Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/31 15:47:30 UTC
svn commit: r1737241 - in /tomcat/tc8.5.x/trunk:
java/org/apache/tomcat/util/compat/ java/org/apache/tomcat/util/net/
webapps/docs/
Author: markt
Date: Thu Mar 31 13:47:30 2016
New Revision: 1737241
URL: http://svn.apache.org/viewvc?rev=1737241&view=rev
Log:
Exclude weak DH keys for JSSE when running on Java 7.
This improves the SSL Labs score for the default config to A.
Added:
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
- copied unchanged from r1737212, tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java
- copied unchanged from r1737212, tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/LocalStrings.properties
- copied unchanged from r1737212, tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/LocalStrings.properties
Modified:
tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1737241&r1=1737240&r2=1737241&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu Mar 31 13:47:30 2016
@@ -30,6 +30,7 @@ import javax.net.ssl.TrustManagerFactory
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.compat.JreCompat;
import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
import org.apache.tomcat.util.res.StringManager;
@@ -42,6 +43,8 @@ public class SSLHostConfig {
private static final Log log = LogFactory.getLog(SSLHostConfig.class);
private static final StringManager sm = StringManager.getManager(SSLHostConfig.class);
+ private static final String DEFAULT_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+
protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
protected static final Set<String> SSL_PROTO_ALL = new HashSet<>();
@@ -81,7 +84,7 @@ public class SSLHostConfig {
private String certificateRevocationListFile;
private CertificateVerification certificateVerification = CertificateVerification.NONE;
private int certificateVerificationDepth = 10;
- private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+ private String ciphers;
private LinkedHashSet<Cipher> cipherList = null;
private List<String> jsseCipherNames = null;
private boolean honorCipherOrder = false;
@@ -320,13 +323,21 @@ public class SSLHostConfig {
* @return An OpenSSL cipher string for the current configuration.
*/
public String getCiphers() {
+ if (ciphers == null) {
+ if (!JreCompat.isJre8Available() && Type.JSSE.equals(configType)) {
+ ciphers = DEFAULT_CIPHERS + ":!DHE";
+ } else {
+ ciphers = DEFAULT_CIPHERS;
+ }
+
+ }
return ciphers;
}
public LinkedHashSet<Cipher> getCipherList() {
if (cipherList == null) {
- cipherList = OpenSSLCipherConfigurationParser.parse(ciphers);
+ cipherList = OpenSSLCipherConfigurationParser.parse(getCiphers());
}
return cipherList;
}
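Review bot: The default computed in getCiphers() is written back into `ciphers` even though it depends on `configType`, so a call made before the config type is set (I cannot see where setConfigType runs, but Type.JSSE is only one of its values) locks in the non-JSSE default and the `!DHE` exclusion is never applied; the cipherList cache in getCipherList() has the same exposure. Returning the default instead of assigning it avoids the first problem: `return DEFAULT_CIPHERS + ":!DHE";` and `return DEFAULT_CIPHERS;` in place of the two assignments, leaving `ciphers` null until setCiphers() is called. It is also worth checking that no other code still reads the `ciphers` field directly now that it starts out null, since only getCipherList() is updated in this commit. The Javadoc above getCiphers() should state the Java 7 behaviour, e.g. `* On Java 7 the JSSE default additionally excludes DHE suites (768-bit DH keys, not configurable).`, and the stray blank line after the inner if/else could go. The enclosing class continues outside the hunk.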
Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1737241&r1=1737240&r2=1737241&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Mar 31 13:47:30 2016
@@ -93,6 +93,11 @@
The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code>
which protects against weak Diffie-Hellman keys. (markt)
</add>
+ <fix>
+ When running on Java 7, exclude DHE ciphers from the default cipher list
+ for JSSE connectors since they use weak 768 bit DH keys and cannot be
+ configured to use more secure keys. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="WebSocket">