This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git


The following commit(s) were added to refs/heads/main by this push:
     new ba61d0ea3 Fix logic. As long as at least one  cipher is configured, 
all is good.
ba61d0ea3 is described below

commit ba61d0ea32fbdf117fdf71a228a0fcbe3ace9f1a
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Dec 12 10:26:53 2025 +0000

    Fix logic. As long as at least one  cipher is configured, all is good.
---
 native/src/sslcontext.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index e026cc11a..1c5d201db 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -520,6 +520,7 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCipherSuite)(TCN_STDARGS, jlong ctx,
     jboolean rv = JNI_TRUE;
     int minProtoVer = 0;
     int maxProtoVer = 0;
+    int ciphersSet = 0;
 #ifndef HAVE_EXPORT_CIPHERS
     size_t len;
     char *buf;
@@ -550,20 +551,20 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, 
setCipherSuite)(TCN_STDARGS, jlong ctx,
 #endif
     /* OpenSSL will ignore any unknown cipher, but TLS 1.3 requires a call to 
SSL_CTX_set_ciphersuites */
     if (minProtoVer <= TLS1_2_VERSION) {
-         if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
-            char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
-            ERR_error_string_n(SSL_ERR_get(), err, 
TCN_OPENSSL_ERROR_STRING_LENGTH);
-            tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", 
err);
-            rv = JNI_FALSE;
+        if (SSL_CTX_set_cipher_list(c->ctx, buf)) {
+            ciphersSet = 1;
         }
     }
     if (maxProtoVer >= TLS1_3_VERSION) {
-        if (!SSL_CTX_set_ciphersuites(c->ctx, buf)) {
-            char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
-            ERR_error_string_n(SSL_ERR_get(), err, 
TCN_OPENSSL_ERROR_STRING_LENGTH);
-            tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", 
err);
-            rv = JNI_FALSE;
-        }       
+        if (SSL_CTX_set_ciphersuites(c->ctx, buf)) {
+            ciphersSet = 1;
+        }
+    }
+    if (!ciphersSet) {
+        char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+        ERR_error_string_n(SSL_ERR_get(), err, 
TCN_OPENSSL_ERROR_STRING_LENGTH);
+        tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
+        rv = JNI_FALSE;
     }
 #ifndef HAVE_EXPORT_CIPHERS
     free(buf);
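Review bot: When one of the two calls fails and the other succeeds, the failure is now dropped silently: `ciphersSet` is 1, nothing is thrown, and the error raised by the failed call appears to stay on the thread's OpenSSL error queue, where a later unrelated operation could report it. Consider draining the queue on the success path by extending the final check to `} else { ERR_clear_error(); }`. It would also help to add a comment above `if (!ciphersSet)` saying that the protocol family whose call was rejected presumably keeps the cipher list the context already had (typically the OpenSSL defaults). A string that names only TLS 1.3 suites could then leave TLS 1.2 negotiable with ciphers the administrator never listed, if the protocol range allows it, so logging which call was rejected would make that visible. The body of setCipherSuite starts and ends outside this hunk, so how `minProtoVer` and `maxProtoVer` are derived cannot be checked here.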

