Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/08/01 21:11:28 UTC
svn commit: r1615206 - in /tomcat/trunk: conf/catalina.properties
java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
webapps/docs/config/systemprops.xml
Author: markt
Date: Fri Aug 1 19:11:28 2014
New Revision: 1615206
URL: http://svn.apache.org/r1615206
Log:
The DEFAULT alias has a specific, expected meaning. Don't make it configurable.
Modified:
tomcat/trunk/conf/catalina.properties
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
tomcat/trunk/webapps/docs/config/systemprops.xml
Modified: tomcat/trunk/conf/catalina.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.properties?rev=1615206&r1=1615205&r2=1615206&view=diff
==============================================================================
--- tomcat/trunk/conf/catalina.properties (original)
+++ tomcat/trunk/conf/catalina.properties Fri Aug 1 19:11:28 2014
@@ -126,11 +126,6 @@ xom-*.jar
# scan types by configuring a JarScanner with a nested JarScanFilter.
tomcat.util.scan.StandardJarScanFilter.jarsToScan=log4j-core*.jar,log4j-taglib*.jar
-# Default SSL cipher suite
-# Other OpenSSL syntax cipher suites that can be used in Tomcat:
-# https://wiki.mozilla.org/Security/Server_Side_TLS
-tomcat.ssl.ciphers=HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
-
# String cache configuration.
tomcat.util.buf.StringCache.byte.enabled=true
#tomcat.util.buf.StringCache.char.enabled=true
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1615206&r1=1615205&r2=1615206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java Fri Aug 1 19:11:28 2014
@@ -40,11 +40,6 @@ public class OpenSSLCipherConfigurationP
private static final StringManager sm =
StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
- /**
- * System property key to define the DEFAULT ciphers.
- */
- public static final String DEFAULT_EXPRESSION_KEY = "openssl.default.ciphers";
-
private static boolean initialized = false;
private static final String SEPARATOR = ":|,| ";
@@ -461,10 +456,10 @@ public class OpenSSLCipherConfigurationP
addListAlias(KRB5, filter(allCiphers, null, Collections.singleton(KeyExchange.KRB5), Collections.singleton(Authentication.KRB5), null, null, null));
initialized = true;
// Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2
- String defaultExpression = System.getProperty(DEFAULT_EXPRESSION_KEY, "ALL:!eNULL:!aNULL:!SSLv2");
- addListAlias(DEFAULT, parse(defaultExpression));
+ addListAlias(DEFAULT, parse("ALL:!eNULL:!aNULL:!SSLv2"));
LinkedHashSet<Cipher> complementOfDefault = new LinkedHashSet<>(all);
complementOfDefault.removeAll(aliases.get(DEFAULT));
+ complementOfDefault.removeAll(aliases.get(SSLv2));
addListAlias(COMPLEMENTOFDEFAULT, complementOfDefault);
}
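Review bot: The added `complementOfDefault.removeAll(aliases.get(SSLv2));` has no comment, and after it COMPLEMENTOFDEFAULT is no longer the strict complement of DEFAULT, because SSLv2 ciphers are now in neither alias. I would add `// SSLv2 ciphers are excluded from both DEFAULT and COMPLEMENTOFDEFAULT, so this alias is not the strict complement` above that line. The call also assumes the SSLv2 alias was registered earlier in this method, which starts outside the hunk, since `removeAll(null)` would throw. Separately, the now fixed expression `ALL:!eNULL:!aNULL:!SSLv2` does not exclude the EXPORT, DES, RC4 and MD5 suites that the `tomcat.ssl.ciphers` value removed from catalina.properties did. Extending the existing comment to say that DEFAULT mirrors OpenSSL's alias and is not a hardened baseline would stop readers from treating it as a safe cipher list.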
Modified: tomcat/trunk/webapps/docs/config/systemprops.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/systemprops.xml?rev=1615206&r1=1615205&r2=1615206&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/systemprops.xml (original)
+++ tomcat/trunk/webapps/docs/config/systemprops.xml Fri Aug 1 19:11:28 2014
@@ -611,10 +611,6 @@
<p>The URL for the catalina.properties configuration file.</p>
</property>
- <property name="tomcat.ssl.ciphers">
- <p>The default cipher suite that will be used by the endpoints.</p>
- </property>
-
<property name="tomcat.util.buf.StringCache.byte.enabled">
<p>If <code>true</code>, the String cache is enabled for
<code>ByteChunk</code>.</p>