Endi S. Dewata · Alexander Bokovoy · Alexander Bokovoy · Fraser Tweedale · Fraser Tweedale · Endi S. Dewata
--- a/.classpath
+++ b/.classpath
 <?xml version="1.0" encoding="UTF-8"?>
 <classpath>
 	<classpathentry kind="src" path="src"/>
-	<classpathentry kind="src" path="tomcat-8.0/src"/>
+	<classpathentry kind="src" path="tomcat-8.5/src"/>
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
 	<classpathentry kind="lib" path="/usr/share/java/apache-commons-lang.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/apache-commons-logging.jar"/>

--- a/.travis.yml
+++ b/.travis.yml
@@ -19,7 +19,7 @@ install:
      -v $(pwd):/root/tomcatjss
      registry.fedoraproject.org/fedora:$FEDORA
  - docker exec container dnf install -y dnf-plugins-core gcc make rpm-build
-  - docker exec container dnf copr -y enable @pki/10.6
+  - docker exec container dnf copr -y enable ${TOMCATJSS_7_3_REPO:-@pki/10.6}
  - docker exec container dnf builddep -y --spec /root/tomcatjss/tomcatjss.spec.in
  - docker exec container dnf remove -y tomcat-native
  - docker exec container /root/tomcatjss/build.sh --with-timestamp --with-commit-id rpm

--- a/debian/changelog
+++ b/debian/changelog
+tomcatjss (7.3.4-1) unstable; urgency=medium
+
+  * New upstream release.
+  * control: Bump dep on libjss-java.
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Wed, 15 Aug 2018 17:04:25 +0300
+
 tomcatjss (7.3.3-1) unstable; urgency=medium

  * New upstream release.

--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends:
 javahelper,
 libcommons-lang-java,
 libcommons-logging-java,
- libjss-java (>= 4.5.0~a4),
+ libjss-java (>= 4.5.0),
 libslf4j-java,
 libtomcat8-java,
 Standards-Version: 4.1.4
@@ -22,7 +22,7 @@ Package: libtomcatjss-java
 Architecture: all
 Depends: libtomcat8-java, ${java:Depends}, ${misc:Depends},
 libcommons-lang-java,
- libjss-java (>= 4.5.0~a4),
+ libjss-java (>= 4.5.0),
 libslf4j-java,
 Conflicts: libtcnative-1
 Breaks: pki-server (<< 10.3.5-2)

--- a/src/org/apache/tomcat/util/net/jss/TomcatJSS.java
+++ b/src/org/apache/tomcat/util/net/jss/TomcatJSS.java
@@ -37,11 +37,12 @@ import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.ssl.SSLAlertEvent;
 import org.mozilla.jss.ssl.SSLCipher;
 import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
+import org.mozilla.jss.ssl.SSLProtocolVariant;
 import org.mozilla.jss.ssl.SSLServerSocket;
 import org.mozilla.jss.ssl.SSLSocket;
-import org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant;
-import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange;
 import org.mozilla.jss.ssl.SSLSocketListener;
+import org.mozilla.jss.ssl.SSLVersion;
+import org.mozilla.jss.ssl.SSLVersionRange;
 import org.mozilla.jss.util.IncorrectPasswordException;
 import org.mozilla.jss.util.Password;
 import org.slf4j.Logger;
@@ -562,8 +563,9 @@ public class TomcatJSS implements SSLSocketListener {
     * or "datagram".
     *
     * @param sslVersionRange_s takes on the form of "min:max" where min/max
-     * values can be "ssl3, tls1_0, tls1_1, or tls1_2". ssl2 is not supported for
-     * tomcatjss via this interface. The format is "sslVersionRange=min:max".
+     * values can be "ssl3, tls1_0, tls1_1, tls1_2, tls1_3". ssl2 is not
+     * supported for tomcatjss via this interface. The format is
+     * "sslVersionRange=min:max".
     */
    public void setSSLVersionRangeDefault(
            String type,
@@ -583,42 +585,18 @@ public class TomcatJSS implements SSLSocketListener {
        logger.debug("* min: " + min_s);
        logger.debug("* max: " + max_s);

-        int min = getSSLVersionRangeEnum(min_s);
-        int max = getSSLVersionRangeEnum(max_s);
+        SSLVersion minVersion = SSLVersion.findByAlias(min_s);
+        SSLVersion maxVersion = SSLVersion.findByAlias(max_s);

