Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/31 17:52:42 UTC
svn commit: r1737253 - in /tomcat/tc7.0.x/trunk:
java/org/apache/tomcat/util/net/AprEndpoint.java webapps/docs/changelog.xml
webapps/docs/config/http.xml
Author: markt
Date: Thu Mar 31 15:52:41 2016
New Revision: 1737253
URL: http://svn.apache.org/viewvc?rev=1737253&view=rev
Log:
Better default ciphers for APR/OpenSSL
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1737253&r1=1737252&r2=1737253&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Mar 31 15:52:41 2016
@@ -243,7 +243,7 @@ public class AprEndpoint extends Abstrac
/**
* SSL cipher suite.
*/
- protected String SSLCipherSuite = "ALL";
+ protected String SSLCipherSuite = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
public String getSSLCipherSuite() { return SSLCipherSuite; }
public void setSSLCipherSuite(String SSLCipherSuite) { this.SSLCipherSuite = SSLCipherSuite; }
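Review bot: The new default for `SSLCipherSuite` excludes single DES with `!DES` but not triple-DES. On OpenSSL builds that still classify the 3DES suites as `HIGH` (the 1.0.x line, as far as I know), the DHE/ECDHE 3DES suites would stay enabled by default, and appending `:!3DES` would make the default independent of that classification. The Javadoc above the field still says only "SSL cipher suite."; it could state that the value is an OpenSSL cipher-list expression and that `!kRSA` removes non-forward-secret RSA key exchange, so clients without (EC)DHE support will no longer negotiate. It could also note that any value given to `setSSLCipherSuite` replaces this default entirely, with no validation in the setter. The class body continues outside the hunk, so where the string is handed to OpenSSL is not visible here.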
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1737253&r1=1737252&r2=1737253&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 15:52:41 2016
@@ -164,8 +164,8 @@
(markt)
</fix>
<fix>
- Limit the default TLS ciphers to those currently considered secure.
- (markt)
+ Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL (APR) to
+ those currently considered secure. (markt)
</fix>
<add>
Add a new environment variable <code>JSSE_OPTS</code> that is intended
Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1737253&r1=1737252&r2=1737253&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Thu Mar 31 15:52:41 2016
@@ -1259,9 +1259,8 @@
<attribute name="SSLCipherSuite" required="false">
<p>Ciphers which may be used for communicating with clients. The default
- is "ALL", with other acceptable values being a list of ciphers, with ":"
- used as the delimiter (see OpenSSL documentation for the list of ciphers
- supported).</p>
+ is "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA". See the OpenSSL
+ documentation for details of the cipher configuration options.</p>
</attribute>
<attribute name="SSLDisableCompression" required="false">