Author: markt
Date: Tue Aug 11 14:56:56 2015
New Revision: 1695320
URL: http://svn.apache.org/r1695320
Log:
Sync OpenSSL parsing and associated tests with trunk
Modified:
tomcat/tc8.0.x/trunk/build.xml
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
Modified: tomcat/tc8.0.x/trunk/build.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/build.xml?rev=1695320&r1=1695319&r2=1695320&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/build.xml (original)
+++ tomcat/tc8.0.x/trunk/build.xml Tue Aug 11 14:56:56 2015
@@ -179,12 +179,9 @@
<property name="test.jvmarg.egd" value="" />
<!-- Location of OpenSSL binary (file name, not directory) -->
+ <!-- The OpenSSL tests cases be disabled by specifing an invalid path here
-->
<property name="test.openssl.path" value="" />
- <!-- Accepted version of OpenSSL. The output of "openssl version"
- must start with "OpenSSL " plus value of this property. -->
- <property name="test.openssl.version" value="1.0.2" />
-
<!-- Include .gitignore in src distributions. -->
<!-- .git and .gitignore are in defaultexcludes since Ant 1.8.2 -->
<defaultexcludes add="**/.git" />
@@ -1438,7 +1435,6 @@
<sysproperty key="tomcat.test.accesslog" value="${test.accesslog}" />
<sysproperty key="tomcat.test.reports" value="${test.reports}" />
<sysproperty key="tomcat.test.openssl.path"
value="${test.openssl.path}" />
- <sysproperty key="tomcat.test.openssl.version"
value="${test.openssl.version}" />
<sysproperty key="tomcat.test.relaxTiming" value="${test.relaxTiming}"
/>
<!-- File for Cobertura to write coverage results to -->
<sysproperty key="net.sourceforge.cobertura.datafile"
file="${cobertura.datafile}" />
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java?rev=1695320&r1=1695319&r2=1695320&view=diff
==============================================================================
---
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
(original)
+++
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Cipher.java
Tue Aug 11 14:56:56 2015
@@ -4020,7 +4020,7 @@ public enum Cipher {
// RC2_128_CBC_WITH_MD5
SSL_CK_RC2_128_CBC_WITH_MD5(
-1,
- "RC2-MD5",
+ "RC2-CBC-MD5",
KeyExchange.RSA,
Authentication.RSA,
Encryption.RC2,
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1695320&r1=1695319&r2=1695320&view=diff
==============================================================================
---
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
(original)
+++
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
Tue Aug 11 14:56:56 2015
@@ -485,12 +485,13 @@ public class OpenSSLCipherConfigurationP
addListAlias(SRP, filterByKeyExchange(allCiphers,
Collections.singleton(KeyExchange.SRP)));
initialized = true;
// Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2
- addListAlias(DEFAULT, parse("ALL:!eNULL:!aNULL:!SSLv2"));
+ addListAlias(DEFAULT, parse("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2"));
// COMPLEMENTOFDEFAULT is also not exactly as defined by the docs
Set<Cipher> complementOfDefault = filterByKeyExchange(all, new
HashSet<>(Arrays.asList(KeyExchange.EDH,KeyExchange.EECDH)));
complementOfDefault = filterByAuthentication(complementOfDefault,
Collections.singleton(Authentication.aNULL));
