Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/31 13:08:12 UTC
svn commit: r1737224 - in /tomcat/tc8.0.x/trunk:
java/org/apache/tomcat/util/net/AbstractEndpoint.java
webapps/docs/changelog.xml webapps/docs/config/http.xml
Author: markt
Date: Thu Mar 31 11:08:11 2016
New Revision: 1737224
URL: http://svn.apache.org/viewvc?rev=1737224&view=rev
Log:
Default ciphers +="!kRSA"
SSL Labs now reports an A grade for the default TLS config for JSSE and APR/native with Java 7 and 8.
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1737224&r1=1737223&r2=1737224&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Mar 31 11:08:11 2016
@@ -53,7 +53,7 @@ public abstract class AbstractEndpoint<S
// -------------------------------------------------------------- Constants
- protected static final String DEFAULT_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5";
+ protected static final String DEFAULT_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
protected static final StringManager sm = StringManager.getManager("org.apache.tomcat.util.net.res");
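Review bot: DEFAULT_CIPHERS is a single constant applied regardless of Java version, yet the http.xml hunk in this same commit documents that on Java 7 a JSSE connector additionally gets !DHE; that version-specific logic is not in this hunk, so a short comment next to the constant pointing at where the Java 7 adjustment happens would save the next maintainer a search. It would also be worth adding a unit test that resolves the default list through the JSSE cipher parser and asserts that no TLS_RSA_WITH_* suite survives, since !kRSA is the only change here and a regression in the OpenSSL-notation parser would silently re-enable static RSA key exchange.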
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1737224&r1=1737223&r2=1737224&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 11:08:11 2016
@@ -84,6 +84,10 @@
The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code>
which protects against weak Diffie-Hellman keys with Java 8. (markt)
</add>
+ <update>
+ Exclude ciphers that use RSA keys from the default cipher list since
+ they do not support forward secrecy. (markt)
+ </update>
</changelog>
</subsection>
<subsection name="Tribes">
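Review bot: the wording "ciphers that use RSA keys" in the new <update> entry is broader than what the code change does; !kRSA excludes only suites that use RSA for key exchange (static RSA), while suites that authenticate with an RSA certificate but negotiate keys with ECDHE or DHE remain enabled and do offer forward secrecy. Suggest "Exclude ciphers that use RSA key exchange from the default cipher list since they do not support forward secrecy." so readers do not conclude that RSA certificates are no longer usable.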
Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml?rev=1737224&r1=1737223&r2=1737224&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml Thu Mar 31 11:08:11 2016
@@ -1121,7 +1121,9 @@
of ciphers supported and the syntax). The behaviour of this filtering is
kept aligned with the behaviour of the OpenSSL 1.0.2 stable branch.</p>
<p>If not specified, a default (using the OpenSSL notation) of
- <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5</code> will be used.</p>
+ <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA</code> will be used
+ when running on Java 8 or later. On Java 7, <code>!DHE</code> will be
+ added to this default when using a JSSE based connector.</p>
<p>Note that Java does not treat the order in which ciphers are defined as
an order of preference. See <code>useServerCipherSuitesOrder</code>.</p>
</attribute>
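Review bot: the Java 7 sentence states that <code>!DHE</code> is appended for JSSE connectors but gives no reason, and the surrounding changelog context (which ties <code>jdk.tls.ephemeralDHKeySize=2048</code> to Java 8) invites the obvious question of why DHE is dropped on Java 7; one clause explaining the motivation would make the default self-explanatory. Since the documented Java 7 default excludes both kRSA and DHE, the HIGH suites that remain on a JSSE connector will be the ECDHE family; stating that explicitly would help administrators understand why an EC-capable provider is needed for the default configuration to yield any usable cipher suites.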