On 08/10/2021 19:34, Farber, Ilja wrote:
> Hi all,
>
> I noticed org.apache.tomcat.util.net.openssl.ciphers.Cipher does not define the
> cipher suites defined by RFC 6367 and RFC 6209. The ciphers are listed at
> https://docs.oracle.com/javase/9/docs/specs/security/standard-names.html
>
> and should be valid for TLS 1.2.
>
> For example TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256

The above cipher is 0xC05C and is present in Ciphers.

> or TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256

The above cipher is 0xC086. As far as I am aware it is neither supported by Java nor OpenSSL, hence it is not present in Ciphers.

> Is there a reason why these cipher suites are not in enum Cipher?

The purpose of the Enum is to map between Java cipher definitions and OpenSSL cipher definitions. If a cipher is unsupported by both there is no point including it.

There are Tomcat unit tests that should check for unknown ciphers, so I'd expect any new ciphers to trigger test failures. We do see these from time to time as OpenSSL adjusts its ciphers, so I think they are working correctly.

If you are aware of a cipher that is supported by any current version of Java or OpenSSL that is missing from Ciphers and isn't triggering a test failure then please bring it to our attention.

Mark

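The check Mark asks for (is a suite actually supported by the running Java, and does Tomcat's Cipher enum know it?) can be scripted. The following is an added example written for this thread, not code from Tomcat or from either poster. It assumes a Tomcat tomcat-coyote jar on the classpath, that the enum constants are named after the IANA suite names, and that the enum exposes getId(), getOpenSSLAlias() and getJsseNames() as in Tomcat's source; the sample names are constructed from the two suites in the thread plus one common AES-GCM suite as a control. Note that the Oracle standard-names page lists names a provider may use; only the runtime's getSupportedSSLParameters() tells you what the default JSSE provider can actually negotiate.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

import javax.net.ssl.SSLContext;

import org.apache.tomcat.util.net.openssl.ciphers.Cipher;

/*
 * Cross-check cipher suite names against (a) what the running JVM actually
 * supports and (b) what Tomcat's Cipher enum knows.  Run with a Tomcat
 * tomcat-coyote jar (or the full Tomcat lib/ directory) on the classpath.
 */
public class CipherSuiteCheck {

    // Constructed sample: the two names from the thread plus a common suite
    // as a control that every current JVM and Tomcat build recognises.
    static final List<String> SAMPLE_NAMES = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",     // RFC 6209, id 0xC05C
            "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", // RFC 6367, id 0xC086
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");     // RFC 5289, control

    /** Suites the default JSSE provider can negotiate (not merely names it documents). */
    static Set<String> jvmSupportedSuites() throws Exception {
        return new TreeSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
    }

    /** Tomcat's enum entry for an IANA name, or null if the enum has no such constant. */
    static Cipher tomcatEntry(String ianaName) {
        try {
            // Assumption: enum constants are named after the IANA suite names.
            return Cipher.valueOf(ianaName);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /** Every JSSE-visible name the enum maps, so SSL_-prefixed spellings are not reported as missing. */
    static Set<String> tomcatKnownJsseNames() {
        Set<String> names = new HashSet<>();
        for (Cipher c : Cipher.values()) {
            names.add(c.name());
            // Assumption: getJsseNames() returns the JSSE spellings for this suite.
            names.addAll(Arrays.asList(c.getJsseNames()));
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        Set<String> jvm = jvmSupportedSuites();

        // Per-name report: supported by this JVM? known to Tomcat (id and OpenSSL alias)?
        for (String name : SAMPLE_NAMES) {
            Cipher c = tomcatEntry(name);
            System.out.printf("%-48s JVM=%-5s Tomcat=%s%n", name, jvm.contains(name),
                    c == null ? "absent"
                              : String.format("0x%04X (%s)", c.getId(), c.getOpenSSLAlias()));
        }

        // The case the thread asks to be reported: a suite the JVM supports but the enum lacks.
        Set<String> known = tomcatKnownJsseNames();
        for (String name : jvm) {
            if (!known.contains(name)) {
                System.out.println("JVM supports but Tomcat Cipher enum lacks: " + name);
            }
        }
    }
}
```

On a stock JDK the ARIA and Camellia lines report JVM=false, because SunJSSE implements neither family even though the standard-names document lists them; the control AES-GCM suite reports true and resolves in the enum. Any name printed by the second loop that is a signalling value rather than a suite (the *_SCSV names) can be ignored; anything else is worth reporting on the list, as Mark requests.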
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