complementOfDefault.removeAll(aliases.get(eNULL));
complementOfDefault.addAll(aliases.get(Constants.SSL_PROTO_SSLv2));
+ complementOfDefault.addAll(aliases.get(EXPORT));
addListAlias(COMPLEMENTOFDEFAULT, complementOfDefault);
}
Modified:
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java?rev=1695320&r1=1695319&r2=1695320&view=diff
==============================================================================
---
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java
(original)
+++
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestCipher.java
Tue Aug 11 14:56:56 2015
@@ -23,16 +23,10 @@ import java.util.List;
import java.util.Set;
import org.junit.Assert;
-import org.junit.Assume;
-import org.junit.Before;
import org.junit.Test;
public class TestCipher {
- @Before
- public void checkVersion() {
- Assume.assumeTrue(TesterOpenSSL.IS_EXPECTED_VERSION);
- }
/*
* Checks that every cipher suite returned by OpenSSL is mapped to at least
@@ -43,6 +37,7 @@ public class TestCipher {
public void testAllOpenSSLCiphersMapped() throws Exception {
Set<String> openSSLCipherSuites =
TesterOpenSSL.getOpenSSLCiphersAsSet("ALL:eNULL");
+ StringBuilder errors = new StringBuilder();
for (String openSSLCipherSuite : openSSLCipherSuites) {
List<String> jsseCipherSuites =
OpenSSLCipherConfigurationParser.parseExpression(openSSLCipherSuite);
@@ -52,21 +47,22 @@ public class TestCipher {
for (String jsseCipherSuite : jsseCipherSuites) {
if (jsseImpl.getStandardNames().contains(jsseCipherSuite))
{
found = true;
- Assert.assertFalse("Mapping found in " +
jsseImpl.getVendor() +
+ if
(jsseImpl.getOpenSslUnmapped().contains(openSSLCipherSuite)) {
+ errors.append("Mapping found in " +
jsseImpl.getVendor() +
"'s JSSE implementation for " +
openSSLCipherSuite +
- " when none was expected",
-
jsseImpl.getOpenSslUnmapped().contains(openSSLCipherSuite));
+ " when none was expected\n");
+ }
break;
}
}
- if (!found) {
- Assert.assertTrue("No mapping found in " +
jsseImpl.getVendor() +
+ if (!found &&
!jsseImpl.getOpenSslUnmapped().contains(openSSLCipherSuite)) {
+ errors.append("No mapping found in " +
jsseImpl.getVendor() +
"'s JSSE implementation for " + openSSLCipherSuite
+
- " when one was expected",
-
jsseImpl.getOpenSslUnmapped().contains(openSSLCipherSuite));
+ " when one was expected\n");
}
}
}
+ Assert.assertTrue(errors.toString(), errors.length() == 0);
}
@@ -77,49 +73,17 @@ public class TestCipher {
*/
@Test
public void testOpenSSLCipherAvailability() throws Exception {
- Set<String> availableCipherSuites =
TesterOpenSSL.getOpenSSLCiphersAsSet("ALL:eNULL");
+ // OpenSSL 0.9.8 does not include aNULL or eNULL in all.
+ // OpenSSL does not include ECDH/ECDHE ciphers in all and there is no
+ // EC alias. Use aRSA.
+ // OpenSSL 1.0.0 onwards does not include eNULL in all.
+ Set<String> availableCipherSuites =
TesterOpenSSL.getOpenSSLCiphersAsSet("ALL:eNULL:aNULL:aRSA");
Set<String> expectedCipherSuites = new HashSet<>();
for (Cipher cipher : Cipher.values()) {
- String openSSLAlias = cipher.getOpenSSLAlias();
- // OpenSSL does not implement any FORTEZZA algorithms so exclude
- // them from the expected list
- if (openSSLAlias.contains("FZA")) {
- continue;
- }
