This is an automated email from the ASF dual-hosted git repository. markt-asf pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 010a8d606457ed4ac0686dda4f531b29683cc0f5 Author: Mark Thomas <[email protected]> AuthorDate: Mon Jun 8 10:03:37 2026 +0100 Fix processing of @STRENGTH in OpenSSL format cipher expressions --- .../net/openssl/ciphers/OpenSSLCipherConfigurationParser.java | 1 - .../openssl/ciphers/TestOpenSSLCipherConfigurationParser.java | 11 +++++++++++ webapps/docs/changelog.xml | 5 +++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java index 0f0354f185..b6a860bd01 100644 --- a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java +++ b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java @@ -737,7 +737,6 @@ public class OpenSSLCipherConfigurationParser { } } else if ("@STRENGTH".equals(element)) { strengthSort(ciphers); - break; } else if (aliases.containsKey(element)) { add(ciphers, element); } else if (element.contains(AND)) { diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java index 07f5ead798..41e81cc3e6 100644 --- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java +++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java @@ -485,6 +485,17 @@ public class TestOpenSSLCipherConfigurationParser { } + @Test + public void testSpecification05() throws Exception { + if (TesterOpenSSL.VERSION < 30200) { + // OpenSSL 3.2.x moved the CCM8 ciphers from high to medium + testSpecification("HIGH:!AESCCM8:!aNULL:!eNULL"); + } else { + testSpecification("HIGH:@STRENGTH:!aNULL:!eNULL"); + } + } + + @Test public void testSpecificationIsEmptyNonsense() throws Exception { testSpecificationIsEmpty("Nonsense"); 
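Review bot: In `testSpecification05` the branch taken when `TesterOpenSSL.VERSION < 30200` passes `"HIGH:!AESCCM8:!aNULL:!eNULL"`, which contains no `@STRENGTH`, so on older OpenSSL builds the test never reaches the parser branch this commit fixes. That coverage matters for TLS hardening, because the changelog entry says expressions after `@STRENGTH` were ignored, which in the new test string would be the `!aNULL:!eNULL` exclusions. If the ordering produced by older OpenSSL allows it, keep the keyword in that branch too, e.g. `testSpecification("HIGH:!AESCCM8:@STRENGTH:!aNULL:!eNULL");`. The comment `// OpenSSL 3.2.x moved the CCM8 ciphers from high to medium` sits inside the pre-3.2 branch and would read more clearly above the `if`. The `testSpecification` helper is defined outside the hunk, so what it compares the parsed list against is assumed here.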
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 5234270dfe..c084a0f64e 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -461,6 +461,11 @@ throw an exception if there is an error loading the provided CRL(s). (markt) </fix> + <fix> + Parsing of OpenSSL format cipher expressions incorrectly stopped if + <code>@STRENGTH</code> was encountered, ignoring any subsequent + expressions. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper"> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
