On Mon, Sep 22, 2025 at 10:51 PM <[email protected]> wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> remm pushed a commit to branch 9.0.x
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/9.0.x by this push:
>      new bda8247f14 Drop method
> bda8247f14 is described below
>
> commit bda8247f142dc27ad56781f68448cbe9c848dce4
> Author: remm <[email protected]>
> AuthorDate: Mon Sep 22 22:48:09 2025 +0200
>
>     Drop method
>
>     Most likely acceptable since it is present only in 10.1.46.

I went ahead with backporting the more flexible post-quantum crypto code since:
- The test suite is OK and the new code has good test coverage; it will
not break with older stuff.
- The new functionality is not tested by the test suite due to the lack
of a client for now. Sorry.
- From my testing, likely useful configurations work (example below).
- Not having to rely on the little trick where multiple certificates
were added to one OpenSSL context is better, and also good for JSSE
later. The certificate selection code is also more useful now as well.
- Tomcat 9 is supposed to be maintained for a long time, and not
having post-quantum crypto could be a problem.

Example configuration:
    <Connector port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig groups="MLKEM768, X25519MLKEM768">
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         certificateKeystorePassword="changeit"
                         type="RSA" />
            <Certificate certificateKeystoreFile="conf/localhost-mldsa.jks"
                         certificateKeystorePassword="changeit"
                         type="MLDSA" />
        </SSLHostConfig>
    </Connector>

It does:
- If a strict client wants mlkem only, it can (this group is not
enabled by default, so it needs to have explicit configuration in both
the client and the server).
- Otherwise, hybrid.
- If a client wants the ml-dsa certificate, it works.
- Otherwise it will use the classic rsa certificate.

Rémy

> ---
>  java/org/apache/tomcat/util/net/SSLUtil.java           |  9 ---------
>  .../apache/tomcat/util/net/openssl/OpenSSLUtil.java    | 10 ----------
>  .../tomcat/util/net/openssl/panama/OpenSSLUtil.java    | 18 
> ------------------
>  3 files changed, 37 deletions(-)
>
> diff --git a/java/org/apache/tomcat/util/net/SSLUtil.java 
> b/java/org/apache/tomcat/util/net/SSLUtil.java
> index 7a9c32dc4a..8c5d7a1b37 100644
> --- a/java/org/apache/tomcat/util/net/SSLUtil.java
> +++ b/java/org/apache/tomcat/util/net/SSLUtil.java
> @@ -91,13 +91,4 @@ public interface SSLUtil {
>          String getNegotiatedProtocol();
>      }
>
> -    /**
> -     * Add a second certificate to an existing context, to enable hybrid TLS 
> 1.3 handshakes.
> -     * @param context the existing context
> -     * @param certificate the second certificate to add
> -     * @return true if supported by the context
> -     */
> -    default boolean addSecondCertificate(SSLContext context, 
> SSLHostConfigCertificate certificate) {
> -        return false;
> -    }
>  }
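
Review bot: Dropping the default method addSecondCertificate from the public SSLUtil interface is an API removal, and the commit message justifies it only with "present only in 10.1.46" while this push goes to 9.0.x. The message should say whether any 9.0.x release shipped the method. If one did, an external SSLUtil implementation that overrides it with @Override stops compiling, so a changelog entry or a deprecation step would be appropriate before removal.
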
> diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java 
> b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> index 2112fa8674..1c31d7e970 100644
> --- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> +++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
> @@ -136,14 +136,4 @@ public class OpenSSLUtil extends SSLUtilBase {
>          }
>      }
>
> -    @Override
> -    public boolean addSecondCertificate(SSLContext context, 
> SSLHostConfigCertificate certificate) {
> -        try {
> -            ((OpenSSLContext) context).addCertificate(certificate);
> -            return true;
> -        } catch (Exception e) {
> -            throw new 
> IllegalArgumentException(sm.getString("openssl.secondCertificateError"), e);
> -        }
> -    }
> -
>  }
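
Review bot: The removed override in this hunk used the message key openssl.secondCertificateError, and the diffstat lists only three Java files, so no message resource file is touched by this commit. If nothing else references that key after this change, remove it (and its translations) in the same commit so the resource files do not keep a dead entry.
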
> diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java 
> b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
> index 955d0aba0d..3475190e5a 100644
> --- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
> +++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
> @@ -17,7 +17,6 @@
>  package org.apache.tomcat.util.net.openssl.panama;
>
>  import java.io.IOException;
> -import java.lang.foreign.Arena;
>  import java.security.KeyException;
>  import java.security.KeyStoreException;
>  import java.util.List;
> @@ -107,21 +106,4 @@ public class OpenSSLUtil extends SSLUtilBase {
>          }
>      }
>
> -
> -    @Override
> -    public boolean addSecondCertificate(SSLContext context, 
> SSLHostConfigCertificate certificate) {
> -        try (var localArena = Arena.ofConfined()) {
> -            try {
> -                if (((OpenSSLContext) context).addCertificate(certificate, 
> localArena)) {
> -                    return true;
> -                } else {
> -                    log.warn(sm.getString("openssl.secondCertificateError"));
> -                    return false;
> -                }
> -            } catch (Exception e) {
> -                throw new 
> IllegalArgumentException(sm.getString("openssl.secondCertificateError"), e);
> -            }
> -        }
> -    }
> -
>  }
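
Review bot: The removed override in this hunk called ((OpenSSLContext) context).addCertificate(certificate, localArena), and the diffstat shows OpenSSLContext is not modified here. Check whether that two-argument addCertificate still has a caller. If this was the only one, remove it or narrow its visibility in the same change, and do the same check for the one-argument addCertificate(certificate) used by the JNI variant in openssl/OpenSSLUtil.java.
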
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
