This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/main by this push:
     new 0625e7ac1 TLS 1.3 requires a call to SSL_CTX_set_ciphersuites to 
configure the permitted ciphers
0625e7ac1 is described below

commit 0625e7ac1ef4bb53dbd543516a2ea8c0e5002895
Author: gastush <[email protected]>
AuthorDate: Mon Dec 8 10:00:40 2025 +0100

    TLS 1.3 requires a call to SSL_CTX_set_ciphersuites to configure the 
permitted ciphers
---
 native/src/sslcontext.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index 4dbac79bf..f41305654 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -518,6 +518,8 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCipherSuite)(TCN_STDARGS, jlong ctx,
     tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
     TCN_ALLOC_CSTRING(ciphers);
     jboolean rv = JNI_TRUE;
+    int minProtoVer = 0;
+    int maxProtoVer = 0;
 #ifndef HAVE_EXPORT_CIPHERS
     size_t len;
     char *buf;
@@ -528,6 +530,9 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCipherSuite)(TCN_STDARGS, jlong ctx,
     if (!J2S(ciphers))
         return JNI_FALSE;
 
+    minProtoVer = SSL_CTX_get_min_proto_version(c->ctx);
+    maxProtoVer = SSL_CTX_get_max_proto_version(c->ctx);
+
 #ifndef HAVE_EXPORT_CIPHERS
     /*
      *  Always disable NULL and export ciphers,
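Review bot: `SSL_CTX_get_max_proto_version()` returns 0 when no maximum has been configured, which OpenSSL treats as "highest supported version", so storing it unmodified in `maxProtoVer` makes the later `maxProtoVer >= TLS1_3_VERSION` test false for a context that can still negotiate TLS 1.3. In that case `SSL_CTX_set_ciphersuites` is skipped and the TLS 1.3 suites stay at the library default instead of the administrator's list. Whether this context always has an explicit maximum is not visible in this hunk; if it can be unset, the test should read `if (maxProtoVer == 0 || maxProtoVer >= TLS1_3_VERSION) {`. The minimum uses the same 0 convention, where `0 <= TLS1_2_VERSION` happens to give the right answer, and a short comment saying so would help. The function starts and ends outside this hunk.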
@@ -540,14 +545,25 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCipherSuite)(TCN_STDARGS, jlong ctx,
     memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, 
strlen(SSL_CIPHERS_ALWAYS_DISABLED));
     memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(ciphers), 
strlen(J2S(ciphers)));
     buf[len - 1] = '\0';
-    if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
 #else
-    if (!SSL_CTX_set_cipher_list(c->ctx, J2S(ciphers))) {
+    buf = (char*)J2S(ciphers);
 #endif
-        char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
-        ERR_error_string_n(SSL_ERR_get(), err, 
TCN_OPENSSL_ERROR_STRING_LENGTH);
-        tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
-        rv = JNI_FALSE;
+    /* OpenSSL will ignore any unknown cipher, but TLS 1.3 requires a call to 
SSL_CTX_set_ciphersuites */
+    if (minProtoVer <= TLS1_2_VERSION) {
+         if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
+            char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+            ERR_error_string_n(SSL_ERR_get(), err, 
TCN_OPENSSL_ERROR_STRING_LENGTH);
+            tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", 
err);
+            rv = JNI_FALSE;
+        }
+    }
+    if (maxProtoVer >= TLS1_3_VERSION) {
+        if (!SSL_CTX_set_ciphersuites(c->ctx, buf)) {
+            char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+            ERR_error_string_n(SSL_ERR_get(), err, 
TCN_OPENSSL_ERROR_STRING_LENGTH);
+            tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", 
err);
+            rv = JNI_FALSE;
+        }       
     }
 #ifndef HAVE_EXPORT_CIPHERS
     free(buf);
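Review bot: The same `buf` is passed to both `SSL_CTX_set_cipher_list` and `SSL_CTX_set_ciphersuites`, but the two calls take different grammars. The second expects a plain colon-separated list of TLS 1.3 suite names, while `buf` in the `#ifndef HAVE_EXPORT_CIPHERS` build starts with `SSL_CIPHERS_ALWAYS_DISABLED` (presumably exclusion rules, going by the comment above it) and may contain only TLS 1.2 names. Depending on the OpenSSL version, a list with no TLS 1.3 name can make the second call return 0, so a previously valid configuration would now return `JNI_FALSE`; a TLS 1.3-only list may similarly fail the first call. Consider passing the caller's string without the prefix, `if (!SSL_CTX_set_ciphersuites(c->ctx, J2S(ciphers))) {`, and stating in the comment which outcome is intended when one family has no match. If both calls fail, `tcn_Throw` runs a second time with an exception presumably already pending, which a `rv == JNI_TRUE` guard on the second block would avoid; the function body begins before and continues after this hunk.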