- // GOST algorithms are not enabled by default and no JSSE
- // implementation supports them so exclude them from the expected
- // list
- if (openSSLAlias.contains("GOST")) {
- continue;
- }
- // OpenSSL does not enable the experimental EXP1024 and
- // DHE-DSS-RC4-SHA cipher suites unless the source is explicitly
- // patched so exclude them from the expected list
- if (openSSLAlias.contains("EXP1024")) {
- continue;
- }
- if (openSSLAlias.contains("DHE-DSS-RC4-SHA")) {
+ if (TesterOpenSSL.OPENSSL_UNIMPLEMENTED_CIPHERS.contains(cipher)) {
continue;
}
- // OpenSSL removed (broken) support for EXP-DH-RSA-DES-CBC-SHA
- // and EXP-DH-DSS-DES-CBC-SHA on 2015-05-23.
- if (openSSLAlias.contains("EXP-DH-")) {
- continue;
- }
- // RC2-MD5 is not referenced in the OpenSSL source so exclude it
- // from the expected list
- if (openSSLAlias.contains("RC2-MD5")) {
- continue;
- }
- // Added in OpenSSL 1.1.0 but the 8.0.x tests are configured for
- // 1.0.2
- if (cipher.getProtocol().equals(Protocol.TLSv1_2) &&
- (cipher.getEnc().equals(Encryption.CAMELLIA256) ||
- cipher.getEnc().equals(Encryption.CAMELLIA128)||
- cipher.getAu().equals(Authentication.PSK))) {
- continue;
- }
- expectedCipherSuites.add(openSSLAlias + "+" +
+ expectedCipherSuites.add(cipher.getOpenSSLAlias() + "+" +
cipher.getProtocol().getOpenSSLName());
}
@@ -396,11 +360,27 @@ public class TestCipher {
Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
"DES-CBC-MD5+SSLv2",
"DES-CBC3-MD5+SSLv2",
+ "DHE-PSK-CAMELLIA128-SHA256+SSLv3",
+ "DHE-PSK-CAMELLIA256-SHA384+SSLv3",
+ "ECDH-ECDSA-CAMELLIA128-SHA256+TLSv1.2",
+ "ECDH-ECDSA-CAMELLIA256-SHA384+TLSv1.2",
+ "ECDH-RSA-CAMELLIA128-SHA256+TLSv1.2",
+ "ECDH-RSA-CAMELLIA256-SHA384+TLSv1.2",
+ "ECDHE-ECDSA-CAMELLIA128-SHA256+TLSv1.2",
+ "ECDHE-ECDSA-CAMELLIA256-SHA384+TLSv1.2",
+ "ECDHE-PSK-CAMELLIA128-SHA256+SSLv3",
+ "ECDHE-PSK-CAMELLIA256-SHA384+SSLv3",
+ "ECDHE-RSA-CAMELLIA128-SHA256+TLSv1.2",
+ "ECDHE-RSA-CAMELLIA256-SHA384+TLSv1.2",
"EXP-RC2-CBC-MD5+SSLv2",
"EXP-RC4-MD5+SSLv2",
"IDEA-CBC-MD5+SSLv2",
+ "PSK-CAMELLIA128-SHA256+SSLv3",
+ "PSK-CAMELLIA256-SHA384+SSLv3",
"RC2-CBC-MD5+SSLv2",
- "RC4-MD5+SSLv2")));
+ "RC4-MD5+SSLv2",
+ "RSA-PSK-CAMELLIA128-SHA256+SSLv3",
+ "RSA-PSK-CAMELLIA256-SHA384+SSLv3")));
/**
@@ -539,9 +519,13 @@ public class TestCipher {
Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
"ADH-CAMELLIA128-SHA+SSLv3",
"ADH-CAMELLIA256-SHA+SSLv3",
+ "ADH-CAMELLIA128-SHA256+TLSv1.2",
+ "ADH-CAMELLIA256-SHA256+TLSv1.2",
"ADH-SEED-SHA+SSLv3",
"CAMELLIA128-SHA+SSLv3",
"CAMELLIA256-SHA+SSLv3",
+ "CAMELLIA128-SHA256+TLSv1.2",
+ "CAMELLIA256-SHA256+TLSv1.2",
"DES-CBC-MD5+SSLv2",
"DES-CBC3-MD5+SSLv2",
"DH-DSS-AES128-GCM-SHA256+TLSv1.2",
@@ -551,7 +535,9 @@ public class TestCipher {
"DH-DSS-AES256-SHA+SSLv3",
"DH-DSS-AES256-SHA256+TLSv1.2",
"DH-DSS-CAMELLIA128-SHA+SSLv3",
+ "DH-DSS-CAMELLIA128-SHA256+TLSv1.2",
"DH-DSS-CAMELLIA256-SHA+SSLv3",
+ "DH-DSS-CAMELLIA256-SHA256+TLSv1.2",
"DH-DSS-DES-CBC-SHA+SSLv3",
"DH-DSS-DES-CBC3-SHA+SSLv3",
"DH-DSS-SEED-SHA+SSLv3",
@@ -562,16 +548,54 @@ public class TestCipher {
"DH-RSA-AES256-SHA+SSLv3",
"DH-RSA-AES256-SHA256+TLSv1.2",
"DH-RSA-CAMELLIA128-SHA+SSLv3",
+ "DH-RSA-CAMELLIA128-SHA256+TLSv1.2",
