Subject: svn commit: r1843628 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/tomcat/jni/ java/org/apache/tomcat/util/compat/ java/org/apache/tomcat/util/net/ java/org/apache/tomcat/util/net/jsse/ java/org/apache/tomcat/util/net/openssl/ test/org/apache/tomcat/u...
Date: Fri, 12 Oct 2018 08:40:57 -0000
To: dev@tomcat.apache.org
From: markt@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20181012084058.BDCF93A0189@svn01-us-west.apache.org> Author: markt Date: Fri Oct 12 08:40:57 2018 New Revision: 1843628 URL: http://svn.apache.org/viewvc?rev=1843628&view=rev Log: Back-port TLS 1.3 support Added: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/TLS.java - copied, changed from r1842656, tomcat/trunk/java/org/apache/tomcat/util/compat/TLS.java tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java - copied, changed from r1843405, tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java Modified: tomcat/tc8.5.x/trunk/ (props changed) tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSL.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TesterSupport.java tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml Propchange: tomcat/tc8.5.x/trunk/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Fri Oct 12 08:40:57 2018 
@@ -1,2 +1,2 @@ /tomcat/tc8.0.x/trunk:1809644 -/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737903,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739492,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409 
,1741501,1741677,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744149,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745083,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248,1745254,1745337,1745467,1745473,1745535,1745576,1745735,1745744,1746304,1746306-1746307,1746319,1746327,1746338,1746340-1746341,1746344,1746427,1746441,1746473,1746490,1746492,1746495-1746496,1746499-1746501,1746503-1746507,1746509,1746549,1746551,1746554,1746556,1746558,1746584,1746620,1746649,1746724,1746939,1746989,1747014,1747028,1747035,1747210,1747225,1747234,1747253,1747 404,1747506,1747536,1747924,1747980,1747993,1748001,1748253,1748452,1748547,1748629,1748676,1748715,1749287,1749296,1749328,1749373,1749465,1749506,1749508,1749665-1749666,1749763,1749865-1749866,1749898,1749978,1749980,1750011,1750015,1750056,1750480,1750617,1750634,1750692,1750697,1750700,1750703,1750707,1750714,1750718,1750723,1750774,1750899,1750975,1750995,1751061,1751097,1751173,1751438,1751447,1751463,1751702,1752212,1752737,1752745,1753078,1753080,1753358,1753363,1754111,1754140-1754141,1754281,1754310,1754445,1754467,1754494,1754496,1754528,1754532-1754533,1754613,1754714,1754874,1754941,1754944,1754950-1754951,1755005,1755007,1755009,1755132,1755180-1755181,1755185,1755190,1755204-1755206,1755208,1755214,1755224,1755227,1755230,1755629,1755646-1755647,1755650,1755653,1755675,1755680,1755683,1755693,1755717,1755731-1755737,1755812,1755828,1755884,1755890,1755918-1755919,1755942,1755958,1755960,1755970,1755993,1756013,1756019,1756039,1756056,1756083-1756114,1756175,1756288-1 
756289,1756408-1756410,1756778,1756798,1756878,1756898,1756939,1757123-1757124,1757126,1757128,1757132-1757133,1757136,1757145,1757167-1757168,1757175,1757180,1757182,1757195,1757271,1757278,1757347,1757353-1757354,1757363,1757374,1757399,1757406,1757408,1757485,1757495,1757499,1757527,1757578,1757684,1757722,1757727,1757790,1757799,1757813,1757853,1757883,1757903,1757976,1757997,1758000,1758058,1758072-1758075,1758078-1758079,1758223,1758257,1758261,1758276,1758292,1758369,1758378-1758383,1758421,1758423,1758425-1758427,1758430,1758443,1758448,1758459,1758483,1758486-1758487,1758499,1758525,1758556,1758580,1758582,1758584,1758588,1758842,1759019,1759212,1759224,1759227,1759252,1759274,1759513-1759516,1759611,1759757,1759785-1759790,1760005,1760022,1760109-1760110,1760135,1760200-1760201,1760227,1760300,1760397,1760446,1760454,1760640,1760648,1761057,1761422,1761491,1761498,1761500-1761501,1761550,1761553,1761572,1761574,1761625-1761626,1761628,1761682,1761740,1761752,1762051-176205 3,1762123,1762168,1762172,1762182,1762201-1762202,1762204,1762208,1762288,1762296,1762324,1762348,1762353,1762362,1762374,1762492,1762503,1762505,1762541,1762608,1762710,1762753,1762766,1762769,1762944,1762947,1762953,1763167,1763179,1763232,1763259,1763271-1763272,1763276-1763277,1763319-1763320,1763370,1763372,1763375,1763377,1763393,1763412,1763430,1763450,1763462,1763505,1763511-1763512,1763516,1763518,1763520,1763529,1763559,1763565,1763568,1763574,1763619,1763634-1763635,1763718,1763748,1763786,1763798-1763799,1763810,1763813,1763815,1763819,1763831,1764083,1764425,1764646,1764648-1764649,1764659,1764663,1764682,1764862,1764866-1764867,1764870,1764897,1765133,1765299,1765358,1765439,1765447,1765495,1765502,1765569-1765571,1765579,1765582,1765589-1765590,1765794,1765801,1765813,1765815,1766276,1766514,1766533,1766535,1766664,1766675,1766698,1766700,1766822,1766834,1766840,1767047,1767328,1767362,1767368,1767429,1767471,1767505,1767636,1767641-1767644,1767903,1767945-1767946,176 
8123,1768283,1768520,1768569,1768651,1768762,1768922,1769191,1769263,1769630,1769833,1769975,1770047,1770140,1770180,1770258,1770389,1770656,1770666,1770718,1770762,1770952,1770954,1770956,1770961,1771087,1771126,1771139,1771143,1771149,1771156,1771226,1771266,1771316,1771386,1771611,1771613,1771711,1771718,1771723-1771724,1771730,1771743,1771752,1771853,1771963,1772170,1772174,1772223,1772229,1772318-1772319,1772353,1772355,1772554,1772603-1772609,1772849,1772865,1772870,1772872,1772875-1772876,1772881,1772886,1772947,1773306,1773344,1773418,1773756,1773813-1773814,1774052,1774102,1774131,1774161,1774164,1774248,1774253,1774257,1774259,1774262,1774267,1774271,1774303,1774340,1774406,1774412,1774426,1774433,1774522-1774523,1774526,1774528-1774529,1774531,1774732-1774736,1774738-1774739,1774741-1774742,1774749,1774755,1774789,1774858,1774867,1775596,1775985-1775986,1776540,1776937,1776954,1777011,1777173,1777189,1777211,1777524,1777546,1777605,1777619,1777647,1777721-1777722,1777967, 1778061,1778138-1778139,1778141-1778150,1778154,1778275-1778276,1778295,1778342,1778348,1778404,1778424,1778426,1778575,1778582,1778600,1778603,1779312,1779370,1779545,1779612,1779622,1779641,1779654,1779708,1779718,1779897,1779899,1779932,1780109,1780120,1780189,1780196,1780488,1780514-1780516,1780601,1780606,1780609-1780610,1780652,1780991,1780995-1780996,1781174,1781569,1781975,1781986,1782116,1782383-1782384,1782566,1782572,1782775,1782779,1782814,1782857,1782868,1782934,1782946-1782947,1782956,1783144-1783147,1783155,1783408,1784182,1784565,1784583,1784657,1784669,1784712,1784723,1784751,1784767,1784806,1784818,1784911,1784926,1784956,1784963,1785032,1785037,1785245,1785271,1785310,1785317,1785643,1785667,1785762,1785774,1785823,1785935,1786051,1786070,1786123-1786124,1786127,1786129,1786341,1786378,1786844,1787200,1787250,1787405,1787662,1787701,1787703,1787938,1787959,1787973,1788223-1788224,1788228,1788232,1788241-1788242,1788248,1788323,1788328,1788455,1788460,1788473,17885 
43-1788544,1788548,1788550,1788554,1788558,1788560,1788567,1788569,1788572,1788647,1788732,1788741,1788747,1788753,1788764,1788771,1788834,1788841,1788852,1788860,1788883,1788890,1789051,1789400,1789415,1789442-1789443,1789447,1789453,1789456,1789458,1789461-1789463,1789465-1789467,1789470,1789472,1789474,1789476,1789479-1789480,1789685,1789733,1789735,1789744-1789745,1789937,1789984,1790119,1790180,1790183,1790213,1790376,1790443,1790614,1790983,1790991,1791027-1791028,1791050,1791090,1791095-1791096,1791099,1791101-1791103,1791124,1791129,1791134,1791137,1791298,1791527,1791557,1791970,1792033,1792038,1792055,1792093,1792140,1792460,1792468,1792791,1792957,1793095,1793121,1793123,1793127,1793136,1793139,1793147-1793148,1793266,1793437,1793449,1793460,1793468,1793487,1793498,1793502,1793514,1793682-1793683,1793711-1793712,1793716,1793719,1793736,1793746,1793758,1793771,1793776,1793798,1793802,1793812,1793819,1793844,1793854,1793887,1793891,1793898,1793901-1793902,1793907,1793910,17 93980,1794556,1794674,1794684,1794752,1794941-1794942,1795278,1795289,1795298,1795305,1795813,1795893,1796090,1796275,1796693-1796695,1796729,1796806,1796836,1796873,1796878,1797197,1797338,1797344,1797354-1797355,1797516,1797528,1797532,1797536,1797540,1797543,1797677-1797678,1797692,1797694,1797748,1797828,1798126,1798238,1798280,1798371,1798379,1798384,1798390,1798395,1798419,1798505,1798507,1798509,1798533,1798546,1798561,1798977,1799115,1799126,1799164,1799190,1799194,1799216,1799231,1799250,1799253,1799285,1799368,1799412,1799498,1799514-1799515,1799677,1799701-1799702,1799704,1799709,1799885,1799893,1799895,1799916,1800136-1800138,1800202,1800309,1800390,1800617,1800629,1800791,1800816,1800850,1800864,1800867,1800874,1800885,1800980-1800981,1800984,1800988,1800992,1801195,1801686,1801688,1801709,1801717,1801774,1801778,1802083,1802195,1802204-1802205,1802210,1802225-1802226,1802229,1802403,1802475,1802490,1802788,1802796,1802803,1802820,1802828,1802833,1802836,1803030,1803038 
,1803055,1803135,1803165,1803174,1803193,1803205,1803224,1803278,1803281,1803295,1803297,1803446,1803451,1803456,1803459,1803616,1803636,1803828,1803901,1803972,1804040,1804094,1804306,1804461-1804463,1804501,1804506-1804507,1804754,1804813,1804888,1804890,1804903-1804908,1804915,1804917,1805523-1805530,1805550,1805612-1805613,1805637,1805645,1805652,1805726,1805752,1805782,1805826,1806307,1806356,1806445,1806736,1806794,1806798,1806801,1806807,1806873,1806966,1806973,1807004,1807093,1807135,1807205-1807206,1807237,1807242,1807251,1807282,1807455,1807686,1807698,1807713,1807715,1807729,1807742,1807747,1807751,1807755,1808116,1808156,1808266,1808433,1808438-1808439,1808466,1808481-1808482,1808695,1808701,1808766,1809011,1809025,1809141,1809143-1809144,1809146,1809158,1809212,1809214,1809239,1809248,1809263,1809265,1809317,1809434,1809669,1809671,1809674,1809684,1809711,1809828,1809830,1809908-1809909,1809922,1810106,1810110,1810280,1810300,1811031,1811119,1811122,1811132,1811137,1811 139,1811174,1811176,1811198-1811201,1811203-1811206,1811220,1811235,1811246,1811327-1811329,1811350,1811560,1811704,1811837-1811839,1811861,1811932,1812087-1812088,1812092,1812094,1812103,1812107,1812113,1812129,1812134-1812136,1812184,1812315,1812401,1812489,1812513,1812617,1813919,1814192,1814195,1814567,1814825,1814973,1814980,1815066,1815069,1815208,1815215,1815318-1815319,1815325,1815385,1815429,1815441-1815442,1815451,1815459,1815465,1815505,1815615,1815778,1815786,1815790,1815793,1815800,1815802,1815806,1815826,1815829,1815834,1815840,1815903,1815944,1815954,1816076,1816078,1816083,1816087,1816120,1816128,1816140,1816147,1816157,1816338,1816431,1816443,1816538,1816541,1816545,1816549-1816550,1816563,1816570,1816647,1816695-1816704,1816716,1816780,1816887,1817089,1817092,1817096,1817104,1817126,1817136-1817137,1817196,1817223,1817298,1817305,1817495,1817517,1817520,1817965,1817997,1817999-1818001,1818004,1818127,1818179,1818184,1818438,1818711,1818919,1818976,1819054,1819057,1 
819061,1819063,1819068,1819070-1819071,1819074,1819077,1819148,1819903,1820003,1820005,1820138,1820153,1820194,1820196-1820197,1820202,1820206,1820222,1820265,1820272,1820276,1820279,1820281,1820302,1820634,1820701,1820705,1820932,1820981,1820994,1821157,1821167,1821197-1821203,1821225,1821234-1821235,1821251-1821252,1821293,1821328,1821381,1821490,1821708,1821932,1822001,1822016,1822109,1822111,1822116,1822150,1822232,1822524,1822644,1822775,1822945-1822946,1823006-1823007,1823102,1823111,1823150,1823161,1823262,1823306,1823310,1823337,1823481,1823483,1823492,1823495,1823540,1823620,1824154,1824201,1824228,1824254,1824263,1824297,1824301,1824311,1824323,1824357,1824766,1824774,1824892,1824901,1824959,1825054,1825516,1825519,1825713,1825738,1825872,1825909,1825943,1825987,1826048,1826111,1826115,1826209,1826361,1826375,1826688,1826731,1826794,1826812,1826817,1826825,1826867,1826869,1826958,1826975,1826977,1826979,1826985-1826986,1827150,1827203-1827204,1827223,1827297,1827299,182736 3,1827368,1827396,1827408,1827428,1827479,1827491,1827498,1827860,1828016,1828223-1828239,1828253,1828262,1828545,1828551,1828565,1828946,1829082,1829084,1829086,1829276,1829355,1829364,1829366,1829830,1829879,1829915,1829924,1829934,1829990-1829991,1830013,1830051,1830068,1830087,1830325,1830336,1830341,1830367,1830373,1830378,1830549,1830669-1830670,1830764-1830765,1830772,1830802,1830861,1830864,1830989,1830999-1831001,1831251,1831256,1831262,1831333,1831338,1831341-1831342,1831389,1831410,1831439,1831483,1831486,1831556,1831568,1831573,1831691,1831718,1831726,1831763,1831828,1831985,1832124-1832125,1832127,1832129,1832160,1832163,1832193,1832262,1832518-1832519,1832525-1832526,1832545,1832554,1832572,1832592,1832596,1832602,1832619,1832665,1832692,1832696,1832704,1832707,1832744,1832843,1832856,1832882,1832925,1832965,1833001,1833016,1833062,1833071,1833737,1833757,1833768-1833770,1833794-1833800,1833825,1833831,1833906,1833915,1833918,1833982,1833989,1833994,1834001,1834003,183 
4011,1834020,1834058,1834080,1834195,1834197-1834198,1834354,1834356,1834411,1834542,1834548,1834550,1834559,1834672,1834689,1834703,1834860,1834877,1835085,1835193-1835194,1835229,1835246,1835261,1835263-1835264,1835269-1835271,1835413,1835416,1835421,1835427,1835429,1835431,1835435,1835438,1835458,1835465,1835543,1835622,1835639,1835831,1835844,1836102,1836738,1836949,1837044,1837133,1837156,1837176,1837300,1837510-1837511,1837520,1837523,1837530,1837551,1837554,1837581,1837613,1837637,1837726,1837731,1837734-1837737,1837746,1837786-1837788,1837809-1837810,1837818,1837865,1837871-1837872,1837878,1838028,1838100,1838104,1838106-1838107,1838155,1838163,1838188,1838243,1838275,1838277,1838279,1838281,1838286,1838400,1838433,1838473,1838492,1838494,1838502,1838925,1838942,1839057,1839237,1839239,1839575,1839604,1839737,1839741,1839752,1839765,1839922,1839955,1839960,1839977,1839983-1839984,1840055,1840062,1840099,1840264,1840279,1840535,1840634,1840641,1840653,1840655,1840681,1840706- 1840707,1840709,1840712,1840737,1840747,1840759,1840763-1840764,1840812,1840817,1840922,1841069,1841347,1841445,1841746,1841757,1841893,1842203,1842691,1842702,1842725,1842816-1842817,1842878,1842950,1843048,1843142,1843474 +/tomcat/trunkodified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSL.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSL.java?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSL.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSL.java Fri Oct 12 08:40:57 2018 
@@ -73,7 +73,9 @@ public final class SSL { public static final int SSL_PROTOCOL_TLSV1 = (1<<2); public static final int SSL_PROTOCOL_TLSV1_1 = (1<<3); public static final int SSL_PROTOCOL_TLSV1_2 = (1<<4); - public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2); + public static final int SSL_PROTOCOL_TLSV1_3 = (1<<5); + public static final int SSL_PROTOCOL_ALL = (SSL_PROTOCOL_TLSV1 | SSL_PROTOCOL_TLSV1_1 | + SSL_PROTOCOL_TLSV1_2 | SSL_PROTOCOL_TLSV1_3); /* * Define the SSL verify levels @@ -555,6 +557,27 @@ public final class SSL { public static native int renegotiate(long ssl); /** + * SSL_renegotiate_pending + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ + public static native int renegotiatePending(long ssl); + + /** + * SSL_verify_client_post_handshake + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ + public static native int verifyClientPostHandshake(long ssl); + + /** + * Is post handshake authentication in progress on this connection? + * @param ssl the SSL instance (SSL *) + * @return the operation status + */ + public static native int getPostHandshakeAuthInProgress(long ssl); + + /** * SSL_in_init. * @param ssl the SSL instance (SSL *) * @return the status Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/jni/SSLContext.java Fri Oct 12 08:40:57 2018 
@@ -41,6 +41,7 @@ public final class SSLContext { * {@link SSL#SSL_PROTOCOL_TLSV1} * {@link SSL#SSL_PROTOCOL_TLSV1_1} * {@link SSL#SSL_PROTOCOL_TLSV1_2} + * {@link SSL#SSL_PROTOCOL_TLSV1_3} * {@link SSL#SSL_PROTOCOL_ALL} ( == all TLS versions, no SSL) * * @param mode SSL mode to use Copied: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/TLS.java (from r1842656, tomcat/trunk/java/org/apache/tomcat/util/compat/TLS.java) URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/TLS.java?p2=tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/TLS.java&p1=tomcat/trunk/java/org/apache/tomcat/util/compat/TLS.java&r1=1842656&r2=1843628&rev=1843628&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/tomcat/util/compat/TLS.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/TLS.java Fri Oct 12 08:40:57 2018 @@ -32,7 +32,7 @@ public class TLS { static { boolean ok = false; try { - SSLContext sc = SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3); + SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3); ok = true; } catch (NoSuchAlgorithmException ex) { } Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri Oct 12 08:40:57 2018 
@@ -439,6 +439,8 @@ public class AprEndpoint extends Abstrac value |= SSL.SSL_PROTOCOL_TLSV1_1; } else if (Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) { value |= SSL.SSL_PROTOCOL_TLSV1_2; + } else if (Constants.SSL_PROTO_TLSv1_3.equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_TLSV1_3; } else { // Should not happen since filtering to build // enabled protocols removes invalid values. Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/LocalStrings.properties Fri Oct 12 08:40:57 2018 
@@ -128,6 +128,7 @@ channel.nio.ssl.foundHttp=Found an plain jsse.invalid_truststore_password=The provided trust store password could not be used to unlock and/or validate the trust store. Retrying to access the trust store with a null password which will skip validation. jsse.keystore_load_failed=Failed to load keystore type [{0}] with path [{1}] due to [{2}] jsse.ssl3=SSLv3 has been explicitly enabled. This protocol is known to be insecure. +jsse.tls13.auth=The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication sniExtractor.clientHelloInvalid=The ClientHello message was not correctly formatted sniExtractor.clientHelloTooBig=The ClientHello was not presented in a single TLS record so no SNI information could be extracted Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Fri Oct 12 08:40:57 2018 @@ -64,6 +64,7 @@ public class SSLHostConfig implements Se SSL_PROTO_ALL_SET.add(Constants.SSL_PROTO_TLSv1); SSL_PROTO_ALL_SET.add(Constants.SSL_PROTO_TLSv1_1); SSL_PROTO_ALL_SET.add(Constants.SSL_PROTO_TLSv1_2); + SSL_PROTO_ALL_SET.add(Constants.SSL_PROTO_TLSv1_3); } private Type configType = null; 
@@ -84,6 +85,10 @@ public class SSLHostConfig implements Se private String[] enabledCiphers; private String[] enabledProtocols; private ObjectName oname; + // Need to know if TLS 1.3 has been explicitly requested as a warning needs + // to generated if it is explicitly requested for a JVM that does not + // support it. Uses a set so it is extensible for TLS 1.4 etc. + private Set explicitlyRequestedProtocols = new HashSet<>(); // Nested private SSLHostConfigCertificate defaultCertificate = null; private Set certificates = new HashSet<>(4); @@ -450,6 +455,7 @@ public class SSLHostConfig implements Se public void setProtocols(String input) { protocols.clear(); + explicitlyRequestedProtocols.clear(); // List of protocol names, separated by ",", "+" or "-". // Semantics is adding ("+") or removing ("-") from left @@ -472,6 +478,7 @@ public class SSLHostConfig implements Se protocols.addAll(SSL_PROTO_ALL_SET); } else { protocols.add(trimmed); + explicitlyRequestedProtocols.add(trimmed); } } else if (trimmed.charAt(0) == '-') { trimmed = trimmed.substring(1).trim(); @@ -479,6 +486,7 @@ public class SSLHostConfig implements Se protocols.removeAll(SSL_PROTO_ALL_SET); } else { protocols.remove(trimmed); + explicitlyRequestedProtocols.remove(trimmed); } } else { if (trimmed.charAt(0) == ',') { @@ -492,6 +500,7 @@ public class SSLHostConfig implements Se protocols.addAll(SSL_PROTO_ALL_SET); } else { protocols.add(trimmed); + explicitlyRequestedProtocols.add(trimmed); } } } 
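Review bot: In setProtocols(), the "-all" branch calls protocols.removeAll(SSL_PROTO_ALL_SET) but leaves explicitlyRequestedProtocols untouched, so an input such as "TLSv1.3,-all" ends with TLSv1.3 absent from protocols yet still reported by isExplicitlyRequestedProtocol(). Clearing (or removeAll-ing) explicitlyRequestedProtocols in that branch would keep the two sets consistent. Note also that the set stores the trimmed token as typed, so the later contains(Constants.SSL_PROTO_TLSv1_3) lookup is case-sensitive while the APR and OpenSSL mapping code in this commit uses equalsIgnoreCase. The field comment has a typo: "needs to generated" should read "needs to be generated".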
@@ -504,6 +513,11 @@ public class SSLHostConfig implements Se } + boolean isExplicitlyRequestedProtocol(String protocol) { + return explicitlyRequestedProtocols.contains(protocol); + } + + // ---------------------------------- JSSE specific configuration properties // TODO: These certificate setters can be removed once it is no longer Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLUtilBase.java Fri Oct 12 08:40:57 2018 @@ -30,6 +30,7 @@ import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.compat.JreCompat; import org.apache.tomcat.util.file.ConfigFileLoader; +import org.apache.tomcat.util.net.SSLHostConfig.CertificateVerification; import org.apache.tomcat.util.res.StringManager; /** 
@@ -47,19 +48,37 @@ public abstract class SSLUtilBase implem protected SSLUtilBase(SSLHostConfigCertificate certificate) { + this(certificate, true); + } + + + protected SSLUtilBase(SSLHostConfigCertificate certificate, boolean warnTls13) { this.certificate = certificate; SSLHostConfig sslHostConfig = certificate.getSSLHostConfig(); // Calculate the enabled protocols Set configuredProtocols = sslHostConfig.getProtocols(); + if (!isTls13Available() && + !sslHostConfig.isExplicitlyRequestedProtocol(Constants.SSL_PROTO_TLSv1_3)) { + // TLS 1.3 not implemented and not explicitly requested so ignore it + // if present + configuredProtocols.remove(Constants.SSL_PROTO_TLSv1_3); + } Set implementedProtocols = getImplementedProtocols(); List enabledProtocols = - getEnabled("protocols", getLog(), true, configuredProtocols, implementedProtocols); + getEnabled("protocols", getLog(), warnTls13, configuredProtocols, implementedProtocols); if (enabledProtocols.contains("SSLv3")) { log.warn(sm.getString("jsse.ssl3")); } this.enabledProtocols = enabledProtocols.toArray(new String[enabledProtocols.size()]); + if (enabledProtocols.contains(Constants.SSL_PROTO_TLSv1_3) && + (sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL || + sslHostConfig.getCertificateVerification() == CertificateVerification.OPTIONAL) && + !isTls13RenegAuthAvailable() && warnTls13) { + log.warn(sm.getString("jsse.tls13.auth")); + } + // Calculate the enabled ciphers List configuredCiphers = sslHostConfig.getJsseCipherNames(); Set implementedCiphers = getImplementedCiphers(); 
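Review bot: In the condition guarding log.warn(sm.getString("jsse.tls13.auth")) in the SSLUtilBase constructor, both operands of the || compare getCertificateVerification() with CertificateVerification.OPTIONAL, so the second comparison is dead code. If the intent was to cover the other optional mode as well, the second operand should be CertificateVerification.OPTIONAL_NO_CA; otherwise drop the duplicate. Separately, configuredProtocols.remove(Constants.SSL_PROTO_TLSv1_3) acts on the set returned by sslHostConfig.getProtocols(); if that is the live set rather than a copy, constructing an SSLUtilBase silently edits the host configuration, so working on a copy would be safer.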
@@ -196,4 +215,6 @@ public abstract class SSLUtilBase implem protected abstract Set getImplementedProtocols(); protected abstract Set getImplementedCiphers(); protected abstract Log getLog(); + protected abstract boolean isTls13Available(); + protected abstract boolean isTls13RenegAuthAvailable(); } Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java Fri Oct 12 08:40:57 2018 @@ -58,6 +58,7 @@ import javax.net.ssl.X509KeyManager; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.compat.JreVendor; +import org.apache.tomcat.util.compat.TLS; import org.apache.tomcat.util.file.ConfigFileLoader; import org.apache.tomcat.util.net.Constants; import org.apache.tomcat.util.net.SSLContext; @@ -141,7 +142,12 @@ public class JSSEUtil extends SSLUtilBas public JSSEUtil (SSLHostConfigCertificate certificate) { - super(certificate); + this(certificate, true); + } + + + public JSSEUtil (SSLHostConfigCertificate certificate, boolean warnOnSkip) { + super(certificate, warnOnSkip); this.sslHostConfig = certificate.getSSLHostConfig(); } 
@@ -164,6 +170,19 @@ public class JSSEUtil extends SSLUtilBas } + @Override + protected boolean isTls13Available() { + return TLS.isTlsv13Available(); + } + + + @Override + protected boolean isTls13RenegAuthAvailable() { + // TLS 1.3 does not support authentication after the initial handshake + return false; + } + + @Override public SSLContext createSSLContext(List negotiableProtocols) throws NoSuchAlgorithmException { return new JSSESSLContext(sslHostConfig.getSslProtocol()); Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLContext.java Fri Oct 12 08:40:57 2018 @@ -155,6 +155,8 @@ public class OpenSSLContext implements o value |= SSL.SSL_PROTOCOL_TLSV1_1; } else if (Constants.SSL_PROTO_TLSv1_2.equalsIgnoreCase(protocol)) { value |= SSL.SSL_PROTOCOL_TLSV1_2; + } else if (Constants.SSL_PROTO_TLSv1_3.equalsIgnoreCase(protocol)) { + value |= SSL.SSL_PROTOCOL_TLSV1_3; } else if (Constants.SSL_PROTO_ALL.equalsIgnoreCase(protocol)) { value |= SSL.SSL_PROTOCOL_ALL; } else { Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java Fri Oct 12 08:40:57 2018 
@@ -21,7 +21,6 @@ import java.nio.ReadOnlyBufferException; import java.security.Principal; import java.security.cert.Certificate; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collections; import java.util.HashMap; import java.util.HashSet; @@ -65,6 +64,8 @@ public final class OpenSSLEngine extends public static final Set AVAILABLE_CIPHER_SUITES; + public static final Set IMPLEMENTED_PROTOCOLS_SET; + static { final Set availableCipherSuites = new LinkedHashSet<>(128); final long aprPool = Pool.create(0); @@ -94,6 +95,19 @@ public final class OpenSSLEngine extends Pool.destroy(aprPool); } AVAILABLE_CIPHER_SUITES = Collections.unmodifiableSet(availableCipherSuites); + + HashSet protocols = new HashSet<>(); + protocols.add(Constants.SSL_PROTO_SSLv2Hello); + protocols.add(Constants.SSL_PROTO_SSLv2); + protocols.add(Constants.SSL_PROTO_SSLv3); + protocols.add(Constants.SSL_PROTO_TLSv1); + protocols.add(Constants.SSL_PROTO_TLSv1_1); + protocols.add(Constants.SSL_PROTO_TLSv1_2); + if (SSL.version() >= 0x1010100f) { + protocols.add(Constants.SSL_PROTO_TLSv1_3); + } + + IMPLEMENTED_PROTOCOLS_SET = Collections.unmodifiableSet(protocols); } private static final int MAX_PLAINTEXT_LENGTH = 16 * 1024; // 2^14 @@ -103,17 +117,6 @@ public final class OpenSSLEngine extends // Protocols static final int VERIFY_DEPTH = 10; - private static final String[] IMPLEMENTED_PROTOCOLS = { - Constants.SSL_PROTO_SSLv2Hello, - Constants.SSL_PROTO_SSLv2, - Constants.SSL_PROTO_SSLv3, - Constants.SSL_PROTO_TLSv1, - Constants.SSL_PROTO_TLSv1_1, - Constants.SSL_PROTO_TLSv1_2 - }; - public static final Set IMPLEMENTED_PROTOCOLS_SET = - Collections.unmodifiableSet(new HashSet<>(Arrays.asList(IMPLEMENTED_PROTOCOLS))); - // Header (5) + Data (2^14) + Compression (1024) + Encryption (1024) + MAC (20) + Padding (256) static final int MAX_ENCRYPTED_PACKET_LENGTH = MAX_CIPHERTEXT_LENGTH + 5 + 20 + 256; 
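Review bot: The TLS 1.3 gate in the static initialiser, SSL.version() >= 0x1010100f, is an unexplained magic number. The value is the OpenSSL 1.1.1 release version number; a named constant or a one-line comment saying so would make the cut-off auditable and easier to adjust. The replacement of the IMPLEMENTED_PROTOCOLS array with a HashSet also means the public IMPLEMENTED_PROTOCOLS_SET no longer has a defined iteration order, which is worth a mention in the field's documentation since the field is public.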
@@ -760,7 +763,7 @@ public final class OpenSSLEngine extends @Override public String[] getSupportedProtocols() { - return IMPLEMENTED_PROTOCOLS.clone(); + return IMPLEMENTED_PROTOCOLS_SET.toArray(new String[IMPLEMENTED_PROTOCOLS_SET.size()]); } @Override @@ -905,7 +908,12 @@ public final class OpenSSLEngine extends private synchronized void renegotiate() throws SSLException { clearLastError(); - int code = SSL.renegotiate(ssl); + int code; + if (SSL.getVersion(ssl).equals(Constants.SSL_PROTO_TLSv1_3)) { + code = SSL.verifyClientPostHandshake(ssl); + } else { + code = SSL.renegotiate(ssl); + } if (code <= 0) { checkLastError(); } 
@@ -976,10 +984,42 @@ public final class OpenSSLEngine extends return SSLEngineResult.HandshakeStatus.NEED_WRAP; } + /* + * Tomcat Native stores a count of the completed handshakes in the + * SSL instance and increments it every time a handshake is + * completed. Comparing the handshake count when the handshake + * started to the current handshake count enables this code to + * detect when the handshake has completed. + * + * Obtaining client certificates after the connection has been + * established requires additional checks. We need to trigger + * additional reads until the certificates have been read but we + * don't know how many reads we will need as it depends on both + * client and network behaviour. + * + * The additional reads are triggered by returning NEED_UNWRAP + * rather than FINISHED. This allows the standard I/O code to be + * used. + * + * For TLSv1.2 and below, the handshake completes before the + * renegotiation. We therefore use SSL.renegotiatePending() to + * check on the current status of the renegotiation and return + * NEED_UNWRAP until it completes which means the client + * certificates will have been read from the client. + * + * For TLSv1.3, Tomcat Native sets a flag when post handshake + * authentication is started and updates it once the client + * certificate has been received. We therefore use + * SSL.getPostHandshakeAuthInProgress() to check the current status + * and return NEED_UNWRAP until that methods indicates that PHA is + * no longer in progress. + */ + // No pending data to be sent to the peer // Check to see if we have finished handshaking int handshakeCount = SSL.getHandshakeCount(ssl); - if (handshakeCount != currentHandshake) { + if (handshakeCount != currentHandshake && SSL.renegotiatePending(ssl) == 0 && + (SSL.getPostHandshakeAuthInProgress(ssl) == 0)) { if (alpn) { selectedProtocol = SSL.getAlpnSelected(ssl); if (selectedProtocol == null) { 
@@ -991,7 +1031,8 @@ public final class OpenSSLEngine extends return SSLEngineResult.HandshakeStatus.FINISHED; } - // No pending data and still handshaking + // No pending data + // Still handshaking / renegotiation / post-handshake auth pending // Must be waiting on the peer to send more data return SSLEngineResult.HandshakeStatus.NEED_UNWRAP; } Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java (original) +++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java Fri Oct 12 08:40:57 2018 @@ -25,6 +25,7 @@ import javax.net.ssl.TrustManager; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; +import org.apache.tomcat.jni.SSL; import org.apache.tomcat.util.net.SSLContext; import org.apache.tomcat.util.net.SSLHostConfig; import org.apache.tomcat.util.net.SSLHostConfigCertificate; @@ -42,7 +43,8 @@ public class OpenSSLUtil extends SSLUtil if (certificate.getCertificateFile() == null) { // Using JSSE configuration for keystore and truststore - jsseUtil = new JSSEUtil(certificate); + // Missing protocols not a concern so don't warn on skip + jsseUtil = new JSSEUtil(certificate, false); } else { // Use OpenSSL configuration for certificates jsseUtil = null; 
@@ -68,6 +70,19 @@ public class OpenSSLUtil extends SSLUtil } + @Override + protected boolean isTls13Available() { + return SSL.version() >= 0x1010100f; + } + + + @Override + protected boolean isTls13RenegAuthAvailable() { + // OpenSSL does support authentication after the initial handshake + return true; + } + + @Override public SSLContext createSSLContext(List negotiableProtocols) throws Exception { return new OpenSSLContext(certificate, negotiableProtocols); Copied: tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java (from r1843405, tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java) URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java?p2=tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java&p1=tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java&r1=1843405&r2=1843628&rev=1843628&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java (original) +++ tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TestClientCertTls13.java Fri Oct 12 08:40:57 2018 @@ -33,7 +33,8 @@ import org.apache.tomcat.util.compat.TLS * repository since not all of them are AL2 licensed. * * The JSSE implementation of TLSv1.3 only supports authentication during the - * initial handshake. + * initial handshake. This test requires TLSv1.3 on client and server so it is + * skipped unless running on a Java version that supports TLSv1.3. */ public class TestClientCertTls13 extends TomcatBaseTest { 
@@ -47,6 +48,7 @@ public class TestClientCertTls13 extends @Test public void testClientCertPost() throws Exception { + Assume.assumeTrue(TLS.isTlsv13Available()); getTomcatInstance().start(); int size = 32 * 1024; Modified: tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TesterSupport.java URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TesterSupport.java?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TesterSupport.java (original) +++ tomcat/tc8.5.x/trunk/test/org/apache/tomcat/util/net/TesterSupport.java Fri Oct 12 08:40:57 2018 @@ -229,6 +229,14 @@ public final class TesterSupport { protected static void configureClientCertContext(Tomcat tomcat) { TesterSupport.initSsl(tomcat); + /* When running on Java 11, TLSv1.3 is enabled by default. The JSSE + * implementation of TLSv1.3 does not support + * certificateVerification="optional", a setting on which these tests + * depend. Therefore, force these tests to use TLSv1.2 so that they pass + * when running on TLSv1.3. + */ + tomcat.getConnector().setProperty("sslEnabledProtocols", "TLSv1.2"); + // Need a web application with a protected and unprotected URL // No file system docBase required Context ctx = tomcat.addContext("", null); Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Fri Oct 12 08:40:57 2018 
@@ -85,6 +85,11 @@ + + Add TLSv1.3 to the default protocols and to the all + alias for JSSE based TLS connectors when running on a JVM that + supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung) + 62685: Correct an error in host name validation parsing that did not allow a fully qualified domain name to terminate with a period. @@ -95,11 +100,21 @@ Such requests are unusual but not invalid. Patch provided by Michael Orr. (markt) + + 62748: Add TLS 1.3 support for the APR/Native connector and + the NIO/NIO2 connector when using the OpenSSL backed JSSE + implementation. (schultz/markt) + 62791: Remove an unnecessary check in the NIO TLS implementation that prevented from secure WebSocket connections from being established. (markt) + + Fix server initiated TLS renegotiation to obtain a client certificate + when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation. + (markt) + Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml?rev=1843628&r1=1843627&r2=1843628&view=diff ============================================================================== --- tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml Fri Oct 12 08:40:57 2018 @@ -1288,13 +1288,15 @@ This should be a list of any combination of the following:

  • SSLv2Hello
  • SSLv3
  • TLSv1
  • TLSv1.1
  • -
  • TLSv1.2
  • all
+
  • TLSv1.2
  • TLSv1.3
  • all
  • Each token in the list can be prefixed with a plus sign ("+") or a minus sign ("-"). A plus sign adds the protocol, a minus sign removes it form the current list. The list is built starting from an empty list.

    The token all is an alias for - SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2.

    + SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.

    +

    Note that TLSv1.3 is only supported for JSSE when using a + JVM that implements TLSv1.3.

    Note that SSLv2Hello will be ignored for OpenSSL based secure connectors. If more than one protocol is specified for an OpenSSL based secure connector it will always support SSLv2Hello. If a --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org
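Review bot: In JSSEUtil.java (hunk at -164,6 +170,19), the comment in isTls13RenegAuthAvailable(), "TLS 1.3 does not support authentication after the initial handshake", reads as a statement about the protocol, yet the matching override in OpenSSLUtil returns true for the same protocol version. The limitation belongs to the JSSE implementation, as the TestClientCertTls13 javadoc in this commit says, so the comment should read "The JSSE implementation of TLS 1.3 does not support authentication after the initial handshake".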
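Review bot: In OpenSSLEngine.java (static initialiser, hunk at -94,6 +95,19), building IMPLEMENTED_PROTOCOLS_SET from a plain HashSet means getSupportedProtocols(), which now returns IMPLEMENTED_PROTOCOLS_SET.toArray(...), no longer yields the declared order that the removed IMPLEMENTED_PROTOCOLS array gave. Use a LinkedHashSet, as the same block already does for availableCipherSuites, so the order stays SSLv2Hello through TLSv1.3 and does not depend on hash iteration order.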
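Review bot: In OpenSSLEngine.renegotiate() (hunk at -905,7 +908,12), SSL.getVersion(ssl).equals(Constants.SSL_PROTO_TLSv1_3) throws a NullPointerException if the native call returns null, and nothing visible in this hunk guarantees a non-null result. Put the constant on the left, Constants.SSL_PROTO_TLSv1_3.equals(SSL.getVersion(ssl)), so an unknown version takes the existing SSL.renegotiate(ssl) path and any failure is reported through checkLastError().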
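Review bot: In OpenSSLEngine.java (hunk at -976,10 +984,42), the new condition keeps returning NEED_UNWRAP until SSL.renegotiatePending(ssl) and SSL.getPostHandshakeAuthInProgress(ssl) both report 0, and the added comment itself says the number of reads depends on client behaviour, so the comment should also state what ends the wait when a client never sends its certificate (presumably the connector's read timeout; please confirm and say so). Two smaller points: the third clause of the condition is wrapped in parentheses while the first two are not, and "until that methods indicates" should read "until that method indicates".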
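Review bot: In OpenSSLUtil.isTls13Available() (hunk at -68,6 +70,19), the literal 0x1010100f duplicates the check in OpenSSLEngine's static initialiser, and neither site says that it is the OpenSSL 1.1.1 release version number. Define it once as a named constant, or have this method return OpenSSLEngine.IMPLEMENTED_PROTOCOLS_SET.contains(Constants.SSL_PROTO_TLSv1_3), so the two checks cannot drift apart.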
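Review bot: In TesterSupport.configureClientCertContext() (hunk at -229,6 +229,14), the comment ends "force these tests to use TLSv1.2 so that they pass when running on TLSv1.3", which contradicts itself; it presumably means "when running on a JVM where TLSv1.3 is enabled by default". Pinning sslEnabledProtocols to TLSv1.2 here also leaves certificateVerification="optional" under JSSE TLSv1.3 without any test of what the connector does in that configuration, so a follow-up test for that case would be worth adding.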
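Review bot: In http.xml (hunk at -1288,13 +1288,15), the added note documents only the JVM requirement for TLSv1.3 with JSSE. The same commit gates TLSv1.3 for OpenSSL on SSL.version() >= 0x1010100f and records in TesterSupport that the JSSE implementation of TLSv1.3 does not support certificateVerification="optional"; both constraints belong in this paragraph, because an administrator choosing protocols from this list would otherwise have to find them in the source.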