This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new 8af10eb85f OpenSSLConf is not supported by BoringSSL 8af10eb85f is described below commit 8af10eb85f311a58de5ce68317d40211d62095bf Author: remm <r...@apache.org> AuthorDate: Mon Oct 7 13:05:10 2024 +0200 OpenSSLConf is not supported by BoringSSL --- .../util/net/openssl/panama/LocalStrings.properties | 1 + .../util/net/openssl/panama/OpenSSLContext.java | 20 ++++++++++++-------- webapps/docs/changelog.xml | 3 +++ 3 files changed, 16 insertions(+), 8 deletions(-) diff --git a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties index dc6294ff28..7cc6531ec7 100644 --- a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties +++ b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties @@ -83,6 +83,7 @@ opensslconf.finishFailed=OpenSSLConf finish failed with result [{0}] opensslconf.noCommandName=OpenSSLConf no command name - will be ignored (command value [{0}]) opensslconf.resultCommand=OpenSSLConf command (name [{0}], value [{1}]) returned [{2}] opensslconf.unknownCommandType=SSL_CONF command [{0}] type unknown +opensslconf.unsupported=The OpenSSL implementation does not support OpenSSLConf openssllibrary.ciphersFailure=Failed getting cipher list openssllibrary.currentFIPSMode=Current FIPS mode: [{0}] diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java index 29d017f496..1823fd99e9 100644 --- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java +++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java 
@@ -174,14 +174,18 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { if (log.isTraceEnabled()) { log.trace(sm.getString("openssl.makeConf")); } - confCtx = SSL_CONF_CTX_new(); - if (MemorySegment.NULL.equals(confCtx)) { - throw new SSLException(sm.getString("openssl.errMakeConf", OpenSSLLibrary.getLastError())); + if (!openssl_h_Compatibility.BORINGSSL) { + confCtx = SSL_CONF_CTX_new(); + if (MemorySegment.NULL.equals(confCtx)) { + throw new SSLException(sm.getString("openssl.errMakeConf", OpenSSLLibrary.getLastError())); + } + SSL_CONF_CTX_set_flags(confCtx, SSL_CONF_FLAG_FILE() | + SSL_CONF_FLAG_SERVER() | + SSL_CONF_FLAG_CERTIFICATE() | + SSL_CONF_FLAG_SHOW_ERRORS()); + } else { + log.error(sm.getString("opensslconf.unsupported")); } - SSL_CONF_CTX_set_flags(confCtx, SSL_CONF_FLAG_FILE() | - SSL_CONF_FLAG_SERVER() | - SSL_CONF_FLAG_CERTIFICATE() | - SSL_CONF_FLAG_SHOW_ERRORS()); } // SSL protocol @@ -1396,7 +1400,7 @@ public class OpenSSLContext implements org.apache.tomcat.util.net.SSLContext { this.confCtx = confCtx.reinterpret(ValueLayout.ADDRESS.byteSize(), stateArena, (MemorySegment t) -> SSL_CONF_CTX_free(t)); } else { - this.confCtx = null; + this.confCtx = MemorySegment.NULL; } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 3889e502db..e84918a8e5 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -152,6 +152,9 @@ Return null SSL session id on zero length byte array returned from the SSL implementation. (remm) </fix> + <fix> + Skip OpenSSLConf with BoringSSL since it is unsupported. (remm) + </fix> </changelog> </subsection> <subsection name="Jasper"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
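Review bot: The new `else` branch in the first hunk only logs `opensslconf.unsupported` and carries on, so a connector whose OpenSSLConf commands were meant to restrict protocols, ciphers or options would still start on BoringSSL without them. If skipping is the intended behaviour, say so in a comment on the branch, e.g. `// BoringSSL has no SSL_CONF API: configured OpenSSLConf commands are NOT applied, the context keeps its other settings`, and consider having the message state that the configured commands are ignored. If operators should not get a listener that is weaker than configured, fail closed instead with `throw new SSLException(sm.getString("opensslconf.unsupported"));`. The enclosing `if` that decides whether an OpenSSLConf is present starts outside the hunk, so this assumes the branch is reached only when one is configured.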
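Review bot: Replacing `null` with `MemorySegment.NULL` in the second hunk changes what an unset `confCtx` looks like to its readers, so any remaining `confCtx != null` test would now succeed and hand a NULL pointer to the SSL_CONF_* calls. Those readers are not visible in this hunk; presumably each should test with `MemorySegment.NULL.equals(confCtx)`, as the first hunk does, and that is worth confirming for the code paths that check and apply the commands, which will now see NULL on BoringSSL. A comment on the assignment would record the convention: `// NULL segment, never Java null: readers must test MemorySegment.NULL.equals(confCtx)`. The constructor this assignment belongs to starts outside the hunk.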