Author: markt Date: Thu Mar 3 11:06:58 2016 New Revision: 1733444 URL: http://svn.apache.org/viewvc?rev=1733444&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59081 Retain the user-defined cipher order when defining ciphers with OpenSSL format
Modified:
    tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
    tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1733444&r1=1733443&r2=1733444&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java Thu Mar 3 11:06:58 2016
@@ -491,7 +491,7 @@ public class OpenSSLCipherConfigurationP
 // Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2
 addListAlias(DEFAULT, parse("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2:!DES:!RC2:!RC4"));
 // COMPLEMENTOFDEFAULT is also not exactly as defined by the docs
- Set<Cipher> complementOfDefault = filterByKeyExchange(all, new HashSet<>(Arrays.asList(KeyExchange.EDH,KeyExchange.EECDH)));
+ LinkedHashSet<Cipher> complementOfDefault = filterByKeyExchange(all, new HashSet<>(Arrays.asList(KeyExchange.EDH,KeyExchange.EECDH)));
 complementOfDefault = filterByAuthentication(complementOfDefault, Collections.singleton(Authentication.aNULL));
 complementOfDefault.removeAll(aliases.get(eNULL));
 complementOfDefault.addAll(aliases.get(Constants.SSL_PROTO_SSLv2));
@@ -499,6 +499,7 @@ public class OpenSSLCipherConfigurationP
 complementOfDefault.addAll(aliases.get(DES));
 complementOfDefault.addAll(aliases.get(RC2));
 complementOfDefault.addAll(aliases.get(RC4));
+ defaultSort(complementOfDefault);
 addListAlias(COMPLEMENTOFDEFAULT, complementOfDefault);
 }
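Review bot: The added `defaultSort(complementOfDefault);` discards its return value, while the visible part of defaultSort (hunk @@ -560) assembles the preferred order in a fresh `result` set and never reorders its `ciphers` argument, so the next line registers COMPLEMENTOFDEFAULT in the unsorted order unless the tail of defaultSort outside that hunk mutates its input. The registration should use the returned set, `addListAlias(COMPLEMENTOFDEFAULT, defaultSort(complementOfDefault));`, or assign the result back to `complementOfDefault` first. Since parse() no longer default-sorts (hunk @@ -695), the DEFAULT alias built from `parse("ALL:...")` a few lines above now also takes whatever order parse emits, which is worth confirming against the intended OpenSSL behaviour. The enclosing block starts before the hunk.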
@@ -560,17 +561,22 @@ public class OpenSSLCipherConfigurationP
 */
 static LinkedHashSet<Cipher> defaultSort(final LinkedHashSet<Cipher> ciphers) {
 final LinkedHashSet<Cipher> result = new LinkedHashSet<>(ciphers.size());
- /* Now arrange all ciphers by preference: */
+ final LinkedHashSet<Cipher> ecdh = new LinkedHashSet<>(ciphers.size());
 /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
- result.addAll(filterByKeyExchange(ciphers, Collections.singleton(KeyExchange.EECDH)));
+ ecdh.addAll(filterByKeyExchange(ciphers, Collections.singleton(KeyExchange.EECDH)));
+ /* AES is our preferred symmetric cipher */
 Set<Encryption> aes = new HashSet<>(Arrays.asList(Encryption.AES128, Encryption.AES128CCM, Encryption.AES128CCM8, Encryption.AES128GCM, Encryption.AES256, Encryption.AES256CCM, Encryption.AES256CCM8, Encryption.AES256GCM));
- moveToStart(result, filterByEncryption(result, aes));
+
+ /* Now arrange all ciphers by preference: */
+ result.addAll(filterByEncryption(ecdh, aes));
 result.addAll(filterByEncryption(ciphers, aes));
- /* Temporarily enable everything else for sorting */
+
+ /* Add everything else */
+ result.addAll(ecdh);
 result.addAll(ciphers);
 /* Low priority for MD5 */
@@ -605,11 +611,11 @@ public class OpenSSLCipherConfigurationP
 return filter(ciphers, protocol, null, null, null, null, null);
 }
- static Set<Cipher> filterByKeyExchange(Set<Cipher> ciphers, Set<KeyExchange> kx) {
+ static LinkedHashSet<Cipher> filterByKeyExchange(Set<Cipher> ciphers, Set<KeyExchange> kx) {
 return filter(ciphers, null, kx, null, null, null, null);
 }
- static Set<Cipher> filterByAuthentication(Set<Cipher> ciphers, Set<Authentication> au) {
+ static LinkedHashSet<Cipher> filterByAuthentication(Set<Cipher> ciphers, Set<Authentication> au) {
 return filter(ciphers, null, null, au, null, null, null);
 }
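Review bot: defaultSort's Javadoc, which ends at the `*/` opening this hunk, should now state the contract the rewrite relies on: the order is produced in the returned set and, as far as the visible lines show, `ciphers` itself is left untouched, so callers must use the return value; something like `@return a new set holding {@code ciphers} in default preference order; the argument is not modified` (to be confirmed against the part of the method below the hunk). As a point of style, the `aes` set is rebuilt from the same eight constants on every call; it reads better as a class constant, e.g. `private static final Set<Encryption> AES = ...` built once with `Collections.unmodifiableSet(new HashSet<>(Arrays.asList(...)))`, or `EnumSet.of(...)` if Encryption is an enum as the `Encryption.AES128` references suggest. The method body continues past the hunk.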
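Review bot: filterByKeyExchange and filterByAuthentication now promise a LinkedHashSet result, but both still accept any `Set<Cipher>`, and because this commit makes that result's order meaningful, a HashSet argument would silently produce an arbitrary order that is then treated as the user-defined one. Suggest documenting the dependency on the two methods and on filter in hunk @@ -625, e.g. `/** The result keeps the iteration order of {@code ciphers}; pass an ordered set such as LinkedHashSet when order matters. */`, or narrowing the `ciphers` parameter to an ordered type. The `kx` and `au` sets can presumably stay unordered since filter appears to use them only for membership tests.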
@@ -625,9 +631,9 @@ public class OpenSSLCipherConfigurationP
 return filter(ciphers, null, null, null, null, null, mac);
 }
- static Set<Cipher> filter(Set<Cipher> ciphers, Set<Protocol> protocol, Set<KeyExchange> kx,
+ static LinkedHashSet<Cipher> filter(Set<Cipher> ciphers, Set<Protocol> protocol, Set<KeyExchange> kx,
 Set<Authentication> au, Set<Encryption> enc, Set<EncryptionLevel> level, Set<MessageDigest> mac) {
- Set<Cipher> result = new LinkedHashSet<>(ciphers.size());
+ LinkedHashSet<Cipher> result = new LinkedHashSet<>(ciphers.size());
 for (Cipher cipher : ciphers) {
 if (protocol != null && protocol.contains(cipher.getProtocol())) {
 result.add(cipher);
@@ -695,7 +701,7 @@ public class OpenSSLCipherConfigurationP
 }
 }
 ciphers.removeAll(removedCiphers);
- return defaultSort(ciphers);
+ return ciphers;
 }
 public static List<String> convertForJSSE(Collection<Cipher> ciphers) {

Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1733444&r1=1733443&r2=1733444&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Thu Mar 3 11:06:58 2016
@@ -153,6 +153,10 @@
 Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> with the current OpenSSL implementation. (markt)
 </fix>
+ <fix>
+ <bug>59081</bug>: Retain the user defined cipher order when defining
+ ciphers using the OpenSSL format. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Jasper">

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
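Review bot: Returning `ciphers` instead of `defaultSort(ciphers)` changes parse's contract from "default preference order" to "specification order", and the method's signature and Javadoc lie above the hunk, so any description there of a sorted result needs updating, e.g. `@return the matching ciphers in the order the specification listed them; apply defaultSort for OpenSSL's default preference`. It would also help to note on the method that callers which previously relied on the implicit sort, such as alias registration via `parse(...)` in hunk @@ -491, must now sort explicitly if they want the default order. The enclosing parse method starts outside the hunk.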