Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/31 15:47:30 UTC

svn commit: r1737241 - in /tomcat/tc8.5.x/trunk: java/org/apache/tomcat/util/compat/ java/org/apache/tomcat/util/net/ webapps/docs/

Author: markt
Date: Thu Mar 31 13:47:30 2016
New Revision: 1737241

URL: http://svn.apache.org/viewvc?rev=1737241&view=rev
Log:
Exclude weak DH keys for JSSE when running on Java 7.
This improves the SSL Labs score for the default config to A.

Added:
    tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
      - copied unchanged from r1737212, tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/Jre8Compat.java
    tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java
      - copied unchanged from r1737212, tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/JreCompat.java
    tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/compat/LocalStrings.properties
      - copied unchanged from r1737212, tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/compat/LocalStrings.properties
Modified:
    tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
    tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1737241&r1=1737240&r2=1737241&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Thu Mar 31 13:47:30 2016
@@ -30,6 +30,7 @@ import javax.net.ssl.TrustManagerFactory
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
 import org.apache.tomcat.util.net.openssl.ciphers.OpenSSLCipherConfigurationParser;
 import org.apache.tomcat.util.res.StringManager;
@@ -42,6 +43,8 @@ public class SSLHostConfig {
     private static final Log log = LogFactory.getLog(SSLHostConfig.class);
     private static final StringManager sm = StringManager.getManager(SSLHostConfig.class);
 
+    private static final String DEFAULT_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+
     protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
     protected static final Set<String> SSL_PROTO_ALL = new HashSet<>();
 
@@ -81,7 +84,7 @@ public class SSLHostConfig {
     private String certificateRevocationListFile;
     private CertificateVerification certificateVerification = CertificateVerification.NONE;
     private int certificateVerificationDepth = 10;
-    private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+    private String ciphers;
     private LinkedHashSet<Cipher> cipherList = null;
     private List<String> jsseCipherNames = null;
     private boolean honorCipherOrder = false;
@@ -320,13 +323,21 @@ public class SSLHostConfig {
      * @return An OpenSSL cipher string for the current configuration.
      */
     public String getCiphers() {
+        if (ciphers == null) {
+            if (!JreCompat.isJre8Available() && Type.JSSE.equals(configType)) {
+                ciphers = DEFAULT_CIPHERS + ":!DHE";
+            } else {
+                ciphers = DEFAULT_CIPHERS;
+            }
+
+        }
         return ciphers;
     }
 
 
     public LinkedHashSet<Cipher> getCipherList() {
         if (cipherList == null) {
-            cipherList = OpenSSLCipherConfigurationParser.parse(ciphers);
+            cipherList = OpenSSLCipherConfigurationParser.parse(getCiphers());
         }
         return cipherList;
     }
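Review bot: The default chosen at the `!JreCompat.isJre8Available() && Type.JSSE.equals(configType)` test is cached into `ciphers` on the first `getCiphers()` call, so if that call happens before `configType` has been set (or the type is changed later) the cached default is the wrong one and a JSSE host on Java 7 would keep offering DHE; unless the setter for `configType` also clears `ciphers`, which is not visible here, it is safer to compute the default without storing it, as in the excerpt below. The reason for appending `:!DHE` is only recorded in the changelog and deserves a why-comment in the code, e.g. `// Java 7 JSSE only offers 768 bit ephemeral DH keys and cannot be configured for larger ones, so drop DHE`. The Javadoc `@return` line at the top of the hunk (its opening is outside the hunk) could also mention that the default differs per JRE and connector type. The stray blank line before the closing brace of the `if (ciphers == null)` block should go, and note that `getCipherList()` still caches `cipherList`, so it too is only as fresh as the first call.

```java
    public String getCiphers() {
        if (ciphers != null) {
            return ciphers;
        }
        // Java 7 JSSE only offers 768 bit ephemeral DH keys and cannot be
        // configured for larger ones, so drop DHE for JSSE on that JRE.
        if (!JreCompat.isJre8Available() && Type.JSSE.equals(configType)) {
            return DEFAULT_CIPHERS + ":!DHE";
        }
        return DEFAULT_CIPHERS;
    }
    // … unchanged: getCipherList() …
```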

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1737241&r1=1737240&r2=1737241&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Mar 31 13:47:30 2016
@@ -93,6 +93,11 @@
         The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code>
         which protects against weak Diffie-Hellman keys. (markt)
       </add>
+      <fix>
+        When running on Java 7, exclude DHE ciphers from the default cipher list
+        for JSSE connectors since they use weak 768 bit DH keys and cannot be
+        configured to use more secure keys. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="WebSocket">


