markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new b036246129 Remove some SSLv2 related code.
b036246129 is described below
commit b03624612939d4548729bc9e975ca1dfe65c8a09
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Feb 10 11:47:09 2026 +0000
Remove some SSLv2 related code.
SSLv2 has been disabled for years. Remove remaining unnecessary
configuration code. Add tests to ensure SSLv2 is treated the same way as
an unknown protocol.
---
.../tomcat/util/net/openssl/OpenSSLContext.java | 5 -
.../tomcat/util/net/openssl/OpenSSLEngine.java | 15 +--
.../ciphers/OpenSSLCipherConfigurationParser.java | 5 +-
.../util/net/openssl/panama/OpenSSLContext.java | 5 -
.../util/net/openssl/panama/OpenSSLEngine.java | 17 +---
.../tomcat/util/net/TestSSLHostConfigProtocol.java | 105 +++++++++++++++++++++
.../util/net/openssl/ciphers/TestCipher.java | 14 ---
.../TestOpenSSLCipherConfigurationParser.java | 29 ++++--
webapps/docs/config/http.xml | 3 +-
9 files changed, 136 insertions(+), 62 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
index b196f9aa87..982aaa0bfc 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java
@@ -131,8 +131,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
for (String protocol : sslHostConfig.getEnabledProtocols()) {
if (Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(protocol))
{
// NO-OP. OpenSSL always supports SSLv2Hello
- } else if
(Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(protocol)) {
- value |= SSL.SSL_PROTOCOL_SSLV2;
} else if
(Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(protocol)) {
value |= SSL.SSL_PROTOCOL_SSLV3;
} else if
(Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(protocol)) {
@@ -432,9 +430,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
if ((opts & SSL.SSL_OP_NO_TLSv1_2) == 0) {
enabled.add(Constants.SSL_PROTO_TLSv1_2);
}
- if ((opts & SSL.SSL_OP_NO_SSLv2) == 0) {
- enabled.add(Constants.SSL_PROTO_SSLv2);
- }
if ((opts & SSL.SSL_OP_NO_SSLv3) == 0) {
enabled.add(Constants.SSL_PROTO_SSLv3);
}
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index af8fddf217..7e0fc8078a 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -101,7 +101,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
HashSet<String> protocols = new HashSet<>();
protocols.add(Constants.SSL_PROTO_SSLv2Hello);
- protocols.add(Constants.SSL_PROTO_SSLv2);
protocols.add(Constants.SSL_PROTO_SSLv3);
protocols.add(Constants.SSL_PROTO_TLSv1);
protocols.add(Constants.SSL_PROTO_TLSv1_1);
@@ -822,9 +821,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
if ((opts & SSL.SSL_OP_NO_TLSv1_2) == 0) {
enabled.add(Constants.SSL_PROTO_TLSv1_2);
}
- if ((opts & SSL.SSL_OP_NO_SSLv2) == 0) {
- enabled.add(Constants.SSL_PROTO_SSLv2);
- }
if ((opts & SSL.SSL_OP_NO_SSLv3) == 0) {
enabled.add(Constants.SSL_PROTO_SSLv3);
}
@@ -843,7 +839,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
if (destroyed) {
return;
}
- boolean sslv2 = false;
boolean sslv3 = false;
boolean tlsv1 = false;
boolean tlsv1_1 = false;
@@ -852,9 +847,7 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
if (!IMPLEMENTED_PROTOCOLS_SET.contains(p)) {
throw new
IllegalArgumentException(sm.getString("engine.unsupportedProtocol", p));
}
- if (p.equals(Constants.SSL_PROTO_SSLv2)) {
- sslv2 = true;
- } else if (p.equals(Constants.SSL_PROTO_SSLv3)) {
+ if (p.equals(Constants.SSL_PROTO_SSLv3)) {
sslv3 = true;
} else if (p.equals(Constants.SSL_PROTO_TLSv1)) {
tlsv1 = true;
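Review bot: A caller that still passes `SSLv2` in the protocol array now fails the `!IMPLEMENTED_PROTOCOLS_SET.contains(p)` check at the top of this loop and gets an `IllegalArgumentException`, assuming the set is built from the `protocols` HashSet edited in the first hunk of this file. That turns silent acceptance into a hard failure, and neither new test in this commit exercises the engine directly. I would add an engine-level test that passes `SSLv2` and expects the exception, and note it in the method's Javadoc, e.g. `@throws IllegalArgumentException if a protocol (including SSLv2) is not implemented`. The same applies to the `switch (p)` hunk in panama/OpenSSLEngine.java, where the `Set.of(...)` change is visible; the enclosing method starts and ends outside both hunks.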
@@ -866,10 +859,8 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
}
// Enable all and then disable what we not want
SSL.setOptions(state.ssl, SSL.SSL_OP_ALL);
-
- if (!sslv2) {
- SSL.setOptions(state.ssl, SSL.SSL_OP_NO_SSLv2);
- }
+ // Always disable SSLv2
+ SSL.setOptions(state.ssl, SSL.SSL_OP_NO_SSLv2);
if (!sslv3) {
SSL.setOptions(state.ssl, SSL.SSL_OP_NO_SSLv3);
}
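Review bot: The comment `// Always disable SSLv2` on the now-unconditional `SSL.setOptions(state.ssl, SSL.SSL_OP_NO_SSLv2)` says what the line does but not why it stays once SSLv2 can no longer be requested. A later clean-up could mistake it for dead code, so I would write `// SSLv2 is never configurable; set the option unconditionally so a native library that still implements it cannot negotiate it`. The context comment above would also read better as `// Enable all and then disable what we do not want`. Both points apply to the matching hunk in panama/OpenSSLEngine.java; the method body continues outside the hunk.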
diff --git
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 666bbad903..6c7b49ae44 100644
---
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -503,7 +503,6 @@ public class OpenSSLCipherConfigurationParser {
addListAlias(Constants.SSL_PROTO_TLSv1_0, filterByProtocol(allCiphers,
Collections.singleton(Protocol.TLSv1)));
addListAlias(Constants.SSL_PROTO_SSLv3, filterByProtocol(allCiphers,
Collections.singleton(Protocol.SSLv3)));
aliases.put(Constants.SSL_PROTO_TLSv1,
aliases.get(Constants.SSL_PROTO_TLSv1_0));
- addListAlias(Constants.SSL_PROTO_SSLv2, filterByProtocol(allCiphers,
Collections.singleton(Protocol.SSLv2)));
addListAlias(DH, filterByKeyExchange(allCiphers,
new HashSet<>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd,
KeyExchange.EDH))));
Set<Cipher> adh = filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.EDH));
@@ -566,15 +565,13 @@ public class OpenSSLCipherConfigurationParser {
addListAlias(kSRP, filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.SRP)));
addListAlias(SRP, filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.SRP)));
initialized = true;
- // Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2
addListAlias(DEFAULT, parse(
-
"ALL:!EXPORT:!eNULL:!aNULL:!SSLv2:!DES:!RC2:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM:!3DES:!ARIA"));
+
"ALL:!EXPORT:!eNULL:!aNULL:!DES:!RC2:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM:!3DES:!ARIA"));
// COMPLEMENTOFDEFAULT is also not exactly as defined by the docs
LinkedHashSet<Cipher> complementOfDefault =
filterByKeyExchange(all, new
HashSet<>(Arrays.asList(KeyExchange.EDH, KeyExchange.EECDH)));
complementOfDefault = filterByAuthentication(complementOfDefault,
Collections.singleton(Authentication.aNULL));
aliases.get(eNULL).forEach(complementOfDefault::remove);
- complementOfDefault.addAll(aliases.get(Constants.SSL_PROTO_SSLv2));
complementOfDefault.addAll(aliases.get(EXPORT));
complementOfDefault.addAll(aliases.get(DES));
complementOfDefault.addAll(aliases.get(TRIPLE_DES));
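Review bot: Existing `ciphers` values that still contain `!SSLv2` are not covered by this change. With the `SSLv2` alias no longer registered through `addListAlias`, that token reaches whatever `parse` does with an unknown element, which is outside this hunk. `!SSLv2` is common in hardened cipher strings, so I would add a parser test asserting that a specification such as `HIGH:!SSLv2` yields the same set as `HIGH`. I would also leave a comment where the alias was removed, e.g. `// No SSLv2 alias: SSLv2 is never available, so the token is handled like any unknown element`. The static initialiser continues outside the hunk.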
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 9a21564c96..fcdd12afa2 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -193,8 +193,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
for (String enabledProtocol : sslHostConfig.getEnabledProtocols())
{
if
(Constants.SSL_PROTO_SSLv2Hello.equalsIgnoreCase(enabledProtocol)) {
// NO-OP. OpenSSL always supports SSLv2Hello
- } else if
(Constants.SSL_PROTO_SSLv2.equalsIgnoreCase(enabledProtocol)) {
- protocol |= SSL_PROTOCOL_SSLV2;
} else if
(Constants.SSL_PROTO_SSLv3.equalsIgnoreCase(enabledProtocol)) {
protocol |= SSL_PROTOCOL_SSLV3;
} else if
(Constants.SSL_PROTO_TLSv1.equalsIgnoreCase(enabledProtocol)) {
@@ -688,9 +686,6 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
if ((opts & SSL_OP_NO_TLSv1_3()) == 0) {
enabled.add(Constants.SSL_PROTO_TLSv1_3);
}
- if ((opts & SSL_OP_NO_SSLv2()) == 0) {
- enabled.add(Constants.SSL_PROTO_SSLv2);
- }
if ((opts & SSL_OP_NO_SSLv3()) == 0) {
enabled.add(Constants.SSL_PROTO_SSLv3);
}
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 5f236c1429..95ca9edf73 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -87,9 +87,9 @@ public final class OpenSSLEngine extends SSLEngine implements
SSLUtil.ProtocolIn
final Set<String> availableCipherSuites = new LinkedHashSet<>(128);
availableCipherSuites.addAll(OpenSSLLibrary.findCiphers("ALL"));
AVAILABLE_CIPHER_SUITES =
Collections.unmodifiableSet(availableCipherSuites);
- IMPLEMENTED_PROTOCOLS_SET = Set.of(Constants.SSL_PROTO_SSLv2Hello,
Constants.SSL_PROTO_SSLv2,
- Constants.SSL_PROTO_SSLv3, Constants.SSL_PROTO_TLSv1,
Constants.SSL_PROTO_TLSv1_1,
- Constants.SSL_PROTO_TLSv1_2, Constants.SSL_PROTO_TLSv1_3);
+ IMPLEMENTED_PROTOCOLS_SET = Set.of(Constants.SSL_PROTO_SSLv2Hello,
Constants.SSL_PROTO_SSLv3,
+ Constants.SSL_PROTO_TLSv1, Constants.SSL_PROTO_TLSv1_1,
Constants.SSL_PROTO_TLSv1_2,
+ Constants.SSL_PROTO_TLSv1_3);
}
private static final int MAX_PLAINTEXT_LENGTH = 16 * 1024; // 2^14
@@ -740,9 +740,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
if ((opts & SSL_OP_NO_TLSv1_3()) == 0) {
enabled.add(Constants.SSL_PROTO_TLSv1_3);
}
- if ((opts & SSL_OP_NO_SSLv2()) == 0) {
- enabled.add(Constants.SSL_PROTO_SSLv2);
- }
if ((opts & SSL_OP_NO_SSLv3()) == 0) {
enabled.add(Constants.SSL_PROTO_SSLv3);
}
@@ -762,7 +759,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
if (destroyed) {
return;
}
- boolean sslv2 = false;
boolean sslv3 = false;
boolean tlsv1 = false;
boolean tlsv1_1 = false;
@@ -773,7 +769,6 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
throw new
IllegalArgumentException(sm.getString("engine.unsupportedProtocol", p));
}
switch (p) {
- case Constants.SSL_PROTO_SSLv2 -> sslv2 = true;
case Constants.SSL_PROTO_SSLv3 -> sslv3 = true;
case Constants.SSL_PROTO_TLSv1 -> tlsv1 = true;
case Constants.SSL_PROTO_TLSv1_1 -> tlsv1_1 = true;
@@ -783,10 +778,8 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
}
// Enable all and then disable what we not want
openssl_h_Compatibility.SSL_set_options(state.ssl, SSL_OP_ALL());
-
- if (!sslv2) {
- openssl_h_Compatibility.SSL_set_options(state.ssl,
SSL_OP_NO_SSLv2());
- }
+ // Always disable SSLv2
+ openssl_h_Compatibility.SSL_set_options(state.ssl, SSL_OP_NO_SSLv2());
if (!sslv3) {
openssl_h_Compatibility.SSL_set_options(state.ssl,
SSL_OP_NO_SSLv3());
}
diff --git a/test/org/apache/tomcat/util/net/TestSSLHostConfigProtocol.java
b/test/org/apache/tomcat/util/net/TestSSLHostConfigProtocol.java
new file mode 100644
index 0000000000..2db6cde512
--- /dev/null
+++ b/test/org/apache/tomcat/util/net/TestSSLHostConfigProtocol.java
@@ -0,0 +1,105 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+
+@RunWith(Parameterized.class)
+public class TestSSLHostConfigProtocol extends TomcatBaseTest {
+
+ @Parameterized.Parameters(name = "{0}")
+ public static Collection<Object[]> parameters() {
+ List<Object[]> parameterSets = new ArrayList<>();
+ parameterSets.add(new Object[] {
+ "JSSE", Boolean.FALSE,
"org.apache.tomcat.util.net.jsse.JSSEImplementation"});
+ parameterSets.add(new Object[] {
+ "OpenSSL", Boolean.TRUE,
"org.apache.tomcat.util.net.openssl.OpenSSLImplementation"});
+ parameterSets.add(new Object[] {
+ "OpenSSL-FFM", Boolean.TRUE,
"org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation"});
+
+ return parameterSets;
+ }
+
+ @Parameter(0)
+ public String connectorName;
+
+ @Parameter(1)
+ public boolean useOpenSSL;
+
+ @Parameter(2)
+ public String sslImplementationName;
+
+ @Override
+ public void setUp() throws Exception {
+ super.setUp();
+
+ Tomcat tomcat = getTomcatInstance();
+
+ // Server-side TLS configuration
+ TesterSupport.initSsl(tomcat);
+ TesterSupport.configureSSLImplementation(tomcat,
sslImplementationName, useOpenSSL);
+ }
+
+
+ @Test
+ public void testSSLv2() throws Exception {
+ doTestIgnoreProtocol("SSLv2");
+ }
+
+
+ @Test
+ public void testUnknown() throws Exception {
+ doTestIgnoreProtocol("Unknown");
+ }
+
+
+ private void doTestIgnoreProtocol(String protocol) throws Exception {
+ SSLHostConfig sslHostConfig = getSSLHostConfig();
+
+ sslHostConfig.setProtocols("+" + protocol + "+TLSv1.2");
+
+ Tomcat tomcat = getTomcatInstance();
+ tomcat.start();
+
+ // Expect only TLSv1.2 as unrecognised protocol should always be
disabled
+ String[] enabledProtocols = sslHostConfig.getEnabledProtocols();
+
+ Assert.assertNotNull(enabledProtocols);
+ Assert.assertEquals(1, enabledProtocols.length);
+ Assert.assertEquals("TLSv1.2", enabledProtocols[0]);
+ }
+
+
+ private SSLHostConfig getSSLHostConfig() {
+ Tomcat tomcat = getTomcatInstance();
+ Connector connector = tomcat.getConnector();
+ return connector.findSslHostConfigs()[0];
+ }
+
+}
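Review bot: `doTestIgnoreProtocol` only feeds the exact-case token `SSLv2`, while the branches removed from both `OpenSSLContext` classes matched with `equalsIgnoreCase`, so `sslv2` is a separate input that this test leaves unpinned. Whether `SSLHostConfig.setProtocols` normalises case is not visible here, so I would add `@Test public void testSSLv2LowerCase() throws Exception { doTestIgnoreProtocol("sslv2"); }`. The class also has no Javadoc. A one-line summary saying that SSLv2 and unknown protocol names must be dropped from the enabled set for JSSE, OpenSSL and OpenSSL-FFM would tell a maintainer what the parameterisation is guarding.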
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestCipher.java
b/test/org/apache/tomcat/util/net/openssl/ciphers/TestCipher.java
index 9b9eb5ead7..4753a4814e 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestCipher.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestCipher.java
@@ -362,8 +362,6 @@ public class TestCipher {
"AES256-CCM8+TLSv1.2",
"ARIA128-GCM-SHA256+TLSv1.2",
"ARIA256-GCM-SHA384+TLSv1.2",
- "DES-CBC-MD5+SSLv2",
- "DES-CBC3-MD5+SSLv2",
"DHE-DSS-ARIA128-GCM-SHA256+TLSv1.2",
"DHE-DSS-ARIA256-GCM-SHA384+TLSv1.2",
"DHE-PSK-AES128-CCM+TLSv1.2",
@@ -403,9 +401,6 @@ public class TestCipher {
"ECDHE-RSA-CAMELLIA128-SHA256+TLSv1.2",
"ECDHE-RSA-CAMELLIA256-SHA384+TLSv1.2",
"ECDHE-RSA-CHACHA20-POLY1305+TLSv1.2",
- "EXP-RC2-CBC-MD5+SSLv2",
- "EXP-RC4-MD5+SSLv2",
- "IDEA-CBC-MD5+SSLv2",
"PSK-AES128-CCM+TLSv1.2",
"PSK-AES128-CCM8+TLSv1.2",
"PSK-AES256-CCM+TLSv1.2",
@@ -415,8 +410,6 @@ public class TestCipher {
"PSK-CAMELLIA128-SHA256+TLSv1",
"PSK-CAMELLIA256-SHA384+TLSv1",
"PSK-CHACHA20-POLY1305+TLSv1.2",
- "RC2-CBC-MD5+SSLv2",
- "RC4-MD5+SSLv2",
"RSA-PSK-ARIA128-GCM-SHA256+TLSv1.2",
"RSA-PSK-ARIA256-GCM-SHA384+TLSv1.2",
"RSA-PSK-CAMELLIA128-SHA256+TLSv1",
@@ -576,8 +569,6 @@ public class TestCipher {
"CAMELLIA256-SHA+SSLv3",
"CAMELLIA128-SHA256+TLSv1.2",
"CAMELLIA256-SHA256+TLSv1.2",
- "DES-CBC-MD5+SSLv2",
- "DES-CBC3-MD5+SSLv2",
"DH-DSS-AES128-GCM-SHA256+TLSv1.2",
"DH-DSS-AES256-GCM-SHA384+TLSv1.2",
"DH-DSS-AES128-SHA+SSLv3",
@@ -675,9 +666,6 @@ public class TestCipher {
"ECDHE-RSA-CHACHA20-POLY1305+TLSv1.2",
"EXP-DH-DSS-DES-CBC-SHA+SSLv3",
"EXP-DH-RSA-DES-CBC-SHA+SSLv3",
- "EXP-RC2-CBC-MD5+SSLv2",
- "EXP-RC4-MD5+SSLv2",
- "IDEA-CBC-MD5+SSLv2",
"IDEA-CBC-SHA+SSLv3",
"PSK-3DES-EDE-CBC-SHA+SSLv3",
"PSK-AES128-CBC-SHA+SSLv3",
@@ -699,8 +687,6 @@ public class TestCipher {
"PSK-NULL-SHA256+TLSv1",
"PSK-NULL-SHA384+TLSv1",
"PSK-RC4-SHA+SSLv3",
- "RC2-CBC-MD5+SSLv2",
- "RC4-MD5+SSLv2",
"RSA-PSK-3DES-EDE-CBC-SHA+SSLv3",
"RSA-PSK-AES128-CBC-SHA+SSLv3",
"RSA-PSK-AES128-CBC-SHA256+TLSv1",
diff --git
a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 1c2b94644e..06a41f9d42 100644
---
a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++
b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -286,12 +286,6 @@ public class TestOpenSSLCipherConfigurationParser {
}
- @Test
- public void testSSLv2() throws Exception {
- testSpecification("SSLv2");
- }
-
-
@Test
public void testDH() throws Exception {
testSpecification("DH");
@@ -544,8 +538,8 @@ public class TestOpenSSLCipherConfigurationParser {
@Test
public void testSpecification02() throws Exception {
- // Suggestion from dev list (s/ECDHE/kEECDH/, s/DHE/EDH/
-
testSpecification("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:aRSA:kECDHr:MEDIUM");
+ // Suggestion from dev list (s/ECDHE/kEECDH/, s/DHE/EDH/, s/\!SSLv2//)
+
testSpecification("!aNULL:!eNULL:!EXPORT:!DSS:!DES:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:aRSA:kECDHr:MEDIUM");
}
@@ -571,6 +565,25 @@ public class TestOpenSSLCipherConfigurationParser {
}
+ @Test
+ public void testSpecificationIsEmptyNonsense() throws Exception {
+ testSpecificationIsEmpty("Nonsense");
+ }
+
+
+ @Test
+ public void testSpecificationIsEmptySSLv2() throws Exception {
+ testSpecificationIsEmpty("SSLv2");
+ }
+
+
+ private void testSpecificationIsEmpty(String specification) throws
Exception {
+ String openSSLCipherList =
TesterOpenSSL.getOpenSSLCiphersAsExpression(specification);
+ Assert.assertEquals("Specification [" + specification + "] returned ["
+ openSSLCipherList +
+ "] rather than the expected empty list", "",
openSSLCipherList);
+ }
+
+
private void testSpecification(String specification) throws Exception {
// Filter out cipher suites that OpenSSL does not implement
String openSSLCipherList =
TesterOpenSSL.getOpenSSLCiphersAsExpression(specification);
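Review bot: `testSpecificationIsEmpty` asserts only on `TesterOpenSSL.getOpenSSLCiphersAsExpression(specification)`, so it checks what the OpenSSL binary returns for `SSLv2` and never calls Tomcat's own parser, which is the code this commit changed. I would add a second assertion that the Java side is empty too, e.g. `Assert.assertTrue(OpenSSLCipherConfigurationParser.parse(specification).isEmpty());` if `parse` is visible to the test. An empty string may also be what the helper returns when the `openssl` invocation itself fails, which would let the test pass without checking anything; that depends on `TesterOpenSSL`, which is not shown. `testSpecification` continues past the end of this hunk.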
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index b43915c4dc..cd9e96f3ac 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1523,8 +1523,7 @@
based secure connector it will always support <code>SSLv2Hello</code>.
If a
single protocol is specified it will not support
<code>SSLv2Hello</code>.</p>
- <p>Note that <code>SSLv2</code> and <code>SSLv3</code> are inherently
- unsafe.</p>
+ <p>Note that <code>SSLv3</code> is inherently unsafe.</p>
<p>If not specified, the default value of <code>all</code> will be
used.</p>
</attribute>