @@
         automatically call
         <code>setCertificateKeystoreType(ks.getType())</code>. (markt)
       </add>
+      <fix>
+        <bug>67628</bug>: Clarify how the <code>ciphers</code> attribute of the
+        <code>SSLHostConfig</code> is used. (markt)
+      </fix>
       <fix>
         <bug>67666</bug>: Ensure TLS connectors using PEM files either work 
with
         the <code>TLSCertificateReloadListener</code> or, in the rare case that
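Review bot: the new changelog entry only records the documentation clarification, while the commit message and the LocalStrings hunk also rewrite the sslUtilBase.skipped warning; consider extending the entry so operators who notice a changed log line between versions can find the reason, e.g. `... is used and improve the warning logged when unsupported ciphers are skipped. (markt)`.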
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index bc76a13f8c..8372bc2648 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1328,11 +1328,19 @@
       documentation for the list of ciphers supported and the syntax).
       Alternatively, a comma separated list of ciphers using the standard
       OpenSSL cipher names or the standard JSSE cipher names may be used.</p>
-      <p>When converting from OpenSSL syntax to JSSE ciphers for JSSE based
-      connectors, the behaviour of the OpenSSL syntax parsing is kept aligned
-      with the behaviour of the OpenSSL 1.1.0 development branch.</p>
+      <p>Different versions of OpenSSL may interpret the same cipher string
+      differently. For example, the <code>CCM8</code> ciphers were moved from
+      <code>HIGH</code> to <code>MEDIUM</code> in OpenSSL 3.2. Regardless of
+      the OpenSSL or JSSE version used, Tomcat converts the provided cipher
+      value to a list of ciphers in a manner consistent with the latest OpenSSL
+      development branch. This list of ciphers is then passed to the SSL
+      implementation.</p>
       <p>Only the ciphers that are supported by the SSL implementation will be
-      used.</p>
+      used. Any ciphers in the list derived from a non-default cipher string
+      that are not supported by the SSL implementation will be logged in a
+      <code>WARNING</code> message when the Connector starts. The warning can 
be
+      avoided by providing an explicit list of ciphers that are supported by 
the
+      configured SSL implementation.</p>
       <p>If not specified, a default (using the OpenSSL notation) of
       <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA</code> will be
       used.</p>
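Review bot: "consistent with the latest OpenSSL development branch" is a moving target for readers of a given release; consider naming the OpenSSL version the cipher parser tracked at the time of this change so admins can reproduce the expansion locally with `openssl ciphers -v '<string>'` and compare it with what the connector logs. The CCM8 example is also worth carrying to its consequence: because the documented default string begins with `HIGH`, the CCM8 suites drop out of the default list under the OpenSSL 3.2 classification even on connectors backed by an older OpenSSL build. Finally, "derived from a non-default cipher string" implies the default string never triggers the WARNING; saying that explicitly would answer the obvious follow-up question.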

