This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 7b52439bc2 Improve compatibility with LibreSSL < 3.5
7b52439bc2 is described below
commit 7b52439bc2d9b8e2c42b7e1bb6ba12db43af7252
Author: remm <[email protected]>
AuthorDate: Wed Jan 14 23:36:22 2026 +0100
Improve compatibility with LibreSSL < 3.5
Also skip some tests as needed for LibreSSL and BoringSSL.
---
.../tomcat/util/openssl/openssl_h_Compatibility.java | 6 ++++++
.../apache/tomcat/security/TestSecurity2017Ocsp.java | 4 ++++
.../apache/tomcat/util/net/TestSSLHostConfigCipher.java | 17 +++++++++++++++++
test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java | 4 ++++
webapps/docs/changelog.xml | 4 ++++
5 files changed, 35 insertions(+)
diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
index bb9bfd9fe2..1bd3aec457 100644
--- a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
+++ b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
@@ -70,6 +70,9 @@ public class openssl_h_Compatibility {
// OpenSSL 1.1 FIPS_mode
public static int FIPS_mode() {
+ if (isLibreSSLPre35()) {
+ return 0;
+ }
class Holder {
static final String NAME = "FIPS_mode";
static final FunctionDescriptor DESC =
FunctionDescriptor.of(JAVA_INT);
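Review bot: The early return added to `FIPS_mode()` here, and the matching one in `FIPS_mode_set(int r)` in the next hunk, carry no comment saying what `0` means on LibreSSL before 3.5. For `FIPS_mode_set` in OpenSSL 1.1, 0 is the failure return, so a caller that asked for FIPS mode should treat it as "could not enable" and not as success; the callers are outside this diff, so that is worth confirming. Suggest `// LibreSSL < 3.5: skip the native lookup and report FIPS mode as off` above the first guard and `// LibreSSL < 3.5: skip the native lookup; 0 is the failure return` above the second. Both method bodies continue outside their hunks.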
@@ -88,6 +91,9 @@ public class openssl_h_Compatibility {
// OpenSSL 1.1 FIPS_mode_set
public static int FIPS_mode_set(int r) {
+ if (isLibreSSLPre35()) {
+ return 0;
+ }
class Holder {
static final String NAME = "FIPS_mode_set";
static final FunctionDescriptor DESC =
FunctionDescriptor.of(JAVA_INT, JAVA_INT);
diff --git a/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java
b/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java
index 6201593464..d8b23449d5 100644
--- a/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java
+++ b/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java
@@ -39,6 +39,7 @@ import org.apache.tomcat.util.net.TesterSupport;
import org.apache.tomcat.util.net.TesterSupport.SimpleServlet;
import org.apache.tomcat.util.net.ocsp.OcspBaseTest;
import org.apache.tomcat.util.net.ocsp.TesterOcspResponder;
+import org.apache.tomcat.util.openssl.openssl_h_Compatibility;
@RunWith(Parameterized.class)
public class TestSecurity2017Ocsp extends OcspBaseTest {
@@ -70,6 +71,9 @@ public class TestSecurity2017Ocsp extends OcspBaseTest {
*/
@Test(expected=SSLHandshakeException.class)
public void testCVE_2017_15698() throws Exception {
+ if ("OpenSSL-FFM".equals(connectorName)) {
+ Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL ||
openssl_h_Compatibility.isLibreSSLPre35());
+ }
Assume.assumeNotNull(ocspResponder);
Tomcat tomcat = getTomcatInstance();
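Review bot: The guard added at the top of `testCVE_2017_15698` skips a CVE regression test on BoringSSL and LibreSSL < 3.5 without recording why, so the test report shows a bare skip and nothing says whether OCSP checking is unsupported with those libraries or merely untested. Use the message overload, e.g. `Assume.assumeFalse("OCSP not exercised with BoringSSL / LibreSSL < 3.5", openssl_h_Compatibility.BORINGSSL || openssl_h_Compatibility.isLibreSSLPre35());`, and add a one-line comment giving the reason. The same applies to the guard added to `OcspBaseTest.doTest`, which skips every OCSP test that runs through it on the OpenSSL-FFM connector. If revocation checking is in fact not performed with these libraries at runtime, that belongs in the user documentation too; the diff does not show this either way.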
diff --git a/test/org/apache/tomcat/util/net/TestSSLHostConfigCipher.java
b/test/org/apache/tomcat/util/net/TestSSLHostConfigCipher.java
index 19e5fb0970..e9e0547b8f 100644
--- a/test/org/apache/tomcat/util/net/TestSSLHostConfigCipher.java
+++ b/test/org/apache/tomcat/util/net/TestSSLHostConfigCipher.java
@@ -23,6 +23,7 @@ import java.util.List;
import javax.net.ssl.SSLHandshakeException;
import org.junit.Assert;
+import org.junit.Assume;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
@@ -34,6 +35,7 @@ import org.apache.catalina.startup.TesterServlet;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.startup.TomcatBaseTest;
import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.openssl.openssl_h_Compatibility;
@RunWith(Parameterized.class)
public class TestSSLHostConfigCipher extends TomcatBaseTest {
@@ -91,6 +93,10 @@ public class TestSSLHostConfigCipher extends TomcatBaseTest {
@Test
public void testTls12CipherAvailable() throws Exception {
+ if ("OpenSSL-FFM".equals(connectorName)) {
+ // The functionality works, but the two ciphers used are not
available
+ Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL);
+ }
// Client-side TLS configuration
TesterSupport.configureClientSsl(true, new String[] {
CIPHER_12_AVAILABLE } );
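Review bot: The `"OpenSSL-FFM".equals(connectorName)` guard with `Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL)` is pasted into all four cipher tests in this file (this hunk and the three that follow), and only this copy carries the explanation that the ciphers are unavailable rather than the feature broken. A small private helper would keep the reason in one place and attach it to the skip message so it shows up in the test report. The test method bodies continue outside their hunks.

```java
private void assumeNotBoringSslFfm() {
    if ("OpenSSL-FFM".equals(connectorName)) {
        // The functionality works, but the ciphers used by these tests are not available
        Assume.assumeFalse("Test ciphers not available with BoringSSL",
                openssl_h_Compatibility.BORINGSSL);
    }
}

@Test
public void testTls12CipherAvailable() throws Exception {
    assumeNotBoringSslFfm();
    // … unchanged: client-side TLS configuration and request …
```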
@@ -100,6 +106,9 @@ public class TestSSLHostConfigCipher extends TomcatBaseTest
{
@Test(expected=SSLHandshakeException.class)
public void testTls12CipherNotAvailable() throws Exception {
+ if ("OpenSSL-FFM".equals(connectorName)) {
+ Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL);
+ }
// Client-side TLS configuration
TesterSupport.configureClientSsl(true, new String[] {
CIPHER_12_NOT_AVAILABLE } );
@@ -109,6 +118,9 @@ public class TestSSLHostConfigCipher extends TomcatBaseTest
{
@Test
public void testTls13CipherAvailable() throws Exception {
+ if ("OpenSSL-FFM".equals(connectorName)) {
+ Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL);
+ }
// Client-side TLS configuration
TesterSupport.configureClientSsl(new String[] { CIPHER_13_AVAILABLE }
);
@@ -118,6 +130,11 @@ public class TestSSLHostConfigCipher extends
TomcatBaseTest {
@Test(expected=SSLHandshakeException.class)
public void testTls13CipherNotAvailable() throws Exception {
+ if ("OpenSSL-FFM".equals(connectorName)) {
+ // The TLS 1.3 call might not be present
+ Assume.assumeFalse(openssl_h_Compatibility.isLibreSSLPre35());
+ Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL);
+ }
// Client-side TLS configuration
TesterSupport.configureClientSsl(new String[] {
CIPHER_13_NOT_AVAILABLE } );
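Review bot: The comment `// The TLS 1.3 call might not be present` does not say what follows from that, and `testTls13CipherAvailable` in the previous hunk is not skipped for LibreSSL < 3.5. If the missing call means the configured TLS 1.3 cipher list is not applied, the handshake in this test would succeed with a cipher that was meant to be excluded; that would be a configuration silently not taking effect at runtime, not only a test issue. This is inferred from the comment and not shown in the diff. Suggest wording it as `// LibreSSL < 3.5 may lack the TLS 1.3 cipher suite call, so the restriction under test is not applied` and confirming the connector logs a warning in that case. The two `assumeFalse` calls could also be combined with `||`, as the OCSP tests do.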
diff --git a/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java
b/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java
index e25347030a..293f6aa1b8 100644
--- a/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java
+++ b/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java
@@ -40,6 +40,7 @@ import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.TesterSupport;
import org.apache.tomcat.util.net.TesterSupport.SimpleServlet;
+import org.apache.tomcat.util.openssl.openssl_h_Compatibility;
public class OcspBaseTest extends TomcatBaseTest {
@@ -108,6 +109,9 @@ public class OcspBaseTest extends TomcatBaseTest {
protected void doTest(boolean clientCertValid, boolean serverCertValid,
ClientCertificateVerification verifyClientCert,
boolean verifyServerCert, Boolean softFail) throws Exception {
+ if ("OpenSSL-FFM".equals(connectorName)) {
+ Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL ||
openssl_h_Compatibility.isLibreSSLPre35());
+ }
Assume.assumeFalse(!useOpenSSLTrust && verifyClientCert ==
ClientCertificateVerification.OPTIONAL_NO_CA);
Tomcat tomcat = getTomcatInstance();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 315bac00b5..7d3cd847c9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -187,6 +187,10 @@
<code>OCSP_basic_verify</code> when using an OpenSSL based TLS
implementation. (markt)
</add>
+ <fix>
+ Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5.
+ (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">