-        if (min == -1 || max == -1) {
-            throw new SocketException("SSL version range format error: " + sslVersionRange_s);
-        }
+        SSLVersionRange range = new SSLVersionRange(minVersion, maxVersion);
+        range = SSLSocket.boundSSLVersionRange(SSLProtocolVariant.STREAM, range);

-        SSLVersionRange range = new SSLVersionRange(min, max);
+        logger.debug("Actual SSL version range for " + type + " after system policy correction:");
+        logger.debug("* min: " + range.getMinVersion());
+        logger.debug("* max: " + range.getMaxVersion());
        SSLSocket.setSSLVersionRangeDefault(protoVariant, range);
    }

-    int getSSLVersionRangeEnum(String range) {
-
-        if (range == null) {
-            return -1;
-        }
-
-        if (range.equals("ssl3")) {
-            return SSLVersionRange.ssl3;
-        }
-
-        if (range.equals("tls1_0")) {
-            return SSLVersionRange.tls1_0;
-        }
-
-        if (range.equals("tls1_1")) {
-            return SSLVersionRange.tls1_1;
-        }
-
-        if (range.equals("tls1_2")) {
-            return SSLVersionRange.tls1_2;
-        }
-
-        return -1;
-    }
-
    public void setSSLCiphers(String attr, String ciphers) throws SocketException, IOException {

        if (StringUtils.isEmpty(ciphers)) {

--- a/tomcatjss.spec.in
+++ b/tomcatjss.spec.in
@@ -7,7 +7,7 @@ URL:              http://www.dogtagpki.org/wiki/TomcatJSS
 License:          LGPLv2+
 BuildArch:        noarch

-Version:          7.3.3
+Version:          7.3.4
 Release:          1%{?_timestamp}%{?_commit_id}%{?dist}
 # global           _phase -a1

@@ -28,20 +28,6 @@ Source:           https://github.com/dogtagpki/tomcatjss/archive/v%{version}%{?_
 #     > tomcatjss-VERSION-RELEASE.patch
 # Patch: tomcatjss-VERSION-RELEASE.patch

-################################################################################
-# Tomcat
-################################################################################
-
-%if 0%{?rhel} && 0%{?rhel} <= 7
-%global app_server tomcat-7.0
-%else
-%if 0%{?fedora} && 0%{?fedora} <= 27
-%global app_server tomcat-8.0
-%else
-%global app_server tomcat-8.5
-%endif
-%endif
-
 ################################################################################
 # Build Dependencies
 ################################################################################
@@ -71,7 +57,7 @@ BuildRequires:    slf4j-jdk14
 %if 0%{?rhel} && 0%{?rhel} <= 7
 BuildRequires:    jss >= 4.4.0-7
 %else
-BuildRequires:    jss >= 4.5.0-0.4
+BuildRequires:    jss >= 4.5.0-0.6
 %endif

 # Tomcat
@@ -114,7 +100,7 @@ Requires:         slf4j-jdk14
 %if 0%{?rhel} && 0%{?rhel} <= 7
 Requires:         jss >= 4.4.0-7
 %else
-Requires:         jss >= 4.5.0-0.4
+Requires:         jss >= 4.5.0-0.6
 %endif

 # Tomcat
@@ -123,7 +109,6 @@ Requires:         tomcat >= 7.0.69
 %else
 %if 0%{?fedora} && 0%{?fedora} <= 27
 Requires:         tomcat >= 8.0.49
-Conflicts:        tomcat >= 1:8.5
 %else
 %if 0%{?fedora} && 0%{?fedora} <= 28
 Requires:         tomcat >= 1:8.5.23
@@ -140,7 +125,7 @@ Requires:         tomcat >= 1:9.0.7
 Conflicts:        tomcat-native

 # PKI
-Conflicts:        pki-base < 10.6.3
+Conflicts:        pki-base < 10.6.5


 %if 0%{?rhel}
@@ -168,9 +153,18 @@ NOTE:  The 'tomcatjss' package conflicts with the 'tomcat-native' package
 %install
 ################################################################################

+# get Tomcat <major>.<minor> version number
+tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
+
+if [ $tomcat_version == "9.0" ]; then
+    app_server=tomcat-8.5
+else
+    app_server=tomcat-$tomcat_version
+fi
+
 ant -f build.xml \
    -Dversion=%{version} \
-    -Dsrc.dir=%{app_server} \
+    -Dsrc.dir=$app_server \
    -Djnidir=%{_jnidir} \
    -Dinstall.doc.dir=%{buildroot}%{_docdir}/%{name} \
    -Dinstall.jar.dir=%{buildroot}%{_javadir} \