Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/08/01 21:11:28 UTC

svn commit: r1615206 - in /tomcat/trunk: conf/catalina.properties java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java webapps/docs/config/systemprops.xml

Author: markt
Date: Fri Aug  1 19:11:28 2014
New Revision: 1615206

URL: http://svn.apache.org/r1615206
Log:
The DEFAULT alias has a specific, expected meaning. Don't make it configurable.

Modified:
    tomcat/trunk/conf/catalina.properties
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
    tomcat/trunk/webapps/docs/config/systemprops.xml

Modified: tomcat/trunk/conf/catalina.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.properties?rev=1615206&r1=1615205&r2=1615206&view=diff
==============================================================================
--- tomcat/trunk/conf/catalina.properties (original)
+++ tomcat/trunk/conf/catalina.properties Fri Aug  1 19:11:28 2014
@@ -126,11 +126,6 @@ xom-*.jar
 # scan types by configuring a JarScanner with a nested JarScanFilter.
 tomcat.util.scan.StandardJarScanFilter.jarsToScan=log4j-core*.jar,log4j-taglib*.jar
 
-# Default SSL cipher suite
-# Other OpenSSL syntax cipher suites that can be used in Tomcat:
-# https://wiki.mozilla.org/Security/Server_Side_TLS
-tomcat.ssl.ciphers=HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
-
 # String cache configuration.
 tomcat.util.buf.StringCache.byte.enabled=true
 #tomcat.util.buf.StringCache.char.enabled=true

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1615206&r1=1615205&r2=1615206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java Fri Aug  1 19:11:28 2014
@@ -40,11 +40,6 @@ public class OpenSSLCipherConfigurationP
     private static final StringManager sm =
             StringManager.getManager("org.apache.tomcat.util.net.jsse.res");
 
-    /**
-     * System property key to define the DEFAULT ciphers.
-     */
-    public static final String DEFAULT_EXPRESSION_KEY = "openssl.default.ciphers";
-
     private static boolean initialized = false;
 
     private static final String SEPARATOR = ":|,| ";
@@ -461,10 +456,10 @@ public class OpenSSLCipherConfigurationP
         addListAlias(KRB5, filter(allCiphers, null, Collections.singleton(KeyExchange.KRB5), Collections.singleton(Authentication.KRB5), null, null, null));
         initialized = true;
         // Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2
-        String defaultExpression = System.getProperty(DEFAULT_EXPRESSION_KEY, "ALL:!eNULL:!aNULL:!SSLv2");
-        addListAlias(DEFAULT, parse(defaultExpression));
+        addListAlias(DEFAULT, parse("ALL:!eNULL:!aNULL:!SSLv2"));
         LinkedHashSet<Cipher> complementOfDefault = new LinkedHashSet<>(all);
         complementOfDefault.removeAll(aliases.get(DEFAULT));
+        complementOfDefault.removeAll(aliases.get(SSLv2));
         addListAlias(COMPLEMENTOFDEFAULT, complementOfDefault);
     }
 
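Review bot: The added `complementOfDefault.removeAll(aliases.get(SSLv2));` makes COMPLEMENTOFDEFAULT deviate from its literal OpenSSL meaning (everything in ALL that is not in DEFAULT) without saying why, while the matching deviation for DEFAULT two lines above is explained by a comment. A comment such as `// COMPLEMENTOFDEFAULT also drops SSLv2 so it never reintroduces the ciphers DEFAULT deliberately excludes` would keep the two cases in step. The value of `aliases.get(SSLv2)` is passed straight to removeAll, which throws NullPointerException if the SSLv2 alias has not been registered by this point; the registration order is outside the hunk, so this should be confirmed. Now that the DEFAULT expression is a fixed literal, giving it a name like `private static final String DEFAULT_EXPRESSION = "ALL:!eNULL:!aNULL:!SSLv2";` would also let the javadoc-style comment from the removed DEFAULT_EXPRESSION_KEY live on in a non-configurable form. The enclosing initialisation method begins before the hunk.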

Modified: tomcat/trunk/webapps/docs/config/systemprops.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/systemprops.xml?rev=1615206&r1=1615205&r2=1615206&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/systemprops.xml (original)
+++ tomcat/trunk/webapps/docs/config/systemprops.xml Fri Aug  1 19:11:28 2014
@@ -611,10 +611,6 @@
       <p>The URL for the catalina.properties configuration file.</p>
     </property>
 
-    <property name="tomcat.ssl.ciphers">
-      <p>The default cipher suite that will be used by the endpoints.</p>
-    </property>
-
     <property name="tomcat.util.buf.StringCache.byte.enabled">
       <p>If <code>true</code>, the String cache is enabled for
       <code>ByteChunk</code>.</p>


