https://bz.apache.org/bugzilla/show_bug.cgi?id=69964

            Bug ID: 69964
           Summary: Tomcat 10.1.52 (9.0.115 as well) does not respect
                    cipher's order
           Product: Tomcat 10
           Version: 10.1.52
          Hardware: All
                OS: All
            Status: NEW
          Severity: regression
          Priority: P2
         Component: Connectors
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ------

Created attachment 40154
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=40154&action=edit
archive contains test, pom and screenshots mentioned in the bug description

Hello,
I am observing the connectivity regression of version 10.1.52 in comparison
with version 10.1.50 (same for 9.0.115 vs 9.0.110).
The cipher order support is not preserved.
I am performing the call

openssl s_client -connect localhost:8115 -no_tls1_3 -cipher
AES128-SHA256:AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256

and expecting that the same cipher will be accepted.

The accepted cipher is different when different Tomcat versions are used. (see
attached screenshots cipher_accept_tomcat_10.1.52 and
cipher_accept_tomcat_10.1.50)

Attached are the test and pom.xml.

I made some additional tests and found that the problem is in the
implementation of getJsseCipherNames routine
(org\apache\tomcat\tomcat-coyote\10.1.50\tomcat-coyote-10.1.50.jar!\org\apache\tomcat\util\net\SSLHostConfig.class).

This function produces a different order for TLSv1.2 ciphers (see attached
screenshots getJsseCipherNames_result_tomcat_10.1.50 and
getJsseCipherNames_result_tomcat_10.1.52).

The reason is the use of HashSet as a temporary name container. This container
does not preserve the input vs output order.
Set<Cipher> jsseCiphers = new HashSet<>();

As I mentioned, the same problem appears in version 9.0.115. I did not test other
versions.

Thank you for your cooperation. Kind Regards,
Michael
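The following is an added illustration of the collection behaviour the report points at; it is not code from Tomcat or from the reporter's attachment. The class name CipherOrderDemo, the method names and the sample cipher list (the JSSE names corresponding to the OpenSSL list in the report, in a constructed configuration order) are all assumptions made here. It shows that de-duplicating a configured cipher list through a HashSet can reorder it, while a LinkedHashSet keeps the configured order, and provides a check a test can run against either result.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added illustration, not Tomcat code: why collecting a configured cipher
 * list into a HashSet can change its order, and why a LinkedHashSet does not.
 */
public class CipherOrderDemo {

    // Constructed sample: JSSE names matching the OpenSSL list in the report,
    // in the order an administrator might configure them (most preferred first).
    static final List<String> CONFIGURED = Arrays.asList(
        "TLS_RSA_WITH_AES_128_CBC_SHA256",        // AES128-SHA256
        "TLS_RSA_WITH_AES_128_GCM_SHA256",        // AES128-GCM-SHA256
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",  // ECDHE-RSA-AES128-SHA256
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  // ECDHE-RSA-AES128-GCM-SHA256
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256");   // DHE-RSA-AES128-SHA256

    /** Mimics the problematic pattern: de-duplicate through a HashSet. */
    static List<String> viaHashSet(List<String> configured) {
        Set<String> names = new HashSet<>();
        names.addAll(configured);   // iteration order follows hash buckets, not input
        return new ArrayList<>(names);
    }

    /** De-duplicates while keeping insertion order. */
    static List<String> viaLinkedHashSet(List<String> configured) {
        Set<String> names = new LinkedHashSet<>();
        names.addAll(configured);   // iteration order equals insertion order
        return new ArrayList<>(names);
    }

    /**
     * True when the de-duplicated result keeps the configured relative order.
     * The LinkedHashSet result is the reference because it is, by contract,
     * the configured list with duplicates removed and order kept.
     */
    static boolean preservesOrder(List<String> configured, List<String> result) {
        return result.equals(viaLinkedHashSet(configured));
    }

    public static void main(String[] args) {
        List<String> hashed = viaHashSet(CONFIGURED);
        List<String> linked = viaLinkedHashSet(CONFIGURED);
        System.out.println("configured    : " + CONFIGURED);
        System.out.println("HashSet       : " + hashed
            + "  ordered=" + preservesOrder(CONFIGURED, hashed));
        System.out.println("LinkedHashSet : " + linked
            + "  ordered=" + preservesOrder(CONFIGURED, linked));
    }
}
```

A HashSet may happen to iterate in insertion order for some inputs, which is why a regression of this kind is easy to miss in a small test; the check above is only meaningful when run against a list long enough to expose the reordering, and the end-to-end confirmation remains the openssl s_client call shown in the report, which reveals which suite the server actually selects.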
