Refactor TLS 1.3 cipher suite configuration support

markt-asf · markt-asf · commit f60eafc1176e · 2025-12-19T13:21:53.000Z
Align SSL and SSLContext implementations
diff --git a/native/src/ssl.c b/native/src/ssl.c
@@ -1120,32 +1120,87 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getCiphers)(TCN_STDARGS, jlong ssl)
 }
 
 TCN_IMPLEMENT_CALL(jboolean, SSL, setCipherSuites)(TCN_STDARGS, jlong ssl,
-                                                         jstring ciphers)
+                                                         jstring cipherList)
 {
-    jboolean rv = JNI_TRUE;
     SSL *ssl_ = J2P(ssl, SSL *);
-    TCN_ALLOC_CSTRING(ciphers);
-
-    UNREFERENCED_STDARGS;
+    TCN_ALLOC_CSTRING(cipherList);
+    jboolean rv = JNI_TRUE;
+    #ifndef HAVE_EXPORT_CIPHERS
+        size_t len;
+        char *buf;
+    #endif
+    UNREFERENCED(o);
 
     if (ssl_ == NULL) {
-        TCN_FREE_CSTRING(ciphers);
+        TCN_FREE_CSTRING(cipherList);
         tcn_ThrowException(e, "ssl is null");
         return JNI_FALSE;
     }
 
+    if (!J2S(cipherList)) {
+        rv = JNI_FALSE;
+        goto free_cipherList;
+    }
+
+#ifndef HAVE_EXPORT_CIPHERS
+    /*
+     *  Always disable NULL and export ciphers,
+     *  no matter what was given in the config.
+     */
+    len = strlen(J2S(cipherList)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+    buf = malloc(len * sizeof(char *));
+    if (buf == NULL) {
+        rv = JNI_FALSE;
+        goto free_cipherList;
+    }
+    memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, strlen(SSL_CIPHERS_ALWAYS_DISABLED));
+    memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(cipherList), strlen(J2S(cipherList)));
+    buf[len - 1] = '\0';
+    if (!SSL_set_cipher_list(ssl_, buf)) {
+#else
+    if (!SSL_set_cipher_list(ssl_, J2S(cipherList))) {
+#endif
+        char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+        ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH);
+        tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
+        rv = JNI_FALSE;
+    }
+#ifndef HAVE_EXPORT_CIPHERS
+    free(buf);
+#endif
+free_cipherList:
+    TCN_FREE_CSTRING(cipherList);
+    return rv;
+}
+
+TCN_IMPLEMENT_CALL(jboolean, SSL, setCipherSuitesEx)(TCN_STDARGS, jlong ssl,
+                                                         jstring cipherSuites)
+{
+    SSL *ssl_ = J2P(ssl, SSL *);
+    TCN_ALLOC_CSTRING(cipherSuites);
+    jboolean rv = JNI_TRUE;
     UNREFERENCED(o);
-    if (!J2S(ciphers)) {
-        TCN_FREE_CSTRING(ciphers);
+
+    if (ssl_ == NULL) {
+        TCN_FREE_CSTRING(cipherSuites);
+        tcn_ThrowException(e, "ssl is null");
         return JNI_FALSE;
     }
-    if (!SSL_set_cipher_list(ssl_, J2S(ciphers))) {
+
+    if (!J2S(cipherSuites)) {
+        rv = JNI_FALSE;
+        goto free_cipherSuites;
+    }
+
+    if (!SSL_set_ciphersuites(ssl_, J2S(cipherSuites))) {
         char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
         ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH);
-        tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
+        tcn_Throw(e, "Unable to configure permitted SSL cipher suites (%s)", err);
         rv = JNI_FALSE;
     }
-    TCN_FREE_CSTRING(ciphers);
+
+free_cipherSuites:
+    TCN_FREE_CSTRING(cipherSuites);
     return rv;
 }
 
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
@@ -513,54 +513,46 @@ TCN_IMPLEMENT_CALL(void, SSLContext, setQuietShutdown)(TCN_STDARGS, jlong ctx,
 }
 
 TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuite)(TCN_STDARGS, jlong ctx,
-                                                         jstring ciphers)
+                                                         jstring cipherList)
 {
     tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
-    TCN_ALLOC_CSTRING(ciphers);
+    TCN_ALLOC_CSTRING(cipherList);
     jboolean rv = JNI_TRUE;
-    int minProtoVer = 0;
-    int maxProtoVer = 0;
-    int ciphersSet = 0;
 #ifndef HAVE_EXPORT_CIPHERS
     size_t len;
     char *buf;
 #endif
-
     UNREFERENCED(o);
-    TCN_ASSERT(ctx != 0);
-    if (!J2S(ciphers))
+
+    if (c == NULL) {
+        TCN_FREE_CSTRING(cipherList);
+        tcn_ThrowException(e, "ssl context is null");
         return JNI_FALSE;
+    }
 
