This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 2630e5cb4d Fix processing of @STRENGTH in OpenSSL format cipher
expressions
2630e5cb4d is described below
commit 2630e5cb4da3c856dc22d81891be13b0807cbc07
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Jun 8 10:03:37 2026 +0100
Fix processing of @STRENGTH in OpenSSL format cipher expressions
---
.../net/openssl/ciphers/OpenSSLCipherConfigurationParser.java | 1 -
.../openssl/ciphers/TestOpenSSLCipherConfigurationParser.java | 11 +++++++++++
webapps/docs/changelog.xml | 5 +++++
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 1f505dd592..fbbbfd86e4 100644
---
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -737,7 +737,6 @@ public class OpenSSLCipherConfigurationParser {
}
} else if ("@STRENGTH".equals(element)) {
strengthSort(ciphers);
- break;
} else if (aliases.containsKey(element)) {
add(ciphers, element);
} else if (element.contains(AND)) {
diff --git
a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 07f5ead798..41e81cc3e6 100644
---
a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++
b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -485,6 +485,17 @@ public class TestOpenSSLCipherConfigurationParser {
}
+ @Test
+ public void testSpecification05() throws Exception {
+ if (TesterOpenSSL.VERSION < 30200) {
+ // OpenSSL 3.2.x moved the CCM8 ciphers from high to medium
+ testSpecification("HIGH:!AESCCM8:!aNULL:!eNULL");
+ } else {
+ testSpecification("HIGH:@STRENGTH:!aNULL:!eNULL");
+ }
+ }
+
+
@Test
public void testSpecificationIsEmptyNonsense() throws Exception {
testSpecificationIsEmpty("Nonsense");
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5f6f4f1753..48a77fbbf9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -337,6 +337,11 @@
throw an exception if there is an error loading the provided CRL(s).
(markt)
</fix>
+ <fix>
+ Parsing of OpenSSL format cipher expressions incorrectly stopped if
+ <code>@STRENGTH</code> was encountered, ignoring any subsequent
+ expressions. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
