Mark,
On 10/9/21 04:52, Mark Thomas wrote:
On 08/10/2021 19:34, Farber, Ilja wrote:
Hi all,
I noticed org.apache.tomcat.util.net.openssl.ciphers.Cipher does not
define the cipher suites defined by rfc 6367 and 6209. The ciphers are
listed
https://docs.oracle.com/javase/9/docs/specs/security/standard-names.html
and should be valid for TLS 1.2.
For example TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
The above cipher is 0xC05C and is present in Ciphers.
or TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
The above cipher is 0xC086. As far as I am aware it is neither supported
by Java nor OpenSSL hence it is not present in Ciphers.
Is there a reason, why these cipher suites are not in enum Cipher?
The purpose of the Enum is to map between Java cipher definitions and
OpenSSL cipher definitions. If a cipher is unsupported by both there is
no point including it.
There are Tomcat unit tests that should check for unknown ciphers so I'd
expect any new ciphers to trigger test failures. We do see these from
time to time as OpenSSL adjusts its ciphers so I think they are working
correctly.
If you are aware of a cipher that is supported by any current version of
Java or OpenSSL that is missing from Ciphers and isn't triggering a test
failure then please bring it to our attention.
If the user is using e.g. BouncyCastle, IBM's JRE, Corretto, etc. those
ciphers might be available in those environments. (It looks like BC
supports this cipher suite, but I couldn't find any information on IBM
or Corretto stating one way or the other).
Will them being missing from the Ciphers enum prevent them from being
used at all? OR will it only prevent them from being aliases of each other?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org