"DH-RSA-CAMELLIA256-SHA+SSLv3",
+ "DH-RSA-CAMELLIA256-SHA256+TLSv1.2",
"DH-RSA-DES-CBC-SHA+SSLv3",
"DH-RSA-DES-CBC3-SHA+SSLv3",
"DH-RSA-SEED-SHA+SSLv3",
"DHE-DSS-CAMELLIA128-SHA+SSLv3",
+ "DHE-DSS-CAMELLIA128-SHA256+TLSv1.2",
"DHE-DSS-CAMELLIA256-SHA+SSLv3",
+ "DHE-DSS-CAMELLIA256-SHA256+TLSv1.2",
"DHE-DSS-SEED-SHA+SSLv3",
+ "DHE-PSK-3DES-EDE-CBC-SHA+SSLv3",
+ "DHE-PSK-AES128-CBC-SHA+SSLv3",
+ "DHE-PSK-AES128-CBC-SHA256+SSLv3",
+ "DHE-PSK-AES128-GCM-SHA256+TLSv1.2",
+ "DHE-PSK-AES256-CBC-SHA+SSLv3",
+ "DHE-PSK-AES256-CBC-SHA384+SSLv3",
+ "DHE-PSK-AES256-GCM-SHA384+TLSv1.2",
+ "DHE-PSK-CAMELLIA128-SHA256+SSLv3",
+ "DHE-PSK-CAMELLIA256-SHA384+SSLv3",
+ "DHE-PSK-NULL-SHA+SSLv3",
+ "DHE-PSK-NULL-SHA256+SSLv3",
+ "DHE-PSK-NULL-SHA384+SSLv3",
+ "DHE-PSK-RC4-SHA+SSLv3",
"DHE-RSA-CAMELLIA128-SHA+SSLv3",
+ "DHE-RSA-CAMELLIA128-SHA256+TLSv1.2",
"DHE-RSA-CAMELLIA256-SHA+SSLv3",
+ "DHE-RSA-CAMELLIA256-SHA256+TLSv1.2",
"DHE-RSA-SEED-SHA+SSLv3",
+ "ECDH-ECDSA-CAMELLIA128-SHA256+TLSv1.2",
+ "ECDH-ECDSA-CAMELLIA256-SHA384+TLSv1.2",
+ "ECDH-RSA-CAMELLIA128-SHA256+TLSv1.2",
+ "ECDH-RSA-CAMELLIA256-SHA384+TLSv1.2",
+ "ECDHE-ECDSA-CAMELLIA128-SHA256+TLSv1.2",
+ "ECDHE-ECDSA-CAMELLIA256-SHA384+TLSv1.2",
+ "ECDHE-PSK-3DES-EDE-CBC-SHA+SSLv3",
+ "ECDHE-PSK-AES128-CBC-SHA+SSLv3",
+ "ECDHE-PSK-AES128-CBC-SHA256+SSLv3",
+ "ECDHE-PSK-AES256-CBC-SHA+SSLv3",
+ "ECDHE-PSK-AES256-CBC-SHA384+SSLv3",
+ "ECDHE-PSK-CAMELLIA128-SHA256+SSLv3",
+ "ECDHE-PSK-CAMELLIA256-SHA384+SSLv3",
+ "ECDHE-PSK-NULL-SHA+SSLv3",
+ "ECDHE-PSK-NULL-SHA256+SSLv3",
+ "ECDHE-PSK-NULL-SHA384+SSLv3",
+ "ECDHE-PSK-RC4-SHA+SSLv3",
+ "ECDHE-RSA-CAMELLIA128-SHA256+TLSv1.2",
+ "ECDHE-RSA-CAMELLIA256-SHA384+TLSv1.2",
"EXP-DH-DSS-DES-CBC-SHA+SSLv3",
"EXP-DH-RSA-DES-CBC-SHA+SSLv3",
"EXP-RC2-CBC-MD5+SSLv2",
@@ -580,10 +604,32 @@ public class TestCipher {
"IDEA-CBC-SHA+SSLv3",
"PSK-3DES-EDE-CBC-SHA+SSLv3",
"PSK-AES128-CBC-SHA+SSLv3",
+ "PSK-AES128-CBC-SHA256+SSLv3",
+ "PSK-AES128-GCM-SHA256+TLSv1.2",
"PSK-AES256-CBC-SHA+SSLv3",
+ "PSK-AES256-CBC-SHA384+SSLv3",
+ "PSK-AES256-GCM-SHA384+TLSv1.2",
+ "PSK-CAMELLIA128-SHA256+SSLv3",
+ "PSK-CAMELLIA256-SHA384+SSLv3",
+ "PSK-NULL-SHA+SSLv3",
+ "PSK-NULL-SHA256+SSLv3",
+ "PSK-NULL-SHA384+SSLv3",
"PSK-RC4-SHA+SSLv3",
"RC2-CBC-MD5+SSLv2",
"RC4-MD5+SSLv2",
+ "RSA-PSK-3DES-EDE-CBC-SHA+SSLv3",
+ "RSA-PSK-AES128-CBC-SHA+SSLv3",
+ "RSA-PSK-AES128-CBC-SHA256+SSLv3",
+ "RSA-PSK-AES128-GCM-SHA256+TLSv1.2",
+ "RSA-PSK-AES256-CBC-SHA+SSLv3",
+ "RSA-PSK-AES256-CBC-SHA384+SSLv3",
+ "RSA-PSK-AES256-GCM-SHA384+TLSv1.2",
+ "RSA-PSK-CAMELLIA128-SHA256+SSLv3",
+ "RSA-PSK-CAMELLIA256-SHA384+SSLv3",
+ "RSA-PSK-NULL-SHA+SSLv3",
+ "RSA-PSK-NULL-SHA256+SSLv3",
+ "RSA-PSK-NULL-SHA384+SSLv3",
+ "RSA-PSK-RC4-SHA+SSLv3",
"SEED-SHA+SSLv3",
"SRP-AES-128-CBC-SHA+SSLv3",
"SRP-AES-256-CBC-SHA+SSLv3",
Modified:
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java?rev=1695320&r1=1695319&r2=1695320&view=diff
==============================================================================
---
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
(original)
+++
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
Tue Aug 11 14:56:56 2015
@@ -19,41 +19,64 @@ package org.apache.tomcat.util.net.jsse.
