Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/30 16:52:42 UTC
svn commit: r1737117 - in /tomcat/trunk: conf/server.xml
java/org/apache/coyote/http2/Http2UpgradeHandler.java
java/org/apache/tomcat/util/net/SSLHostConfig.java
webapps/docs/changelog.xml webapps/docs/config/http.xml
Author: markt
Date: Wed Mar 30 14:52:41 2016
New Revision: 1737117
URL: http://svn.apache.org/viewvc?rev=1737117&view=rev
Log:
Change honorCipherOrder default to false.
Modified:
tomcat/trunk/conf/server.xml
tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/conf/server.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/server.xml?rev=1737117&r1=1737116&r2=1737117&view=diff
==============================================================================
--- tomcat/trunk/conf/server.xml (original)
+++ tomcat/trunk/conf/server.xml Wed Mar 30 14:52:41 2016
@@ -98,7 +98,6 @@
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
- <SSLHostConfig honorCipherOrder="false" >
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
Modified: tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java?rev=1737117&r1=1737116&r2=1737117&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java Wed Mar 30 14:52:41 2016
@@ -66,8 +66,6 @@ import org.apache.tomcat.util.res.String
* <br>
* Note:
* <ul>
- * <li>Tomcat needs to be configured with honorCipherOrder="false" otherwise
- * Tomcat will prefer a cipher suite that is blacklisted by HTTP/2.</li>
* <li>You will need to nest an <UpgradeProtocol
* className="org.apache.coyote.http2.Http2Protocol" /> element inside
* a TLS enabled Connector element in server.xml to enable HTTP/2 support.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1737117&r1=1737116&r2=1737117&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Wed Mar 30 14:52:41 2016
@@ -83,7 +83,7 @@ public class SSLHostConfig {
private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
private LinkedHashSet<Cipher> cipherList = null;
private List<String> jsseCipherNames = null;
- private boolean honorCipherOrder = true;
+ private boolean honorCipherOrder = false;
private Set<String> protocols = new HashSet<>();
// JSSE
private String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
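Review bot: The new `honorCipherOrder = false` default lets the client's cipher preference decide the negotiated suite, so the strength of the handshake now rests entirely on the `ciphers` default three lines above (`HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA`) staying restrictive, and that coupling is not recorded anywhere in the code. The same hunk also silently drops the only in-code explanation of why false was needed (the HTTP/2 blacklisted-suite note removed from Http2UpgradeHandler.java), leaving a future reader of this field with no rationale. Suggest a comment on the changed line, e.g. `// Default false: the restrictive ciphers default above already excludes weak suites, so client preference is acceptable; revisit if ciphers is relaxed.` The SSLHostConfig class continues outside the hunk.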
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1737117&r1=1737116&r2=1737117&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 30 14:52:41 2016
@@ -93,6 +93,12 @@
<fix>
Align cipher configuration parsing with current OpenSSL master. (markt)
</fix>
+ <update>
+ Change the default for <code>honorCipherOrder</code> to
+ <code>false</code>. With the current default TLS configuration, it is no
+ longer necessary for this to be <code>true</code> for a reasonably
+ secure configuration. (markt)
+ </update>
</changelog>
</subsection>
<subsection name="WebSocket">
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1737117&r1=1737116&r2=1737117&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Wed Mar 30 14:52:41 2016
@@ -1111,7 +1111,7 @@
<attribute name="honorCipherOrder" required="false">
<p>Set to <code>true</code> to enforce the server's cipher order
(from the <code>ciphers</code> setting) instead of allowing
- the client to choose the cipher. The default is <code>true</code>.</p>
+ the client to choose the cipher. The default is <code>false</code>.</p>
</attribute>
<attribute name="hostName" required="false">