This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 267e8d9270 Pass through ciphers referring to an OpenSSL profile
267e8d9270 is described below
commit 267e8d9270cabdd6596b981d8ae7ea029c3f05dd
Author: remm <[email protected]>
AuthorDate: Fri Aug 4 10:27:52 2023 +0200
Pass through ciphers referring to an OpenSSL profile
Avoids the error trying to parse it.
---
java/org/apache/tomcat/util/net/SSLUtilBase.java | 16 +++++++++++-----
webapps/docs/changelog.xml | 5 +++++
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java
b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index 72161e9238..bdbf893f6a 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -122,11 +122,17 @@ public abstract class SSLUtilBase implements SSLUtil {
sslHostConfig.setTls13RenegotiationAvailable(isTls13RenegAuthAvailable());
// Calculate the enabled ciphers
- List<String> configuredCiphers = sslHostConfig.getJsseCipherNames();
- Set<String> implementedCiphers = getImplementedCiphers();
- List<String> enabledCiphers =
- getEnabled("ciphers", getLog(), false, configuredCiphers,
implementedCiphers);
- this.enabledCiphers = enabledCiphers.toArray(new String[0]);
+ if (sslHostConfig.getCiphers().startsWith("PROFILE=")) {
+ // OpenSSL profiles
+ // TODO: sslHostConfig can query that with Panama, but skip for now
+ this.enabledCiphers = new String[0];
+ } else {
+ List<String> configuredCiphers =
sslHostConfig.getJsseCipherNames();
+ Set<String> implementedCiphers = getImplementedCiphers();
+ List<String> enabledCiphers =
+ getEnabled("ciphers", getLog(), false, configuredCiphers,
implementedCiphers);
+ this.enabledCiphers = enabledCiphers.toArray(new String[0]);
+ }
}
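Review bot: The new `PROFILE=` branch assigns `this.enabledCiphers = new String[0]` without calling `getEnabled(...)`, so any checking that call does on the configured list is skipped and the effective cipher set is decided entirely by the host's OpenSSL policy. Nothing visible in the hunk restricts this branch to OpenSSL-backed implementations, so a JSSE-based subclass configured with `PROFILE=SYSTEM` would presumably also end up with an empty array; rejecting the value there, or at least logging through `getLog()` that selection was delegated, would make the outcome visible to operators. The TODO should also say what the empty array means to callers, for example `// Empty array = cipher selection delegated to the OpenSSL profile; Tomcat neither filters nor reports the suites in use`. `sslHostConfig.getCiphers()` is dereferenced directly, so it is worth confirming it can never return null. The constructor body begins above the hunk, so how `enabledCiphers` is consumed later is not visible here.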
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e0b4ed7b94..d644398268 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -155,6 +155,11 @@
Refactor HTTP/2 implementation to reduce pinning when using virtual
threads. (markt)
</scode>
+ <fix>
+ Pass through ciphers referring to an OpenSSL profile, such as
+ <code>PROFILE=SYSTEM</code> instead of producing an error trying to
+ parse it. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="WebSocket">