-    minProtoVer = SSL_CTX_get_min_proto_version(c->ctx);
-    maxProtoVer = SSL_CTX_get_max_proto_version(c->ctx);
+    if (!J2S(cipherList)) {
+        rv = JNI_FALSE;
+        goto free_cipherList;
+    }
 
 #ifndef HAVE_EXPORT_CIPHERS
     /*
      *  Always disable NULL and export ciphers,
      *  no matter what was given in the config.
      */
-    len = strlen(J2S(ciphers)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
+    len = strlen(J2S(cipherList)) + strlen(SSL_CIPHERS_ALWAYS_DISABLED) + 1;
     buf = malloc(len * sizeof(char *));
-    if (buf == NULL)
-        return JNI_FALSE;
+    if (buf == NULL) {
+        rv = JNI_FALSE;
+        goto free_cipherList;
+    }
     memcpy(buf, SSL_CIPHERS_ALWAYS_DISABLED, strlen(SSL_CIPHERS_ALWAYS_DISABLED));
-    memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(ciphers), strlen(J2S(ciphers)));
+    memcpy(buf + strlen(SSL_CIPHERS_ALWAYS_DISABLED), J2S(cipherList), strlen(J2S(cipherList)));
     buf[len - 1] = '\0';
+    if (!SSL_CTX_set_cipher_list(c->ctx, buf)) {
 #else
-    buf = (char*)J2S(ciphers);
+    if (!SSL_CTX_set_cipher_list(c->ctx, J2S(cipherList))) {
 #endif
-    /* OpenSSL will ignore any unknown cipher, but TLS 1.3 requires a call to SSL_CTX_set_ciphersuites */
-    if (minProtoVer <= TLS1_2_VERSION) {
-        if (SSL_CTX_set_cipher_list(c->ctx, buf)) {
-            ciphersSet = 1;
-        }
-    }
-    if (maxProtoVer >= TLS1_3_VERSION) {
-        if (SSL_CTX_set_ciphersuites(c->ctx, buf)) {
-            ciphersSet = 1;
-        }
-    }
-    if (!ciphersSet) {
         char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
         ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH);
         tcn_Throw(e, "Unable to configure permitted SSL ciphers (%s)", err);
@@ -569,7 +561,39 @@ TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuite)(TCN_STDARGS, jlong ctx,
 #ifndef HAVE_EXPORT_CIPHERS
     free(buf);
 #endif
-    TCN_FREE_CSTRING(ciphers);
+free_cipherList:
+    TCN_FREE_CSTRING(cipherList);
+    return rv;
+}
+
+TCN_IMPLEMENT_CALL(jboolean, SSLContext, setCipherSuitesEx)(TCN_STDARGS, jlong ctx,
+                                                         jstring cipherSuites)
+{
+    tcn_ssl_ctxt_t *c = J2P(ctx, tcn_ssl_ctxt_t *);
+    TCN_ALLOC_CSTRING(cipherSuites);
+    jboolean rv = JNI_TRUE;
+    UNREFERENCED(o);
+
+    if (c == NULL) {
+        TCN_FREE_CSTRING(cipherSuites);
+        tcn_ThrowException(e, "ssl context is null");
+        return JNI_FALSE;
+    }
+
+    if (!J2S(cipherSuites)) {
+        rv = JNI_FALSE;
+        goto free_cipherSuites;
+    }
+
+    if (SSL_CTX_set_ciphersuites(c->ctx, J2S(cipherSuites))) {
+        char err[TCN_OPENSSL_ERROR_STRING_LENGTH];
+        ERR_error_string_n(SSL_ERR_get(), err, TCN_OPENSSL_ERROR_STRING_LENGTH);
+        tcn_Throw(e, "Unable to configure permitted SSL cipher suites (%s)", err);
+        rv = JNI_FALSE;
+    }
+
+free_cipherSuites:
+    TCN_FREE_CSTRING(cipherSuites);
     return rv;
 }
 
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
@@ -32,8 +32,15 @@
   </p>
 </section>
 <section name="Changes in 2.0.12">
+  <changelog>
+    <fix>
+      Refactor the addition of TLS 1.3 cipher suite configuration to avoid a
+      regression when running a version of Tomcat that pre-dates this change.
+      (markt)
+    </fix>
+  </changelog>
 </section>
-<section name="Changes in 2.0.11">
+<section name="Changes in 2.0.11 (not released)">
   <changelog>
     <fix>
       Fix a reference to an uninitialized variable. (schultz)
