Posted to dev@tomcat.apache.org by vi...@apache.org on 2016/03/22 08:37:22 UTC

svn commit: r1736145 - in /tomcat/trunk: conf/server.xml webapps/docs/changelog.xml

Author: violetagg
Date: Tue Mar 22 07:37:21 2016
New Revision: 1736145

URL: http://svn.apache.org/viewvc?rev=1736145&view=rev
Log:
Remove honorCipherOrder="false" from the server.xml.
When the block is uncommented the implementation will use the default which is honorCipherOrder="true"
Patch provided by Huxing Zhang

Modified:
    tomcat/trunk/conf/server.xml
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/conf/server.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/server.xml?rev=1736145&r1=1736144&r2=1736145&view=diff
==============================================================================
--- tomcat/trunk/conf/server.xml (original)
+++ tomcat/trunk/conf/server.xml Tue Mar 22 07:37:21 2016
@@ -98,7 +98,7 @@
     <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
                maxThreads="150" SSLEnabled="true" >
         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
-        <SSLHostConfig honorCipherOrder="false" >
+        <SSLHostConfig>
             <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                          certificateFile="conf/localhost-rsa-cert.pem"
                          certificateChainFile="conf/localhost-rsa-chain.pem"
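Review bot: After this change the bare `<SSLHostConfig>` line gives a reader of server.xml no hint that cipher ordering is configurable or which way it is set. The value the sample relies on (true) is stated only in the commit log. Uncommenting the block now switches the sample from client preference to server preference without anything in the file saying so. Suggest an XML comment next to the connector example naming honorCipherOrder and its default, so anyone who needs the previous behaviour knows to add the attribute back explicitly.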

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1736145&r1=1736144&r2=1736145&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Mar 22 07:37:21 2016
@@ -82,6 +82,18 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Other">
+    <changelog>
+      <fix>
+        <bug>59209<bug>: Remove <code>honorCipherOrder=false</code> attribute
+        from the connector example in server.xml. When the block is uncommented
+        the connector will use the default value for this attribute which is
+        <code>true</code>. If one needs to disable it, one can add it
+        explicitly to the connector definition. Patch is provided by Huxing
+        Zhang. (violetagg)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 9.0.0.M4" rtext="2016-03-16">
   <subsection name="Catalina">
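Review bot: The first line of the new `<fix>` entry reads `<bug>59209<bug>:`, which opens a second `<bug>` element instead of closing the first and leaves changelog.xml not well-formed. It should be `<bug>59209</bug>:`. The entry also writes the attribute as `honorCipherOrder=false` without quotes, while the server.xml hunk and the log message use `honorCipherOrder="false"`; quoting it the same way keeps the text copy-pasteable.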



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r1736145 - in /tomcat/trunk: conf/server.xml webapps/docs/changelog.xml

Posted by Violeta Georgieva <mi...@gmail.com>.
Hi,

2016-03-22 18:04 GMT+02:00 Mark Thomas <ma...@apache.org>:
>
> On 22/03/2016 07:37, violetagg@apache.org wrote:
> > Author: violetagg
> > Date: Tue Mar 22 07:37:21 2016
> > New Revision: 1736145
> >
> > URL: http://svn.apache.org/viewvc?rev=1736145&view=rev
> > Log:
> > Remove honorCipherOrder="false" from the server.xml.
> > When the block is uncommented the implementation will use the default which is honorCipherOrder="true"
> > Patch provided by Huxing Zhang
>
> I'm not sure this is entirely the right approach.
>
> honorCipherOrder was more necessary a few years ago when servers
> supported weak ciphers and clients asked for them early in the priority
> list. The TLS landscape has changed a lot since then.
>
> I think we can make the default for honorCipherOrder false.

I reverted this in Tomcat 9.0.0

Regards,
Violeta

> Mark
>

Re: svn commit: r1736145 - in /tomcat/trunk: conf/server.xml webapps/docs/changelog.xml

Posted by Mark Thomas <ma...@apache.org>.
On 22/03/2016 07:37, violetagg@apache.org wrote:
> Author: violetagg
> Date: Tue Mar 22 07:37:21 2016
> New Revision: 1736145
> 
> URL: http://svn.apache.org/viewvc?rev=1736145&view=rev
> Log:
> Remove honorCipherOrder="false" from the server.xml.
> When the block is uncommented the implementation will use the default which is honorCipherOrder="true"
> Patch provided by Huxing Zhang

I'm not sure this is entirely the right approach.

honorCipherOrder was more necessary a few years ago when servers
supported weak ciphers and clients asked for them early in the priority
list. The TLS landscape has changed a lot since then.

I think we can make the default for honorCipherOrder false.

Mark
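
The argument in the reply above, as an added example that is not part of the original thread or of Tomcat's code: a model of TLS 1.2-style suite selection showing that honorCipherOrder changes the outcome only while the server's list still contains a weak suite. The cipher lists, the WEAK set and the function names are constructed for illustration.

```python
# Added illustration: models TLS (<= 1.2) cipher suite selection only.
# All cipher lists below are constructed sample data, not Tomcat defaults.

WEAK = {"RC4-SHA", "DES-CBC3-SHA"}  # treated as weak for this example


def select_cipher(client_prefs, server_prefs, honor_cipher_order):
    """Return the suite the server picks, or None if there is no overlap.

    honor_cipher_order=True  -> walk the server's list (server preference)
    honor_cipher_order=False -> walk the client's list (client preference)
    """
    if honor_cipher_order:
        ordered, allowed = server_prefs, set(client_prefs)
    else:
        ordered, allowed = client_prefs, set(server_prefs)
    for suite in ordered:
        if suite in allowed:
            return suite
    return None


# Constructed client that lists a weak suite first.
LEGACY_CLIENT = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

# Constructed server lists: one still enables weak suites, one does not.
OLD_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]
MODERN_SERVER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]


def outcomes():
    """Negotiate every server/flag combination against LEGACY_CLIENT."""
    result = {}
    for name, server in (("old", OLD_SERVER), ("modern", MODERN_SERVER)):
        for honor in (True, False):
            suite = select_cipher(LEGACY_CLIENT, server, honor)
            result[(name, honor)] = (suite, suite in WEAK)
    return result


if __name__ == "__main__":
    for (server, honor), (suite, weak) in outcomes().items():
        print(f"{server:6} honorCipherOrder={honor!s:5} -> {suite} weak={weak}")
```

With the weak suites removed from the server's list, both settings negotiate the same strong suite, so the remaining control that matters is which suites are enabled at all.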