import java.util.List;
import org.junit.Assert;
-import org.junit.Assume;
-import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
public class TestOpenSSLCipherConfigurationParser {
- @Before
- public void checkVersion() {
- Assume.assumeTrue(TesterOpenSSL.IS_EXPECTED_VERSION);
- }
-
-
@Test
public void testDEFAULT() throws Exception {
- testSpecification("DEFAULT");
+ // EXPORT was removed from DEFAULT in 1.1.0 but we prefer the old
+ // behaviour
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA:!SSLv2:!eNULL as an EC alias isn't available)
+ testSpecification("DEFAULT:!EXPORT:aRSA:!SSLv2:!eNULL");
+ } else {
+ testSpecification("DEFAULT:!EXPORT");
+ }
}
@Test
public void testCOMPLEMENTOFDEFAULT() throws Exception {
- testSpecification("COMPLEMENTOFDEFAULT");
+ // EXPORT was removed from DEFAULT in 1.1.0 but we prefer the old
+ // behaviour
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
+ testSpecification("COMPLEMENTOFDEFAULT:EXPORT:aNULL");
+ } else {
+ testSpecification("COMPLEMENTOFDEFAULT:EXPORT");
+ }
}
@Test
public void testALL() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled whereas
+ // later versions include it.
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA:kECDHr as an EC alias isn't available)
+ testSpecification("ALL:aNULL:aRSA:kECDHr");
+ } else {
testSpecification("ALL");
}
+ }
@Test
public void testCOMPLEMENTOFALL() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled whereas
+ // later versions include it.
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA:kECDHr as an EC alias isn't available)
+ testSpecification("COMPLEMENTOFALL:!aNULL:!aRSA:!kECDHr");
+ } else {
testSpecification("COMPLEMENTOFALL");
}
+ }
@Test
@@ -64,20 +87,57 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testeNULL() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA as an EC alias isn't available)
+ testSpecification("eNULL:eNULL+aNULL:eNULL+aRSA");
+ } else {
testSpecification("eNULL");
}
+ }
@Test
public void testHIGH() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
+ // OpenSSL 0.9.8 describes the following ciphers as HIGH whereas
+ // later versions use MEDIUM
+ // TLS_ECDH_anon_WITH_RC4_128_SHA (AECDH-RC4-SHA)
+ // TLS_ECDHE_RSA_WITH_RC4_128_SHA (ECDHE-RSA-RC4-SHA)
+ // TLS_ECDH_RSA_WITH_RC4_128_SHA (ECDH-RSA-RC4-SHA)
+ // TLS_ECDHE_RSA_WITH_NULL_SHA (ECDHE-RSA-NULL-SHA)
+ // TLS_ECDH_RSA_WITH_NULL_SHA (ECDH-RSA-NULL-SHA)
+ //
+ // OpenSSL 0.9.8 describes TLS_ECDH_anon_WITH_NULL_SHA
+ // (AECDH-NULL-SHA) as HIGH whereas later versions use STRONG_NONE
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA as an EC alias isn't available)
+ testSpecification("HIGH:HIGH+aNULL:HIGH+aRSA:" +
+
"!AECDH-RC4-SHA:!ECDHE-RSA-RC4-SHA:!ECDH-RSA-RC4-SHA:!ECDHE-RSA-NULL-SHA:!ECDH-RSA-NULL-SHA:"
+
+ "!AECDH-NULL-SHA");
+ } else {
testSpecification("HIGH");
}
+ }
@Test
public void testMEDIUM() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 describes the following ciphers as HIGH whereas
+ // later versions use MEDIUM
+ // TLS_ECDH_anon_WITH_RC4_128_SHA (AECDH-RC4-SHA)
+ // TLS_ECDHE_RSA_WITH_RC4_128_SHA (ECDHE-RSA-RC4-SHA)
+ // TLS_ECDH_RSA_WITH_RC4_128_SHA (ECDH-RSA-RC4-SHA)
+ // TLS_ECDHE_RSA_WITH_NULL_SHA (ECDHE-RSA-NULL-SHA)
+ // TLS_ECDH_RSA_WITH_NULL_SHA (ECDH-RSA-NULL-SHA)
+
testSpecification("MEDIUM:AECDH-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-NULL-SHA:ECDH-RSA-NULL-SHA");
+ } else {
testSpecification("MEDIUM");
}
+ }
@Test
@@ -106,8 +166,13 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testaRSA() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 treats kECDHr as aRSA
+ testSpecification("aRSA:kECDHr");
+ } else {
testSpecification("aRSA");
}
+ }
@Test
@@ -124,20 +189,29 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testkDHE() throws Exception {
+ // This alias was introduced in 1.0.2
+ if (TesterOpenSSL.VERSION >= 10002) {
testSpecification("kDHE");
}
+ }
@Test
public void testEDH() throws Exception {
+ // This alias was introduced in 1.0.0
+ if (TesterOpenSSL.VERSION >= 10000) {
testSpecification("EDH");
}
+ }
@Test
public void testDHE() throws Exception {
+ // This alias was introduced in 1.0.2
+ if (TesterOpenSSL.VERSION >= 10002) {
testSpecification("DHE");
}
+ }
@Test
@@ -160,8 +234,11 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testkECDHr() throws Exception {
+ // This alias was introduced in 1.0.0
+ if (TesterOpenSSL.VERSION >= 10000) {
testSpecification("kECDHr");
}
+ }
@Test
@@ -172,20 +249,29 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testkECDH() throws Exception {
+ // This alias was introduced in 1.0.0
+ if (TesterOpenSSL.VERSION >= 10000) {
