Author: rjung Date: Thu Apr 12 04:38:45 2018 New Revision: 1828946 URL: http://svn.apache.org/viewvc?rev=1828946&view=rev Log: - add utility functions to TesterSupport to access OpenSSL library availability and version number. - use the new version number access to fix the test for OpenSSLConf for older versions of OpenSSL (before 1.1.1-pre3).
Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java Modified: tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?rev=1828946&r1=1828945&r2=1828946&view=diff ==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Thu Apr 12 04:38:45 2018
@@ -50,6 +50,9 @@ import org.apache.catalina.core.AprLifec
 import org.apache.catalina.core.StandardServer;
 import org.apache.catalina.startup.TesterMapRealm;
 import org.apache.catalina.startup.Tomcat;
+import org.apache.tomcat.jni.Library;
+import org.apache.tomcat.jni.LibraryNotFoundError;
+import org.apache.tomcat.jni.SSL;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityCollection;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
@@ -67,6 +70,8 @@ public final class TesterSupport {
 public static final String JKS_KEY_PASS = "tomcatpass";
 public static final String LOCALHOST_CERT_PEM = SSL_DIR + "localhost-cert.pem";
 public static final String LOCALHOST_KEY_PEM = SSL_DIR + "localhost-key.pem";
+ public static final boolean OPENSSL_AVAILABLE;
+ public static final int OPENSSL_VERSION;
 public static final String ROLE = "testrole";
@@ -74,6 +79,29 @@ public final class TesterSupport {
 private static String lastUsage = "NONE";
 private static Principal[] lastRequestedIssuers = new Principal[0];
+ static {
+ boolean available = false;
+ int version = 0;
+ try {
+ Library.initialize(null);
+ available = true;
+ version = SSL.version();
+ Library.terminate();
+ } catch (Exception | LibraryNotFoundError ex) {
+ // Ignore
+ }
+ OPENSSL_AVAILABLE = available;
+ OPENSSL_VERSION = version;
+ }
+
+ public static boolean isOpensslAvailable() {
+ return OPENSSL_AVAILABLE;
+ }
+
+ public static int getOpensslVersion() {
+ return OPENSSL_VERSION;
+ }
+
 public static void initSsl(Tomcat tomcat) {
 initSsl(tomcat, LOCALHOST_JKS, null, null);
 }
Modified: tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java?rev=1828946&r1=1828945&r2=1828946&view=diff ==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/openssl/TestOpenSSLConf.java Thu Apr 12 04:38:45 2018
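Review bot: Library.terminate() is skipped whenever SSL.version() throws after Library.initialize(null) has already succeeded, because the terminate call sits at the end of the same try body; and since `available = true` is assigned before the version is read, OPENSSL_AVAILABLE can end up true while OPENSSL_VERSION stays 0, which callers comparing against a minimum version will read as "very old OpenSSL" rather than "unknown". Moving terminate into a finally of an inner try and setting `available` only once the version is known keeps the two constants consistent, as in the fence below. The catch only covers Exception and LibraryNotFoundError; if the native SSL.version() call can raise another LinkageError on a tcnative build without SSL support (I cannot confirm that from this hunk), it would escape the static initializer and make every TesterSupport user fail, so a broader Error catch may be worth considering. The discarded exception should be named `ignored`, with the reason stated in place of `// Ignore`.
```java
static {
    boolean available = false;
    int version = 0;
    try {
        Library.initialize(null);
        try {
            version = SSL.version();
            available = true;
        } finally {
            Library.terminate();
        }
    } catch (Exception | LibraryNotFoundError ignored) {
        // Native library not loadable here: OpenSSL-dependent tests are skipped
    }
    OPENSSL_AVAILABLE = available;
    OPENSSL_VERSION = version;
}
// … unchanged: isOpensslAvailable(), getOpensslVersion() …
```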
@@ -35,11 +35,20 @@ import org.apache.tomcat.util.net.Tester
 public class TestOpenSSLConf extends TomcatBaseTest {
 private static final String ENABLED_CIPHER = "AES256-SHA256";
- private static final String[] EXPECTED_CIPHERS = {"AES256-SHA256"};
+ private static final String[] EXPECTED_CIPHERS = {ENABLED_CIPHER};
 private static final String[] ENABLED_PROTOCOLS = {"TLSv1.1"};
- private static final String[] DISABLED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.2", "TLSv1.3"};
+ private static final String[] DISABLED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.2"};
+ private static final String[] DISABLED_PROTOCOLS_TLS13 = {"TLSv1.3"};
+ // Test behavior needs to adjust for OpenSSL 1.1.1-pre3 and above
+ private static final int OPENSSL_TLS13_SUPPORT_MIN_VERSION = 0x10101003;
- public SSLHostConfig initOpenSSLConfCmdCipher(String... commands) throws Exception {
+ private static int OPENSSL_VERSION = TesterSupport.getOpensslVersion();;
+
+ private static boolean hasTLS13() {
+ return OPENSSL_VERSION >= OPENSSL_TLS13_SUPPORT_MIN_VERSION;
+ }
+
+ public SSLHostConfig initOpenSSLConfCmd(String... commands) throws Exception {
 Assert.assertNotNull(commands);
 Assert.assertTrue("Invalid length", commands.length % 2 == 0);
@@ -78,9 +87,15 @@ public class TestOpenSSLConf extends Tom
 @Test
 public void testOpenSSLConfCmdCipher() throws Exception {
- // Ensure TLSv1.3 ciphers aren't returned
- SSLHostConfig sslHostConfig = initOpenSSLConfCmdCipher("CipherString", ENABLED_CIPHER,
- "CipherSuites", "");
+ log.info("Found OpenSSL version 0x" + Integer.toHexString(OPENSSL_VERSION));
+ SSLHostConfig sslHostConfig;
+ if (hasTLS13()) {
+ // Ensure TLSv1.3 ciphers aren't returned
+ sslHostConfig = initOpenSSLConfCmd("CipherString", ENABLED_CIPHER,
+ "CipherSuites", "");
+ } else {
+ sslHostConfig = initOpenSSLConfCmd("CipherString", ENABLED_CIPHER);
+ }
 String[] ciphers = sslHostConfig.getEnabledCiphers();
 Assert.assertThat("Wrong HostConfig ciphers", ciphers, CoreMatchers.is(EXPECTED_CIPHERS));
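Review bot: `private static int OPENSSL_VERSION = TesterSupport.getOpensslVersion();;` in the first hunk carries a stray second semicolon and is the only non-final static among these constants; it should read `private static final int OPENSSL_VERSION = TesterSupport.getOpensslVersion();`. The comment above OPENSSL_TLS13_SUPPORT_MIN_VERSION could also decode the magic number for the reader, e.g. `// 0x10101003 is OpenSSL's MNNFFPPS encoding of 1.1.1-pre3, the first version the test must treat as TLSv1.3-capable`. hasTLS13() also answers false when OPENSSL_VERSION is 0 because no native library was found at all, so a one-line Javadoc stating that "no OpenSSL" is deliberately treated as "no TLSv1.3" would make that fallback explicit.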
@@ -91,15 +106,23 @@ public class TestOpenSSLConf extends Tom
 @Test
 public void testOpenSSLConfCmdProtocol() throws Exception {
+ log.info("Found OpenSSL version 0x" + Integer.toHexString(OPENSSL_VERSION));
 Set<String> disabledProtocols = new HashSet<>(Arrays.asList(DISABLED_PROTOCOLS));
 StringBuilder sb = new StringBuilder();
 for (String protocol : DISABLED_PROTOCOLS) {
 sb.append(",").append("-").append(protocol);
 }
+ if (hasTLS13()) {
+ // Also disable TLSv1.3
+ for (String protocol : DISABLED_PROTOCOLS_TLS13) {
+ sb.append(",").append("-").append(protocol);
+ disabledProtocols.add(protocol);
+ }
+ }
 for (String protocol : ENABLED_PROTOCOLS) {
 sb.append(",").append(protocol);
 }
- SSLHostConfig sslHostConfig = initOpenSSLConfCmdCipher("Protocol", sb.substring(1));
+ SSLHostConfig sslHostConfig = initOpenSSLConfCmd("Protocol", sb.substring(1));
 String[] protocols = sslHostConfig.getEnabledProtocols();
 for (String protocol : protocols) {
 Assert.assertFalse("Protocol " + protocol + " is not allowed",
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org