Posted to dev@tomcat.apache.org by vi...@apache.org on 2016/03/22 08:37:22 UTC
svn commit: r1736145 - in /tomcat/trunk: conf/server.xml webapps/docs/changelog.xml
Author: violetagg
Date: Tue Mar 22 07:37:21 2016
New Revision: 1736145
URL: http://svn.apache.org/viewvc?rev=1736145&view=rev
Log:
Remove honorCipherOrder="false" from the server.xml.
When the block is uncommented the implementation will use the default which is honorCipherOrder="true"
Patch provided by Huxing Zhang
Modified:
tomcat/trunk/conf/server.xml
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/conf/server.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/server.xml?rev=1736145&r1=1736144&r2=1736145&view=diff
==============================================================================
--- tomcat/trunk/conf/server.xml (original)
+++ tomcat/trunk/conf/server.xml Tue Mar 22 07:37:21 2016
@@ -98,7 +98,7 @@
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150" SSLEnabled="true" >
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
- <SSLHostConfig honorCipherOrder="false" >
+ <SSLHostConfig>
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
certificateFile="conf/localhost-rsa-cert.pem"
certificateChainFile="conf/localhost-rsa-chain.pem"
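Review bot: the `<SSLHostConfig>` line in this sample now relies silently on the default for honorCipherOrder, so someone who uncomments the block gets no hint that the attribute exists or which value is in effect. A short XML comment above the element naming the attribute and its default (the log message says "true") would keep that visible and show where to override it.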
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1736145&r1=1736144&r2=1736145&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Mar 22 07:37:21 2016
@@ -82,6 +82,18 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Other">
+ <changelog>
+ <fix>
+ <bug>59209<bug>: Remove <code>honorCipherOrder=false</code> attribute
+ from the connector example in server.xml. When the block is uncommented
+ the connector will use the default value for this attribute which is
+ <code>true</code>. If one needs to disable it, one can add it
+ explicitly to the connector definition. Patch is provided by Huxing
+ Zhang. (violetagg)
+ </fix>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 9.0.0.M4" rtext="2016-03-16">
<subsection name="Catalina">
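Review bot: in the added `<fix>` entry, `<bug>59209<bug>` opens a second bug element instead of closing the first, which leaves changelog.xml not well-formed; it should read `<bug>59209</bug>`. The entry also writes `honorCipherOrder=false` without the quotes used in server.xml and in the log message, so quoting the value would keep the two consistent.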
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1736145 - in /tomcat/trunk: conf/server.xml webapps/docs/changelog.xml
Posted by Violeta Georgieva <mi...@gmail.com>.
Hi,
2016-03-22 18:04 GMT+02:00 Mark Thomas <ma...@apache.org>:
>
> On 22/03/2016 07:37, violetagg@apache.org wrote:
> > Author: violetagg
> > Date: Tue Mar 22 07:37:21 2016
> > New Revision: 1736145
> >
> > URL: http://svn.apache.org/viewvc?rev=1736145&view=rev
> > Log:
> > Remove honorCipherOrder="false" from the server.xml.
> > When the block is uncommented the implementation will use the default which is honorCipherOrder="true"
> > Patch provided by Huxing Zhang
>
> I'm not sure this is entirely the right approach.
>
> honorCipherOrder was more necessary a few years ago when servers
> supported weak ciphers and clients asked for them early in the priority
> list. The TLS landscape has changed a lot since then.
>
> I think we can make the default for honorCipherOrder false.
I reverted this in Tomcat 9.0.0
Regards,
Violeta
> Mark
Re: svn commit: r1736145 - in /tomcat/trunk: conf/server.xml webapps/docs/changelog.xml
Posted by Mark Thomas <ma...@apache.org>.
On 22/03/2016 07:37, violetagg@apache.org wrote:
> Author: violetagg
> Date: Tue Mar 22 07:37:21 2016
> New Revision: 1736145
>
> URL: http://svn.apache.org/viewvc?rev=1736145&view=rev
> Log:
> Remove honorCipherOrder="false" from the server.xml.
> When the block is uncommented the implementation will use the default which is honorCipherOrder="true"
> Patch provided by Huxing Zhang
I'm not sure this is entirely the right approach.
honorCipherOrder was more necessary a few years ago when servers
supported weak ciphers and clients asked for them early in the priority
list. The TLS landscape has changed a lot since then.
I think we can make the default for honorCipherOrder false.
Mark
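The trade-off discussed in this thread, modelled as an added example that is not part of the original messages or of Tomcat's code: cipher selection is run once in server order (honorCipherOrder="true") and once in client order ("false"), against a server that still enables a weak suite and one that does not. The cipher lists, the weak-suite markers and the function names are assumptions constructed for illustration.

```python
# Substrings treated as weak for this illustration (an assumption of the
# example, not a list taken from Tomcat).
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT_", "_MD5")


def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)


def negotiate(client_prefs, server_prefs, honor_cipher_order):
    """Return the first mutually supported suite, or None if there is none.

    honor_cipher_order=True walks the server's list; False walks the client's.
    """
    ordered, other = ((server_prefs, client_prefs) if honor_cipher_order
                      else (client_prefs, server_prefs))
    return next((suite for suite in ordered if suite in other), None)


def compare(client_prefs, server_prefs):
    """Negotiate both ways and flag a weak result for either setting."""
    by_server = negotiate(client_prefs, server_prefs, True)
    by_client = negotiate(client_prefs, server_prefs, False)
    return {
        "honorCipherOrder=true": by_server,
        "honorCipherOrder=false": by_client,
        "weak_if_true": by_server is not None and is_weak(by_server),
        "weak_if_false": by_client is not None and is_weak(by_client),
    }


# Constructed sample data: an old client that lists RC4 first, a legacy server
# that still enables RC4, and a server with the weak suite removed.
OLD_CLIENT = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
LEGACY_SERVER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
]
HARDENED_SERVER = LEGACY_SERVER[:2]

if __name__ == "__main__":
    for name, server in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        print(name, compare(OLD_CLIENT, server))
```

In the legacy case only the client-order run lands on the weak suite; once the server list contains no weak suites, the setting changes which strong suite is chosen but not whether the result is weak.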