testSpecification("kECDH");
}
+ }
@Test
public void testkEECDH() throws Exception {
+ // This alias was introduced in 1.0.0
+ if (TesterOpenSSL.VERSION >= 10000) {
testSpecification("kEECDH");
}
+ }
@Test
public void testECDH() throws Exception {
+ // This alias was introduced in 1.0.0
+ if (TesterOpenSSL.VERSION >= 10000) {
testSpecification("ECDH");
}
+ }
@Test
@@ -211,8 +297,11 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testAECDH() throws Exception {
+ // This alias was introduced in 1.0.0
+ if (TesterOpenSSL.VERSION >= 10000) {
testSpecification("AECDH");
}
+ }
@Test
@@ -229,8 +318,11 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testaECDH() throws Exception {
+ // This alias was introduced in 1.0.0
+ if (TesterOpenSSL.VERSION >= 10000) {
testSpecification("aECDH");
}
+ }
@Test
@@ -277,8 +369,15 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testTLSv1() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA as an EC alias isn't available)
+ testSpecification("TLSv1:TLSv1+aNULL:TLSv1+aRSA");
+ } else {
testSpecification("TLSv1");
}
+ }
@Test
@@ -289,8 +388,15 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testSSLv3() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA as an EC alias isn't available)
+ testSpecification("SSLv3:SSLv3+aNULL:SSLv3+aRSA");
+ } else {
testSpecification("SSLv3");
}
+ }
@Test
@@ -307,20 +413,33 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testAES128() throws Exception {
+ // This alias was introduced in 1.0.0
+ if (TesterOpenSSL.VERSION >= 10000) {
testSpecification("AES128");
}
+ }
@Test
public void testAES256() throws Exception {
+ // This alias was introduced in 1.0.0
+ if (TesterOpenSSL.VERSION >= 10000) {
testSpecification("AES256");
}
+ }
@Test
public void testAES() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA as an EC alias isn't available)
+ testSpecification("AES:AES+aNULL:AES+aRSA");
+ } else {
testSpecification("AES");
}
+ }
@Test
@@ -349,8 +468,15 @@ public class TestOpenSSLCipherConfigurat
@Test
public void test3DES() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA as an EC alias isn't available)
+ testSpecification("3DES:3DES+aNULL:3DES+aRSA");
+ } else {
testSpecification("3DES");
}
+ }
@Test
@@ -361,8 +487,13 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testRC4() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
+ testSpecification("RC4:RC4+aNULL:RC4+aRSA");
+ } else {
testSpecification("RC4");
}
+ }
@Test
@@ -391,14 +522,28 @@ public class TestOpenSSLCipherConfigurat
@Test
public void testSHA1() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA as an EC alias isn't available)
+ testSpecification("SHA1:SHA1+aNULL:SHA1+aRSA");
+ } else {
testSpecification("SHA1");
}
+ }
@Test
public void testSHA() throws Exception {
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA as an EC alias isn't available)
+ testSpecification("SHA:SHA+aNULL:SHA+aRSA");
+ } else {
testSpecification("SHA");
}
+ }
@Test
@@ -468,23 +613,36 @@ public class TestOpenSSLCipherConfigurat
// Tomcat 8 default as of 2014-08-04
// This gets an A- from https://www.ssllabs.com/ssltest with no FS for
// a number of the reference browsers
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA:kECDHr as an EC alias isn't available)
+
testSpecification("HIGH:aRSA:kECDHr:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+ } else {
testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
}
+ }
@Test
public void testSpecification02() throws Exception {
// Suggestion from dev list (s/ECDHE/kEECDH/, s/DHE/EDH/
-
testSpecification("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:MEDIUM");
+ if (TesterOpenSSL.VERSION < 10000) {
+ // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
+ // (using aRSA:kECDHr as an EC alias isn't available)
+ } else {
+
testSpecification("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:aRSA:kECDHr:MEDIUM");
+ }
}
@Test
public void testSpecification03() throws Exception {
// Reported as failing during 8.0.11 release vote by Ognjen Blagojevic
+ // EDH was introduced in 1.0.0
+ if (TesterOpenSSL.VERSION >= 10000) {
testSpecification("EECDH+aRSA+SHA384:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS");
}
-
+ }
private void testSpecification(String specification) throws Exception {
// Filter out cipher suites that OpenSSL does not implement
Modified:
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java?rev=1695320&r1=1695319&r2=1695320&view=diff
==============================================================================
---
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java
(original)
+++
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParserOnly.java
