Posted to dev@tomcat.apache.org by re...@apache.org on 2022/03/17 13:58:51 UTC

[tomcat] branch main updated: Use a constant for the cipher suite

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new 49b5aac  Use a constant for the cipher suite
49b5aac is described below

commit 49b5aac59a5db551383868ccd66f3e5513fe109a
Author: remm <re...@apache.org>
AuthorDate: Thu Mar 17 14:56:44 2022 +0100

    Use a constant for the cipher suite
    
    This will allow skipping setting it when it is known to be useless
    (example: OpenSSL TLS 1.3, where it is best to leave the impl defaults).
---
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 3 ++-
 webapps/docs/changelog.xml                         | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 2c1c0c3..af60ecc 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -54,6 +54,7 @@ public class SSLHostConfig implements Serializable {
     // keys in Maps.
     protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
     protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
+    public static final String DEFAULT_TLS_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
 
     static {
         /* Default used if protocols are not configured, also used if
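Review bot: The added `DEFAULT_TLS_CIPHERS` is a public constant with no Javadoc, and unlike the neighbouring `protected` constants it is now visible to every package. A comment should say that the value is in OpenSSL cipher-list syntax (the `jsseCipherNames` field further down suggests it is translated for JSSE elsewhere, though that code is not in the hunk), that it deliberately drops anonymous, null, export, DES, RC4, MD5 and static-RSA (non-forward-secret) suites, and that code checking for "still at the default" must use `DEFAULT_TLS_CIPHERS.equals(ciphers)` rather than `==`, since a configured string with identical content is not interned. Suggested line: `/** Default cipher list in OpenSSL syntax; compare with equals(), not ==, when testing for an unconfigured value. */`. The enclosing class body continues outside the hunk.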
@@ -95,7 +96,7 @@ public class SSLHostConfig implements Serializable {
     private int certificateVerificationDepth = 10;
     // Used to track if certificateVerificationDepth has been explicitly set
     private boolean certificateVerificationDepthConfigured = false;
-    private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+    private String ciphers = DEFAULT_TLS_CIPHERS;
     private LinkedHashSet<Cipher> cipherList = null;
     private List<String> jsseCipherNames = null;
     private boolean honorCipherOrder = false;
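Review bot: Detecting the unconfigured case by comparing `ciphers` against the new constant, which is what the commit message says this enables, cannot distinguish an administrator who explicitly set exactly the default string, so on an OpenSSL TLS 1.3 endpoint that explicit choice would be skipped silently as well. The context lines just above already solve this for `certificateVerificationDepth` with a separate `certificateVerificationDepthConfigured` flag; the same pattern, `private boolean ciphersConfigured = false;` set to `true` in the ciphers setter, gives an unambiguous signal. The setter and the code that will consume the flag are outside the hunk, so I cannot confirm how the comparison is done there. The enclosing class body continues outside the hunk.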
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 64ff59b..47da205 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -136,6 +136,15 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        Use a constant for the default TLS cipher suite. This will allow
+        skipping setting it in some cases (for example, it does not make
+        sense for OpenSSL TLS 1.3). (remm)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Other">
     <changelog>
       <fix>
