This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 267e8d9270 Pass through ciphers referring to an OpenSSL profile
267e8d9270 is described below

commit 267e8d9270cabdd6596b981d8ae7ea029c3f05dd
Author: remm <r...@apache.org>
AuthorDate: Fri Aug 4 10:27:52 2023 +0200

    Pass through ciphers referring to an OpenSSL profile
    
    Avoids the error trying to parse it.
---
 java/org/apache/tomcat/util/net/SSLUtilBase.java | 16 +++++++++++-----
 webapps/docs/changelog.xml                       |  5 +++++
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java 
b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index 72161e9238..bdbf893f6a 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -122,11 +122,17 @@ public abstract class SSLUtilBase implements SSLUtil {
         
sslHostConfig.setTls13RenegotiationAvailable(isTls13RenegAuthAvailable());
 
         // Calculate the enabled ciphers
-        List<String> configuredCiphers = sslHostConfig.getJsseCipherNames();
-        Set<String> implementedCiphers = getImplementedCiphers();
-        List<String> enabledCiphers =
-                getEnabled("ciphers", getLog(), false, configuredCiphers, 
implementedCiphers);
-        this.enabledCiphers = enabledCiphers.toArray(new String[0]);
+        if (sslHostConfig.getCiphers().startsWith("PROFILE=")) {
+            // OpenSSL profiles
+            // TODO: sslHostConfig can query that with Panama, but skip for now
+            this.enabledCiphers = new String[0];
+        } else {
+            List<String> configuredCiphers = 
sslHostConfig.getJsseCipherNames();
+            Set<String> implementedCiphers = getImplementedCiphers();
+            List<String> enabledCiphers =
+                    getEnabled("ciphers", getLog(), false, configuredCiphers, 
implementedCiphers);
+            this.enabledCiphers = enabledCiphers.toArray(new String[0]);
+        }
     }
 
 
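Review bot: In the new `PROFILE=` branch, `this.enabledCiphers = new String[0]` makes an empty array mean "cipher selection is delegated to the OpenSSL profile", but nothing in the hunk documents or logs that, and the hunk does not check that the connector is actually backed by OpenSSL. If a JSSE-backed configuration reaches this branch, it would presumably end up with no enabled suites instead of a clear configuration error, and in either case the effective cipher policy is no longer visible from Tomcat's side. I would state the contract in the comment, e.g. `// Empty array: cipher policy is delegated to the OpenSSL profile and is not filtered here`, and emit a log message through `getLog()` so operators can tell that the usual filtering against `getImplementedCiphers()` was skipped. It is also worth confirming that `sslHostConfig.getCiphers()` can never return null here, since `startsWith` is called on it unguarded. The enclosing method starts outside the hunk, so callers of `enabledCiphers` are not visible.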
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e0b4ed7b94..d644398268 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -155,6 +155,11 @@
         Refactor HTTP/2 implementation to reduce pinning when using virtual
         threads. (markt)
       </scode>
+      <fix>
+        Pass through ciphers referring to an OpenSSL profile, such as
+        <code>PROFILE=SYSTEM</code> instead of producing an error trying to
+        parse it. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="WebSocket">