Tue Aug 11 14:56:56 2015
@@ -66,4 +66,14 @@ public class TestOpenSSLCipherConfigurat
Assert.assertEquals(expected.toString(), result.toString());
}
+ @Test
+ public void testRename01() throws Exception {
+ // EDH -> DHE
+ LinkedHashSet<Cipher> result =
+
OpenSSLCipherConfigurationParser.parse("EXP-EDH-DSS-DES-CBC-SHA");
+ LinkedHashSet<Cipher> expected = new LinkedHashSet<>();
+ expected.add(Cipher.TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA);
+
+ Assert.assertEquals(expected, result);
+ }
}
Modified:
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java?rev=1695320&r1=1695319&r2=1695320&view=diff
==============================================================================
---
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
(original)
+++
tomcat/tc8.0.x/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TesterOpenSSL.java
Tue Aug 11 14:56:56 2015
@@ -19,7 +19,6 @@ package org.apache.tomcat.util.net.jsse.
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
@@ -30,59 +29,262 @@ import org.apache.tomcat.util.http.fileu
public class TesterOpenSSL {
- public static final boolean IS_EXPECTED_VERSION;
-
- public static final Set<Cipher> OPENSSL_UNIMPLEMENTED_CIPHERS =
- Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
- // The following ciphers are not implemented in an OpenSSL
- // version
- Cipher.TLS_DHE_DSS_WITH_RC4_128_SHA,
- Cipher.TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
- Cipher.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
- Cipher.TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
- Cipher.TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
- Cipher.TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
- Cipher.TLS_RSA_EXPORT1024_WITH_RC4_56_MD5,
- // The following ciphers are implemented in OpenSSL 1.1.0
- // but not earlier
- Cipher.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- Cipher.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256,
- Cipher.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- Cipher.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
- Cipher.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- Cipher.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
- Cipher.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
- Cipher.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256,
- Cipher.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256,
- Cipher.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
- Cipher.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
- Cipher.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
- Cipher.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
- Cipher.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
- Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
- Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
- Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
- Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
- Cipher.TLS_PSK_WITH_AES_128_GCM_SHA256,
- Cipher.TLS_PSK_WITH_AES_256_GCM_SHA384,
- // The following have been removed from OpenSSL on
2015-05-23
- Cipher.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
- Cipher.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA)));
+ public static final int VERSION;
+ public static final Set<Cipher> OPENSSL_UNIMPLEMENTED_CIPHERS;
static {
- // Note: The tests are configured for OpenSSL 1.0.2 stable branch.
- // Running with a different version is likely to trigger
failures.
- String expected_version =
System.getProperty("tomcat.test.openssl.version", "");
+ // Note: The tests are configured for the OpenSSL 1.1.0 development
+ // branch. Running with a different version is likely to trigger
+ // failures.
String versionString = null;
try {
versionString = executeOpenSSLCommand("version");
} catch (IOException e) {
versionString = "";
}
- IS_EXPECTED_VERSION = versionString.startsWith("OpenSSL " +
expected_version);
+ if (versionString.startsWith("OpenSSL 1.1.0")) {
+ VERSION = 10100;
+ } else if (versionString.startsWith("OpenSSL 1.0.2")) {
+ VERSION = 10002;
+ } else if (versionString.startsWith("OpenSSL 1.0.1")) {
+ VERSION = 10001;
+ } else if (versionString.startsWith("OpenSSL 1.0.0")) {
+ VERSION = 10000;
+ } else if (versionString.startsWith("OpenSSL 0.9.8")) {
+ VERSION = 908;
+ } else {
+ // Unknown OpenSSL version
+ throw new IllegalStateException("Unknown OpenSSL version " +
versionString);
+ }
+
+ HashSet<Cipher> unimplemented = new HashSet<>();
+
+ // Note: The following lists are intended to be aligned with the most
+ // recent release of each OpenSSL release branch
+
+ // These have been removed from all supported versions.
