On 10/08/2015 17:17, Christopher Schultz wrote:
> Mark,
> 
> On 8/10/15 11:20 AM, [email protected] wrote:
>> Author: markt
>> Date: Mon Aug 10 15:20:34 2015
>> New Revision: 1695111
>>
>> URL: http://svn.apache.org/r1695111
>> Log:
>> Fix DEFAULT
>>
>> Modified:
>>     
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
>>
>> Modified: 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
>> URL: 
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1695111&r1=1695110&r2=1695111&view=diff
>> ==============================================================================
>> --- 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
>>  (original)
>> +++ 
>> tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
>>  Mon Aug 10 15:20:34 2015
>> @@ -485,13 +485,12 @@ public class OpenSSLCipherConfigurationP
>>          addListAlias(SRP, filterByKeyExchange(allCiphers, 
>> Collections.singleton(KeyExchange.SRP)));
>>          initialized = true;
>>          // Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2
>> -        addListAlias(DEFAULT, parse("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2"));
>> +        addListAlias(DEFAULT, parse("ALL:!eNULL:!aNULL:!SSLv2"));
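Review bot: dropping `!EXPORT` from the DEFAULT string puts every export-grade suite that `ALL` matches back into DEFAULT, yet the comment directly above the changed line (`// Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2`) still only explains the SSLv2 exclusion and says nothing about why EXPORT is no longer excluded or which OpenSSL version's DEFAULT this is meant to track. The commit message `Fix DEFAULT` gives no rationale either, so a reader of this line cannot tell whether the widening was intended. Suggest either keeping `!EXPORT` in the string, or extending the comment to record the OpenSSL version whose DEFAULT this mirrors and that the omission of `!EXPORT` is deliberate.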
> 
> Do I misunderstand the above? Have you added EXPORT ciphers back into
> the DEFAULT ciphers? That really should not be the default. Recent
> versions of OpenSSL don't include EXPORT in the "ALL" (I think) unless
> specifically requested, but older versions still include them, so we
> ought to be very careful and explicitly exclude them.

We are aiming to mimic OpenSSL behaviour and - with the current code -
we are doing that for trunk and 1.0.2.

OpenSSL trunk includes EXPORT in DEFAULT whereas 1.0.2 does not.

Bizarrely, prior to this change the Tomcat code included it in 8.0.x
(which is tested with 1.0.2) and excluded it with trunk (which is tested
with OpenSSL trunk).

This change was triggered by restoring the experimental export ciphers
in trunk as OpenSSL 1.0.2 still defines them.

I don't think we are ever going to be able to exactly mimic OpenSSL but
absent a test case that shows Tomcat doing something that a) OpenSSL
doesn't do for a given configuration string and b) is really stupid I'm
not going to be too concerned.

I'm more concerned about having consistent behaviour of this feature
between Tomcat 8.0.x and Tomcat trunk.

Mark

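To make the difference between the two DEFAULT strings concrete, here is an added example (not Tomcat's OpenSSLCipherConfigurationParser and not OpenSSL's own code) that evaluates OpenSSL-style cipher strings over a small constructed cipher table. The table rows, the reduced alias set and the rule that unknown words raise an error are all assumptions of this example; the operator semantics it models (`ALL` is everything except eNULL, `!` removes permanently, `-` removes but allows re-adding, `+` moves matches to the end, `@STRENGTH` sorts by key size) follow the ciphers(1) description. Running it shows that `ALL:!eNULL:!aNULL:!SSLv2` keeps the EXP-* suites while `ALL:!EXPORT:!eNULL:!aNULL:!SSLv2` drops them, and why `!EXPORT` cannot be undone later in the string whereas `-EXPORT` can.

```python
"""Toy model of OpenSSL cipher-string evaluation (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    kx: str       # key exchange, e.g. "RSA", "DH", "ECDH"
    au: str       # authentication, "NULL" for anonymous suites
    enc: str      # bulk cipher, "NULL" for no encryption
    bits: int     # effective key size
    proto: str    # protocol the suite is listed under
    export: bool = False   # export-grade (40-bit) suite


# Constructed cipher table: names and attributes resemble OpenSSL's, but this
# is neither OpenSSL's nor Tomcat's list, just enough rows to exercise the
# aliases used in the DEFAULT string under discussion.
CIPHERS = [
    Cipher("ECDHE-RSA-AES128-GCM-SHA256", "ECDH", "RSA", "AESGCM", 128, "TLSv1.2"),
    Cipher("DHE-RSA-AES256-SHA", "DH", "RSA", "AES", 256, "SSLv3"),
    Cipher("AES128-SHA", "RSA", "RSA", "AES", 128, "SSLv3"),
    Cipher("DES-CBC3-SHA", "RSA", "RSA", "3DES", 168, "SSLv3"),
    Cipher("ADH-AES128-SHA", "DH", "NULL", "AES", 128, "SSLv3"),
    Cipher("NULL-SHA", "RSA", "RSA", "NULL", 0, "SSLv3"),
    Cipher("EXP-RC4-MD5", "RSA(512)", "RSA", "RC4", 40, "SSLv3", export=True),
    Cipher("EXP-DES-CBC-SHA", "RSA(512)", "RSA", "DES", 40, "SSLv3", export=True),
    Cipher("DES-CBC3-MD5", "RSA", "RSA", "3DES", 168, "SSLv2"),
]

# Reduced subset of the OpenSSL aliases, each a predicate over a Cipher.
ALIASES = {
    "ALL": lambda c: c.enc != "NULL",          # everything except eNULL
    "COMPLEMENTOFALL": lambda c: c.enc == "NULL",
    "EXPORT": lambda c: c.export,
    "EXP": lambda c: c.export,
    "eNULL": lambda c: c.enc == "NULL",
    "NULL": lambda c: c.enc == "NULL",
    "aNULL": lambda c: c.au == "NULL",
    "SSLv2": lambda c: c.proto == "SSLv2",
    "SSLv3": lambda c: c.proto == "SSLv3",
    "TLSv1.2": lambda c: c.proto == "TLSv1.2",
    "RSA": lambda c: c.kx.startswith("RSA"),
    "aRSA": lambda c: c.au == "RSA",
    "ECDH": lambda c: c.kx == "ECDH",
    "DH": lambda c: c.kx == "DH",
}


def _matches(cipher, word):
    """True if `word` (an alias or an exact suite name) selects `cipher`."""
    if word in ALIASES:
        return ALIASES[word](cipher)
    if any(c.name == word for c in CIPHERS):
        return cipher.name == word
    # Assumption of this example: unknown words are an error.
    raise ValueError(f"unknown cipher or alias: {word}")


def parse(spec):
    """Evaluate a cipher string over CIPHERS; returns suite names in order."""
    selected = []     # current ordered list
    killed = set()    # suites removed with '!' can never be re-added
    for token in spec.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            selected.sort(key=lambda c: c.bits, reverse=True)  # stable sort
            continue
        op = token[0] if token[0] in "!-+" else ""
        words = (token[1:] if op else token).split("+")  # 'A+B' means A and B
        matched = [c for c in CIPHERS if all(_matches(c, w) for w in words)]
        if op == "!":
            killed.update(c.name for c in matched)
            selected = [c for c in selected if c.name not in killed]
        elif op == "-":
            selected = [c for c in selected if c not in matched]
        elif op == "+":
            moved = [c for c in selected if c in matched]
            selected = [c for c in selected if c not in matched] + moved
        else:
            for c in matched:
                if c not in selected and c.name not in killed:
                    selected.append(c)
    return [c.name for c in selected]


def export_suites(spec):
    """Export-grade suites that survive `spec`, sorted for easy comparison."""
    names = parse(spec)
    return sorted(c.name for c in CIPHERS if c.export and c.name in names)


if __name__ == "__main__":
    for s in ("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2", "ALL:!eNULL:!aNULL:!SSLv2"):
        print(f"{s:36} -> export suites: {export_suites(s) or 'none'}")
```

The check a practitioner would actually run is the same comparison against the real thing: `openssl ciphers -v 'DEFAULT'` on each OpenSSL version in play, looking for `Enc=RC4(40)` or `Enc=DES(40)` rows, since which suites `ALL` and `DEFAULT` expand to is a property of the linked OpenSSL, not of the string.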