remm pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new fd2efc190c Improve warnings on cipher lists
fd2efc190c is described below
commit fd2efc190c4fc8c4bde026f298d598bdb8bfa4cd
Author: remm <[email protected]>
AuthorDate: Sat Dec 13 10:40:48 2025 +0100
Improve warnings on cipher lists
Mirrors change in tomcat-native.
---
.../util/net/openssl/panama/OpenSSLContext.java | 23 +++++++++++++++++-----
webapps/docs/changelog.xml | 4 ++++
2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 177325fb0c..34a07599d7 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -502,17 +502,30 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
openssl_h_Compatibility.SSL_CTX_clear_options(state.sslCtx,
SSL_OP_NO_TICKET());
}
+ boolean ciphersSet = false;
+ String tls12Warning = null;
+ String tls13Warning = null;
// List the ciphers that the client is permitted to negotiate
if (minTlsVersion <= TLS1_2_VERSION()) {
if (SSL_CTX_set_cipher_list(state.sslCtx,
localArena.allocateFrom(sslHostConfig.getCiphers())) <= 0) {
- log.warn(sm.getString("engine.failedCipherList",
sslHostConfig.getCiphers()));
+ tls12Warning = sm.getString("engine.failedCipherList",
sslHostConfig.getCiphers());
+ } else {
+ ciphersSet = true;
}
}
- // Check if the ciphers have been changed from the defaults
- if (maxTlsVersion >= TLS1_3_VERSION() &&
- (sslHostConfig.getCiphers() !=
SSLHostConfig.DEFAULT_TLS_CIPHERS)) {
+ if (maxTlsVersion >= TLS1_3_VERSION()) {
if (SSL_CTX_set_ciphersuites(state.sslCtx,
localArena.allocateFrom(sslHostConfig.getCiphers())) <= 0) {
- log.warn(sm.getString("engine.failedCipherSuite",
sslHostConfig.getCiphers()));
+ tls13Warning = sm.getString("engine.failedCipherSuite",
sslHostConfig.getCiphers());
+ } else {
+ ciphersSet = true;
+ }
+ }
+ if (!ciphersSet) {
+ if (tls12Warning != null) {
+ log.warn(tls12Warning);
+ }
+ if (tls13Warning != null) {
+ log.warn(tls13Warning);
}
}
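Review bot: The `if (!ciphersSet)` block at the end of the hunk drops a captured warning whenever the other protocol's call succeeded, so a failing `SSL_CTX_set_cipher_list` for TLS 1.2 (or `SSL_CTX_set_ciphersuites` for TLS 1.3) is never reported when its counterpart took effect. Because OpenSSL leaves the previously configured list in place when one of these calls fails, an operator who intended to restrict the ciphers for that protocol version would keep running on the context's existing list with nothing in the log. Presumably the suppression is aimed at cipher strings that legitimately name only TLS 1.3 suites or only older ciphers, but that intent is not stated; a comment above the block such as `// Warn only if neither call accepted the configured ciphers; a string naming only TLS 1.3 suites (or none) is expected to fail the other call` would make it explicit, and logging the suppressed message at debug level keeps the noise reduction while leaving a trail for diagnosing a misconfiguration. The enclosing method begins before the hunk.
```java
if (!ciphersSet) {
    // … unchanged: warn-level logging of tls12Warning / tls13Warning …
} else if (log.isDebugEnabled()) {
    // One call accepted the ciphers; keep the other failure visible for diagnosis
    if (tls12Warning != null) {
        log.debug(tls12Warning);
    }
    if (tls13Warning != null) {
        log.debug(tls13Warning);
    }
}
```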
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 90519f3c4b..60a3cd839a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -110,6 +110,10 @@
<fix>
Avoid possible NPEs when using a TLS enabled custom connector. (remm)
</fix>
+ <fix>
+ Improve warnings when setting ciphers lists in the FFM code, mirrorring
+ the tomcat-native changes. (remm)
+ </fix>
</changelog>
</subsection>
</section>