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5);
+ unimplemented.add(Cipher.TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA);
+ unimplemented.add(Cipher.TLS_RSA_EXPORT1024_WITH_RC4_56_SHA);
+ unimplemented.add(Cipher.TLS_RSA_EXPORT1024_WITH_RC4_56_MD5);
+
+ if (VERSION < 10000) {
+ // These were implemented in 1.0.0 so won't be available in any
+ // earlier version
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_NULL_SHA);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_PSK_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_PSK_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_SEED_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_SEED_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_SEED_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_WITH_SEED_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_NULL_SHA);
+ unimplemented.add(Cipher.TLS_PSK_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_PSK_WITH_3DES_EDE_CBC_SHA);
+ } else {
+ // These were removed in 1.0.0 so won't be available from that
+ // version onwards.
+ // None at present.
+ }
+
+
+ if (VERSION < 10001) {
+ // These were added in 1.0.1 so won't be available in any earlier
+ // version
+ unimplemented.add(Cipher.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA);
+ unimplemented.add(Cipher.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA);
+ unimplemented.add(Cipher.TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA);
+ unimplemented.add(Cipher.TLS_SRP_SHA_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_SRP_SHA_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_AES_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_RSA_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_RSA_WITH_AES_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_RSA_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_RSA_WITH_NULL_SHA256);
+ } else {
+ // These were removed in 1.0.1 so won't be available from that
+ // version onwards.
+ unimplemented.add(Cipher.TLS_RSA_EXPORT1024_WITH_RC4_56_MD5);
+ unimplemented.add(Cipher.TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5);
+ unimplemented.add(Cipher.TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_EXPORT1024_WITH_RC4_56_SHA);
+ unimplemented.add(Cipher.TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_RC4_128_SHA);
+ }
+
+ if (VERSION < 10002) {
+ // These were implemented in 1.0.2 so won't be available in any
+ // earlier version
+ unimplemented.add(Cipher.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_AES_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_SEED_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_AES_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_DES_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_SEED_CBC_SHA);
+
+ } else {
+ // These were removed in 1.0.2 so won't be available from that
+ // version onwards.
+ unimplemented.add(Cipher.TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA);
+ }
+
+ if (VERSION < 10100) {
+ // These were implemented in 1.1.0 so won't be available in any
+ // earlier version
+ unimplemented.add(Cipher.TLS_PSK_WITH_NULL_SHA);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_NULL_SHA);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_NULL_SHA);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_PSK_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_PSK_WITH_AES_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_PSK_WITH_NULL_SHA256);
+ unimplemented.add(Cipher.TLS_PSK_WITH_NULL_SHA384);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_AES_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_NULL_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_NULL_SHA384);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_AES_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_NULL_SHA256);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_NULL_SHA384);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_RC4_128_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_NULL_SHA);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_NULL_SHA256);
+ unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_NULL_SHA384);
+ unimplemented.add(Cipher.TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384);
+
unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256);
+
unimplemented.add(Cipher.TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+
unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384);
+
unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384);
+
unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256);
+
unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+
unimplemented.add(Cipher.TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384);
+
unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256);
+
unimplemented.add(Cipher.TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384);
+
unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256);
+ unimplemented.add(Cipher.TLS_PSK_WITH_AES_128_GCM_SHA256);
+ unimplemented.add(Cipher.TLS_PSK_WITH_AES_256_GCM_SHA384);
+ unimplemented.add(Cipher.TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256);
+ } else {
+ // These were removed in 1.1.0 so won't be available from that
+ // version onwards.
+ unimplemented.add(Cipher.SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5);
+ unimplemented.add(Cipher.SSL_CK_RC4_128_WITH_MD5);
+ unimplemented.add(Cipher.SSL2_DES_192_EDE3_CBC_WITH_MD5);
+ unimplemented.add(Cipher.SSL2_DES_64_CBC_WITH_MD5);
+ unimplemented.add(Cipher.SSL2_IDEA_128_CBC_WITH_MD5);
+ unimplemented.add(Cipher.SSL2_RC4_128_EXPORT40_WITH_MD5);
+ unimplemented.add(Cipher.SSL_CK_RC2_128_CBC_WITH_MD5);
+ }
+ OPENSSL_UNIMPLEMENTED_CIPHERS =
Collections.unmodifiableSet(unimplemented);
}
@@ -107,7 +309,11 @@ public class TesterOpenSSL {
if (specification == null) {
stdout = executeOpenSSLCommand("ciphers", "-v");
} else {
+ if (VERSION < 10000) {
stdout = executeOpenSSLCommand("ciphers", "-v", specification);
+ } else {
+ stdout = executeOpenSSLCommand("ciphers", "-v", specification);
+ }
}
if (stdout.length() == 0) {
@@ -120,6 +326,8 @@ public class TesterOpenSSL {
// OpenSSL should have returned one cipher per line
String ciphers[] = stdout.split("\n");
for (String cipher : ciphers) {
+ // Handle rename for 1.1.0 onwards
+ cipher = cipher.replaceAll("EDH", "DHE");
if (first) {
first = false;
} else {
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
