Posted to dev@tomcat.apache.org by re...@apache.org on 2022/03/17 14:01:14 UTC
[tomcat] branch 10.0.x updated: Use a constant for the cipher suite
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push:
new 73bf00c Use a constant for the cipher suite
73bf00c is described below
commit 73bf00ca008b53dae8e95f75a8cdc0dd36c1fe2e
Author: remm <re...@apache.org>
AuthorDate: Thu Mar 17 14:56:44 2022 +0100
Use a constant for the cipher suite
This will allow skipping setting it when it is known to be useless
(example: OpenSSL TLS 1.3, where it is best to leave the impl defaults).
---
java/org/apache/tomcat/util/net/SSLHostConfig.java | 3 ++-
webapps/docs/changelog.xml | 9 +++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 2c1c0c3..af60ecc 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -54,6 +54,7 @@ public class SSLHostConfig implements Serializable {
// keys in Maps.
protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
+ public static final String DEFAULT_TLS_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
static {
/* Default used if protocols are not configured, also used if
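Review bot: DEFAULT_TLS_CIPHERS is declared public while the neighbouring DEFAULT_SSL_HOST_NAME and SSL_PROTO_ALL_SET on the lines above are protected; if the wider visibility is deliberate so that the OpenSSL code path named in the commit message can tell whether the configured value is still the default, a one-line Javadoc saying so (and noting that the value is an OpenSSL-format cipher string, not a JSSE suite name) would document the new public API surface.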
@@ -95,7 +96,7 @@ public class SSLHostConfig implements Serializable {
private int certificateVerificationDepth = 10;
// Used to track if certificateVerificationDepth has been explicitly set
private boolean certificateVerificationDepthConfigured = false;
- private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+ private String ciphers = DEFAULT_TLS_CIPHERS;
private LinkedHashSet<Cipher> cipherList = null;
private List<String> jsseCipherNames = null;
private boolean honorCipherOrder = false;
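Review bot: only the initializer changes here, so the "skip setting it" behaviour from the commit message still depends on a later comparison of `ciphers` against DEFAULT_TLS_CIPHERS; that comparison should use equals() rather than ==, because a value parsed from server.xml is a different String instance even when its text is identical, and it is worth noting that an explicitly configured identical string will then also be treated as the default.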
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 34f2c8f..67f8bcb 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -131,6 +131,15 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Use a constant for the default TLS cipher suite. This will allow
+ skipping setting it in some cases (for example, it does not make
+ sense for OpenSSL TLS 1.3). (remm)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Other">
<changelog>
<fix>
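Review bot: the new Coyote entry describes a refactoring with no user-visible behaviour change, so `<scode>` would classify it more accurately than `<fix>`; also "default TLS cipher suite" names a single suite, while the constant is an OpenSSL-format cipher list, so "default TLS cipher list" would be the more precise wording.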
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
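The value the commit turns into a constant is an OpenSSL-format cipher string, and with OpenSSL 1.1.1 and later that string does not govern TLS 1.3 cipher suites at all (those are set separately via SSL_CTX_set_ciphersuites), which is why the commit message calls setting it useless there. The following added example, not Tomcat code, lints a configured `ciphers` value against the exclusions in the default, distinguishing OpenSSL's `!` (permanent removal) from `-` (removal that a later element can undo); the sample inputs are constructed.

```python
"""Lint an OpenSSL-format cipher string against the exclusions in Tomcat's default.

Added example, not Tomcat code. DEFAULT_TLS_CIPHERS is copied from the commit
above; the weakened sample string further down is constructed for illustration.
"""
from typing import List

# Default value of SSLHostConfig.ciphers, as introduced by the commit.
DEFAULT_TLS_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"

# The categories the default removes permanently with '!'.
REQUIRED_EXCLUSIONS = [e[1:] for e in DEFAULT_TLS_CIPHERS.split(":") if e.startswith("!")]


def lint_cipher_string(ciphers: str) -> List[str]:
    """Return findings for every default exclusion that is missing or weakened.

    An empty list means the string keeps all of the default's '!' exclusions.
    """
    findings: List[str] = []
    elements = [e.strip() for e in ciphers.split(":") if e.strip()]
    # OpenSSL semantics: '!' deletes permanently, '-' deletes but allows
    # a later element (bare or '+') to add the matching suites back.
    permanent = {e[1:] for e in elements if e.startswith("!")}
    soft = {e[1:] for e in elements if e.startswith("-")}
    for name in REQUIRED_EXCLUSIONS:
        if name in permanent:
            continue
        if name in soft:
            findings.append(
                f"{name} excluded with '-' rather than '!'; a later element can re-enable it"
            )
        else:
            findings.append(f"{name} is not excluded")
    return findings


if __name__ == "__main__":
    # Constructed weakened string: drops several exclusions and softens RC4.
    for value in (DEFAULT_TLS_CIPHERS, "HIGH:!aNULL:-RC4:!MD5"):
        print(value, "->", lint_cipher_string(value) or "ok")
```

Because `!` cannot be undone later in the string, a lint that only looks for the token text (without the prefix) would miss the `-RC4` weakening shown in the second sample.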
Re: [tomcat] branch 10.0.x updated: Use a constant for the cipher suite
Posted by Mark Thomas <ma...@apache.org>.
On 17/03/2022 14:07, Rémy Maucherat wrote:
> On Thu, Mar 17, 2022 at 3:01 PM <re...@apache.org> wrote:
>>
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> remm pushed a commit to branch 10.0.x
>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>>
>>
>> The following commit(s) were added to refs/heads/10.0.x by this push:
>> new 73bf00c Use a constant for the cipher suite
>> 73bf00c is described below
>>
>> commit 73bf00ca008b53dae8e95f75a8cdc0dd36c1fe2e
>> Author: remm <re...@apache.org>
>> AuthorDate: Thu Mar 17 14:56:44 2022 +0100
>>
>> Use a constant for the cipher suite
>>
>> This will allow skipping setting it when it is known to be useless
>> (example: OpenSSL TLS 1.3, where it is best to leave the impl defaults).
>
> Oops, cherry picking this and pushing gives:
> remote: Internal Server Error
> To github.com:apache/tomcat.git
> ! [remote rejected] 9.0.x -> 9.0.x (Internal Server Error)
> error: failed to push some refs to 'github.com:apache/tomcat.git'
Strange. Want me to try?
Mark
>
> Sounds scary ...
>
> Rémy
>
>> ---
>> java/org/apache/tomcat/util/net/SSLHostConfig.java | 3 ++-
>> webapps/docs/changelog.xml | 9 +++++++++
>> 2 files changed, 11 insertions(+), 1 deletion(-)
>>
>> diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
>> index 2c1c0c3..af60ecc 100644
>> --- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
>> +++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
>> @@ -54,6 +54,7 @@ public class SSLHostConfig implements Serializable {
>> // keys in Maps.
>> protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
>> protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
>> + public static final String DEFAULT_TLS_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
>>
>> static {
>> /* Default used if protocols are not configured, also used if
>> @@ -95,7 +96,7 @@ public class SSLHostConfig implements Serializable {
>> private int certificateVerificationDepth = 10;
>> // Used to track if certificateVerificationDepth has been explicitly set
>> private boolean certificateVerificationDepthConfigured = false;
>> - private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
>> + private String ciphers = DEFAULT_TLS_CIPHERS;
>> private LinkedHashSet<Cipher> cipherList = null;
>> private List<String> jsseCipherNames = null;
>> private boolean honorCipherOrder = false;
>> diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
>> index 34f2c8f..67f8bcb 100644
>> --- a/webapps/docs/changelog.xml
>> +++ b/webapps/docs/changelog.xml
>> @@ -131,6 +131,15 @@
>> </fix>
>> </changelog>
>> </subsection>
>> + <subsection name="Coyote">
>> + <changelog>
>> + <fix>
>> + Use a constant for the default TLS cipher suite. This will allow
>> + skipping setting it in some cases (for example, it does not make
>> + sense for OpenSSL TLS 1.3). (remm)
>> + </fix>
>> + </changelog>
>> + </subsection>
>> <subsection name="Other">
>> <changelog>
>> <fix>
>>
Re: [tomcat] branch 10.0.x updated: Use a constant for the cipher suite
Posted by Rémy Maucherat <re...@apache.org>.
On Thu, Mar 17, 2022 at 3:01 PM <re...@apache.org> wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> remm pushed a commit to branch 10.0.x
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/10.0.x by this push:
> new 73bf00c Use a constant for the cipher suite
> 73bf00c is described below
>
> commit 73bf00ca008b53dae8e95f75a8cdc0dd36c1fe2e
> Author: remm <re...@apache.org>
> AuthorDate: Thu Mar 17 14:56:44 2022 +0100
>
> Use a constant for the cipher suite
>
> This will allow skipping setting it when it is known to be useless
> (example: OpenSSL TLS 1.3, where it is best to leave the impl defaults).
Oops, cherry picking this and pushing gives:
remote: Internal Server Error
To github.com:apache/tomcat.git
! [remote rejected] 9.0.x -> 9.0.x (Internal Server Error)
error: failed to push some refs to 'github.com:apache/tomcat.git'
Sounds scary ...
Rémy
> ---
> java/org/apache/tomcat/util/net/SSLHostConfig.java | 3 ++-
> webapps/docs/changelog.xml | 9 +++++++++
> 2 files changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
> index 2c1c0c3..af60ecc 100644
> --- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
> +++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
> @@ -54,6 +54,7 @@ public class SSLHostConfig implements Serializable {
> // keys in Maps.
> protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
> protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
> + public static final String DEFAULT_TLS_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
>
> static {
> /* Default used if protocols are not configured, also used if
> @@ -95,7 +96,7 @@ public class SSLHostConfig implements Serializable {
> private int certificateVerificationDepth = 10;
> // Used to track if certificateVerificationDepth has been explicitly set
> private boolean certificateVerificationDepthConfigured = false;
> - private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
> + private String ciphers = DEFAULT_TLS_CIPHERS;
> private LinkedHashSet<Cipher> cipherList = null;
> private List<String> jsseCipherNames = null;
> private boolean honorCipherOrder = false;
> diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
> index 34f2c8f..67f8bcb 100644
> --- a/webapps/docs/changelog.xml
> +++ b/webapps/docs/changelog.xml
> @@ -131,6 +131,15 @@
> </fix>
> </changelog>
> </subsection>
> + <subsection name="Coyote">
> + <changelog>
> + <fix>
> + Use a constant for the default TLS cipher suite. This will allow
> + skipping setting it in some cases (for example, it does not make
> + sense for OpenSSL TLS 1.3). (remm)
> + </fix>
> + </changelog>
> + </subsection>
> <subsection name="Other">
> <changelog>
> <fix>
>