remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new cc29cb037f Improve warnings on cipher lists
commit cc29cb037fb322c707cdd91797eff454cde72c3a
Author: remm <[email protected]>
AuthorDate: Sat Dec 13 10:40:48 2025 +0100
Improve warnings on cipher lists
Mirrors the corresponding change in tomcat-native.
---
.../util/net/openssl/panama/OpenSSLContext.java | 23 +++++++++++++++++-----
webapps/docs/changelog.xml | 4 ++++
2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 177325fb0c..34a07599d7 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -502,17 +502,30 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
openssl_h_Compatibility.SSL_CTX_clear_options(state.sslCtx,
SSL_OP_NO_TICKET());
}
+ boolean ciphersSet = false;
+ String tls12Warning = null;
+ String tls13Warning = null;
// List the ciphers that the client is permitted to negotiate
if (minTlsVersion <= TLS1_2_VERSION()) {
if (SSL_CTX_set_cipher_list(state.sslCtx,
localArena.allocateFrom(sslHostConfig.getCiphers())) <= 0) {
- log.warn(sm.getString("engine.failedCipherList",
sslHostConfig.getCiphers()));
+ tls12Warning = sm.getString("engine.failedCipherList",
sslHostConfig.getCiphers());
+ } else {
+ ciphersSet = true;
}
}
- // Check if the ciphers have been changed from the defaults
- if (maxTlsVersion >= TLS1_3_VERSION() &&
- (sslHostConfig.getCiphers() !=
SSLHostConfig.DEFAULT_TLS_CIPHERS)) {
+ if (maxTlsVersion >= TLS1_3_VERSION()) {
if (SSL_CTX_set_ciphersuites(state.sslCtx,
localArena.allocateFrom(sslHostConfig.getCiphers())) <= 0) {
- log.warn(sm.getString("engine.failedCipherSuite",
sslHostConfig.getCiphers()));
+ tls13Warning = sm.getString("engine.failedCipherSuite",
sslHostConfig.getCiphers());
+ } else {
+ ciphersSet = true;
+ }
+ }
+ if (!ciphersSet) {
+ if (tls12Warning != null) {
+ log.warn(tls12Warning);
+ }
+ if (tls13Warning != null) {
+ log.warn(tls13Warning);
}
}
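Review bot: The new `if (!ciphersSet)` block carries no comment explaining why a failure from one of the two set calls is deliberately dropped when the other one succeeded, and the next reader is likely to take it for a lost warning; suggest a comment above it such as `// A cipher string that names only TLS 1.2 ciphers (or only TLS 1.3 suites) is expected to fail for the other generation, so warn only when neither call accepted the configured value.` It would also be worth stating in that comment — hedged, because the hunk does not show it — that when one of these calls fails OpenSSL is expected to keep its previous list for that protocol generation, so a half-accepted string leaves that generation negotiating library defaults rather than the administrator's selection, and with this change the log no longer says so. The TLS 1.3 branch also lost its leading comment together with the removed defaults check, while the surviving `// List the ciphers that the client is permitted to negotiate` now describes only the TLS 1.2 branch. The enclosing method starts and ends outside the hunk.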
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8cbcbe7f06..5983c8a097 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -223,6 +223,10 @@
Remove support for HTTP 0.9. (markt)
</update>
<!-- Entries for backport and removal before 12.0.0-M1 below this line
-->
+ <fix>
+ Improve warnings when setting ciphers lists in the FFM code, mirrorring
+ the tomcat-native changes. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">