This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
     new a56d2e0fbf Backport OpenSSL PROFILE= FFM processing
a56d2e0fbf is described below

commit a56d2e0fbf632e1ba4a09d652d242bfcba00a74e
Author: remm <r...@apache.org>
AuthorDate: Fri Mar 21 10:04:57 2025 +0100

    Backport OpenSSL PROFILE= FFM processing

    Fix Panama reflection call. A few typos as well.
---
 java/org/apache/tomcat/util/net/SSLUtilBase.java   |  6 +--
 .../ciphers/OpenSSLCipherConfigurationParser.java  | 47 +++++++++++++++++-----
 webapps/docs/changelog.xml                         |  4 ++
 3 files changed, 45 insertions(+), 12 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index f2711f8655..7bbe960439 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -59,6 +59,7 @@ import javax.net.ssl.X509KeyManager;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.file.ConfigFileLoader;
 import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
 import org.apache.tomcat.util.net.jsse.PEMFile;
@@ -125,9 +126,8 @@ public abstract class SSLUtilBase implements SSLUtil {
         sslHostConfig.setTls13RenegotiationAvailable(isTls13RenegAuthAvailable());
         // Calculate the enabled ciphers
-        if (sslHostConfig.getCiphers().startsWith("PROFILE=")) {
-            // OpenSSL profiles
-            // TODO: sslHostConfig can query that with Panama, but skip for now
+        if (!JreCompat.isJre22Available() && sslHostConfig.getCiphers().startsWith("PROFILE=")) {
+            // OpenSSL profiles cannot be resolved without Java 22
             this.enabledCiphers = new String[0];
         } else {
             boolean warnOnSkip = !sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS);
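Review bot: The new guard in SSLUtilBase tests `startsWith("PROFILE=")` on the whole cipher string, while the parser hunk in OpenSSLCipherConfigurationParser.parse only resolves a profile when the expression splits to exactly one element, so a value such as `PROFILE=SYSTEM:!aNULL` is treated as a profile here (empty enabled list below Java 22) but handed to the ordinary alias loop there. Keying both sites on one predicate would avoid the drift, e.g. a small proposed helper in the parser used as `if (!JreCompat.isJre22Available() && OpenSSLCipherConfigurationParser.isProfile(sslHostConfig.getCiphers())) {`. The replaced comment could also say what this branch relies on, since the parser hunk notes that tomcat-native may still interpret the profile: `// OpenSSL profiles cannot be resolved in Java below 22; leave the list empty and let the native library interpret the profile string`. The enclosing method starts before this hunk and continues past it.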
diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 4a329aec89..58a5d441f6 100644
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -30,7 +30,10 @@ import java.util.Set;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.Constants;
+import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
 import org.apache.tomcat.util.res.StringManager;
 /**
@@ -87,7 +90,7 @@ public class OpenSSLCipherConfigurationParser {
      */
     private static final String HIGH = "HIGH";
     /**
-     * 'medium' encryption cipher suites, currently some of those using 128 bit encryption.
+     * 'medium' encryption cipher suites, currently some of those using 128-bit encryption.
      */
     private static final String MEDIUM = "MEDIUM";
     /**
@@ -170,7 +173,7 @@ public class OpenSSLCipherConfigurationParser {
      */
     private static final String EECDH = "EECDH";
     /**
-     * Cipher suitesusing ECDH key exchange, including anonymous, ephemeral and fixed ECDH.
+     * Cipher suites using ECDH key exchange, including anonymous, ephemeral and fixed ECDH.
      */
     private static final String ECDH = "ECDH";
     /**
@@ -234,15 +237,15 @@ public class OpenSSLCipherConfigurationParser {
      */
     private static final String ADH = "ADH";
     /**
-     * Cipher suites using 128 bit AES.
+     * Cipher suites using 128-bit AES.
      */
     private static final String AES128 = "AES128";
     /**
-     * Cipher suites using 256 bit AES.
+     * Cipher suites using 256-bit AES.
      */
     private static final String AES256 = "AES256";
     /**
-     * Cipher suites using either 128 or 256 bit AES.
+     * Cipher suites using either 128 or 256-bit AES.
      */
     private static final String AES = "AES";
     /**
@@ -347,7 +350,7 @@ public class OpenSSLCipherConfigurationParser {
      */
     private static final String aGOST94 = "aGOST94";
     /**
-     * Cipher suites using using VKO 34.10 key exchange, specified in the RFC 4357.
+     * Cipher suites using VKO 34.10 key exchange, specified in the RFC 4357.
      */
     private static final String kGOST = "kGOST";
     /**
@@ -642,7 +645,7 @@ public class OpenSSLCipherConfigurationParser {
         moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.RSA)));
         moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.PSK)));
-        /* RC4 is sort-of broken -- move the the end */
+        /* RC4 is sort-of broken -- move to the end */
         moveToEnd(result, filterByEncryption(result, Collections.singleton(Encryption.RC4)));
         return strengthSort(result);
     }
@@ -712,6 +715,32 @@ public class OpenSSLCipherConfigurationParser {
             init();
         }
         String[] elements = expression.split(SEPARATOR);
+        // Handle PROFILE= using OpenSSL (if present, otherwise warn), then replace elements with that
+        if (elements.length == 1 && elements[0].startsWith("PROFILE=")) {
+            // Only use with Java 22 and if OpenSSL has been successfully loaded before
+            if (JreCompat.isJre22Available()) {
+                if (OpenSSLStatus.isLibraryInitialized()) {
+                    try {
+                        Class<?> openSSLLibraryClass = Class.forName("org.apache.tomcat.util.net.openssl.panama.OpenSSLLibrary");
+                        @SuppressWarnings("unchecked")
+                        List<String> cipherList = (List<String>) openSSLLibraryClass.getMethod("findCiphers", String.class).invoke(null, elements[0]);
+                        // Replace the original list with the profile contents
+                        elements = cipherList.toArray(new String[0]);
+                    } catch (Throwable t) {
+                        Throwable throwable = ExceptionUtils.unwrapInvocationTargetException(t);
+                        ExceptionUtils.handleThrowable(throwable);
+                        log.error(sm.getString("opensslCipherConfigurationParser.unknownProfile", elements[0]), throwable);
+                    }
+                } else {
+                    // OpenSSL is not available
+                    log.error(sm.getString("opensslCipherConfigurationParser.unknownProfile", elements[0]));
+                }
+            } else {
+                // No way to resolve using OpenSSL, log an info about this,
+                // but it might still work if using tomcat-native
+                log.info(sm.getString("opensslCipherConfigurationParser.unknownProfile", elements[0]));
+            }
+        }
         LinkedHashSet<Cipher> ciphers = new LinkedHashSet<>();
         Set<Cipher> removedCiphers = new HashSet<>();
         for (String element : elements) {
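Review bot: All three failure paths in the new block log the same `opensslCipherConfigurationParser.unknownProfile` message and then fall through with `elements` still holding the literal `PROFILE=...` token, so the loop below receives a name that is not a cipher alias and the caller proceeds with whatever that yields, with a log line as the only signal; what parse does with an unrecognised token is outside the hunk, but for a TLS cipher configuration an error that still starts the connector is the wrong default. For the two Java 22 branches, where the administrator asked for a profile and resolution was expected to work, failing fast seems preferable if parse's callers tolerate it, e.g. `throw new IllegalArgumentException(sm.getString("opensslCipherConfigurationParser.unknownProfile", elements[0]), throwable);` in the catch and the equivalent without a cause in the `isLibraryInitialized()` else branch. The "OpenSSL is not available" case is also not an unknown profile; a separate message key naming the real condition would make the log actionable. The enclosing parse method starts before this hunk and continues past it.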
@@ -835,9 +864,9 @@ public class OpenSSLCipherConfigurationParser {
     }
     public static void usage() {
-        System.out.println("Usage: java " + OpenSSLCipherConfigurationParser.class.getName() + " [options] cipherspec");
+        System.out.println("Usage: java " + OpenSSLCipherConfigurationParser.class.getName() + " [options] cipher spec");
         System.out.println();
-        System.out.println("Displays the TLS cipher suites matching the cipherspec.");
+        System.out.println("Displays the TLS cipher suites matching the cipher spec.");
         System.out.println();
         System.out.println(" --help,");
         System.out.println(" -h Print this help message");
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f58a1e5437..dba99bd9b9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -156,6 +156,10 @@
       <fix>
         Improve handling of unexpected errors during HTTP/2 processing. (markt)
       </fix>
+      <fix>
+        Add missing code to process an OpenSSL profile, such as
+        <code>PROFILE=SYSTEM</code>, using FFM. (remm)
+      </fix>
     </changelog>
   </subsection>
 </section>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org