On Wed, Jan 14, 2026 at 11:38 PM <[email protected]> wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> remm pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/main by this push:
> new 2f11928e92 Improve compatibility with LibreSSL < 3.5
> 2f11928e92 is described below
>
> commit 2f11928e927f94e77249e80cfe3d62bb2f01ae5f
> Author: remm <[email protected]>
> AuthorDate: Wed Jan 14 23:36:22 2026 +0100
>
> Improve compatibility with LibreSSL < 3.5
>
> Also skip some tests as needed for LibreSSL and BoringSSL.
I'll improve this tomorrow, it causes compilation issues.
Rémy
> ---
> .../tomcat/util/openssl/openssl_h_Compatibility.java | 6 ++++++
> .../apache/tomcat/security/TestSecurity2017Ocsp.java | 4 ++++
> .../apache/tomcat/util/net/TestSSLHostConfigCipher.java | 17
> +++++++++++++++++
> test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java | 4 ++++
> webapps/docs/changelog.xml | 4 ++++
> 5 files changed, 35 insertions(+)
>
> diff --git a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
> b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
> index bb9bfd9fe2..1bd3aec457 100644
> --- a/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
> +++ b/java/org/apache/tomcat/util/openssl/openssl_h_Compatibility.java
> @@ -70,6 +70,9 @@ public class openssl_h_Compatibility {
>
> // OpenSSL 1.1 FIPS_mode
> public static int FIPS_mode() {
> + if (isLibreSSLPre35()) {
> + return 0;
> + }
> class Holder {
> static final String NAME = "FIPS_mode";
> static final FunctionDescriptor DESC =
> FunctionDescriptor.of(JAVA_INT);
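Review bot: The early `return 0` added to `FIPS_mode()` here, and the identical guard in the `FIPS_mode_set(int r)` hunk below, carry no comment saying what 0 means to callers. For `FIPS_mode_set`, 0 is the OpenSSL 1.1 failure value, so a request to enable FIPS on LibreSSL < 3.5 is only rejected if the caller checks the return; that caller is outside these hunks and should be confirmed. I would add above each guard something like `// LibreSSL < 3.5: skip the native call; 0 = FIPS not enabled / request failed`, so the fail-closed intent is visible. Both method bodies continue past the end of their hunks.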
> @@ -88,6 +91,9 @@ public class openssl_h_Compatibility {
>
> // OpenSSL 1.1 FIPS_mode_set
> public static int FIPS_mode_set(int r) {
> + if (isLibreSSLPre35()) {
> + return 0;
> + }
> class Holder {
> static final String NAME = "FIPS_mode_set";
> static final FunctionDescriptor DESC =
> FunctionDescriptor.of(JAVA_INT, JAVA_INT);
> diff --git a/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java
> b/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java
> index 3da985ae59..31134bc890 100644
> --- a/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java
> +++ b/test/org/apache/tomcat/security/TestSecurity2017Ocsp.java
> @@ -38,6 +38,7 @@ import org.apache.tomcat.util.net.TesterSupport;
> import org.apache.tomcat.util.net.TesterSupport.SimpleServlet;
> import org.apache.tomcat.util.net.ocsp.OcspBaseTest;
> import org.apache.tomcat.util.net.ocsp.TesterOcspResponder;
> +import org.apache.tomcat.util.openssl.openssl_h_Compatibility;
>
> @RunWith(Parameterized.class)
> public class TestSecurity2017Ocsp extends OcspBaseTest {
> @@ -69,6 +70,9 @@ public class TestSecurity2017Ocsp extends OcspBaseTest {
> */
> @Test(expected=SSLHandshakeException.class)
> public void testCVE_2017_15698() throws Exception {
> + if ("OpenSSL-FFM".equals(connectorName)) {
> + Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL ||
> openssl_h_Compatibility.isLibreSSLPre35());
> + }
> Assume.assumeNotNull(ocspResponder);
>
> Tomcat tomcat = getTomcatInstance();
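Review bot: The new guard in `testCVE_2017_15698` skips a CVE regression test on BoringSSL and LibreSSL < 3.5 without recording why, and the same uncommented guard is added to `OcspBaseTest.doTest` in a later hunk, where it appears to gate every OCSP test built on that method. A skipped security test should state its reason in the report, which JUnit's two-argument overload does, e.g. `Assume.assumeFalse("<reason OCSP checks are unavailable on this library>", openssl_h_Compatibility.BORINGSSL || openssl_h_Compatibility.isLibreSSLPre35());`. A short comment saying whether the feature is absent on these libraries or only the test fixture is incompatible would also tell readers whether revocation checking is enforced there. The test method body continues outside the hunk.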
> diff --git a/test/org/apache/tomcat/util/net/TestSSLHostConfigCipher.java
> b/test/org/apache/tomcat/util/net/TestSSLHostConfigCipher.java
> index 19e5fb0970..e9e0547b8f 100644
> --- a/test/org/apache/tomcat/util/net/TestSSLHostConfigCipher.java
> +++ b/test/org/apache/tomcat/util/net/TestSSLHostConfigCipher.java
> @@ -23,6 +23,7 @@ import java.util.List;
> import javax.net.ssl.SSLHandshakeException;
>
> import org.junit.Assert;
> +import org.junit.Assume;
> import org.junit.Test;
> import org.junit.runner.RunWith;
> import org.junit.runners.Parameterized;
> @@ -34,6 +35,7 @@ import org.apache.catalina.startup.TesterServlet;
> import org.apache.catalina.startup.Tomcat;
> import org.apache.catalina.startup.TomcatBaseTest;
> import org.apache.tomcat.util.buf.ByteChunk;
> +import org.apache.tomcat.util.openssl.openssl_h_Compatibility;
>
> @RunWith(Parameterized.class)
> public class TestSSLHostConfigCipher extends TomcatBaseTest {
> @@ -91,6 +93,10 @@ public class TestSSLHostConfigCipher extends
> TomcatBaseTest {
>
> @Test
> public void testTls12CipherAvailable() throws Exception {
> + if ("OpenSSL-FFM".equals(connectorName)) {
> + // The functionality works, but the two ciphers used are not
> available
> + Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL);
> + }
> // Client-side TLS configuration
> TesterSupport.configureClientSsl(true, new String[] {
> CIPHER_12_AVAILABLE } );
>
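Review bot: The `"OpenSSL-FFM".equals(connectorName)` / `BORINGSSL` guard added at the top of `testTls12CipherAvailable` is repeated in the next three hunks (`testTls12CipherNotAvailable`, `testTls13CipherAvailable`, `testTls13CipherNotAvailable`), and only this copy explains itself. Assuming the same reason applies to all four, a small private helper would keep the explanation in one place and, with the message overload of `assumeFalse`, make the skip visible in test reports. `testTls13CipherNotAvailable` would keep its extra `isLibreSSLPre35()` assumption next to the helper call. The test bodies continue outside their hunks.

```java
private void assumeTestCiphersUsable() {
    if ("OpenSSL-FFM".equals(connectorName)) {
        // The functionality works, but the ciphers used by these tests are not available
        Assume.assumeFalse("test ciphers are not available with BoringSSL",
                openssl_h_Compatibility.BORINGSSL);
    }
}

@Test
public void testTls12CipherAvailable() throws Exception {
    assumeTestCiphersUsable();
    // … unchanged: client-side TLS configuration and the request …
```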
> @@ -100,6 +106,9 @@ public class TestSSLHostConfigCipher extends
> TomcatBaseTest {
>
> @Test(expected=SSLHandshakeException.class)
> public void testTls12CipherNotAvailable() throws Exception {
> + if ("OpenSSL-FFM".equals(connectorName)) {
> + Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL);
> + }
> // Client-side TLS configuration
> TesterSupport.configureClientSsl(true, new String[] {
> CIPHER_12_NOT_AVAILABLE } );
>
> @@ -109,6 +118,9 @@ public class TestSSLHostConfigCipher extends
> TomcatBaseTest {
>
> @Test
> public void testTls13CipherAvailable() throws Exception {
> + if ("OpenSSL-FFM".equals(connectorName)) {
> + Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL);
> + }
> // Client-side TLS configuration
> TesterSupport.configureClientSsl(new String[] { CIPHER_13_AVAILABLE
> } );
>
> @@ -118,6 +130,11 @@ public class TestSSLHostConfigCipher extends
> TomcatBaseTest {
>
> @Test(expected=SSLHandshakeException.class)
> public void testTls13CipherNotAvailable() throws Exception {
> + if ("OpenSSL-FFM".equals(connectorName)) {
> + // The TLS 1.3 call might not be present
> + Assume.assumeFalse(openssl_h_Compatibility.isLibreSSLPre35());
> + Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL);
> + }
> // Client-side TLS configuration
> TesterSupport.configureClientSsl(new String[] {
> CIPHER_13_NOT_AVAILABLE } );
>
> diff --git a/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java
> b/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java
> index e25347030a..293f6aa1b8 100644
> --- a/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java
> +++ b/test/org/apache/tomcat/util/net/ocsp/OcspBaseTest.java
> @@ -40,6 +40,7 @@ import org.apache.tomcat.util.buf.ByteChunk;
> import org.apache.tomcat.util.net.SSLHostConfig;
> import org.apache.tomcat.util.net.TesterSupport;
> import org.apache.tomcat.util.net.TesterSupport.SimpleServlet;
> +import org.apache.tomcat.util.openssl.openssl_h_Compatibility;
>
> public class OcspBaseTest extends TomcatBaseTest {
>
> @@ -108,6 +109,9 @@ public class OcspBaseTest extends TomcatBaseTest {
> protected void doTest(boolean clientCertValid, boolean serverCertValid,
> ClientCertificateVerification verifyClientCert,
> boolean verifyServerCert, Boolean softFail) throws Exception {
>
> + if ("OpenSSL-FFM".equals(connectorName)) {
> + Assume.assumeFalse(openssl_h_Compatibility.BORINGSSL ||
> openssl_h_Compatibility.isLibreSSLPre35());
> + }
> Assume.assumeFalse(!useOpenSSLTrust && verifyClientCert ==
> ClientCertificateVerification.OPTIONAL_NO_CA);
>
> Tomcat tomcat = getTomcatInstance();
> diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
> index 1140933763..6373485000 100644
> --- a/webapps/docs/changelog.xml
> +++ b/webapps/docs/changelog.xml
> @@ -299,6 +299,10 @@
> <code>OCSP_basic_verify</code> when using an OpenSSL based TLS
> implementation. (markt)
> </add>
> + <fix>
> + Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5.
> + (remm)
> + </fix>
> </changelog>
> </subsection>
> <subsection name="Jasper">
>
>