You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by re...@apache.org on 2022/03/17 13:58:51 UTC
[tomcat] branch main updated: Use a constant for the cipher suite
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 49b5aac Use a constant for the cipher suite
49b5aac is described below
commit 49b5aac59a5db551383868ccd66f3e5513fe109a
Author: remm <re...@apache.org>
AuthorDate: Thu Mar 17 14:56:44 2022 +0100
Use a constant for the cipher suite
This will allow skipping setting it when it is known to be useless
(example: OpenSSL TLS 1.3, where it is best to leave the impl defaults).
---
java/org/apache/tomcat/util/net/SSLHostConfig.java | 3 ++-
webapps/docs/changelog.xml | 9 +++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 2c1c0c3..af60ecc 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -54,6 +54,7 @@ public class SSLHostConfig implements Serializable {
// keys in Maps.
protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
+ public static final String DEFAULT_TLS_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
static {
/* Default used if protocols are not configured, also used if
@@ -95,7 +96,7 @@ public class SSLHostConfig implements Serializable {
private int certificateVerificationDepth = 10;
// Used to track if certificateVerificationDepth has been explicitly set
private boolean certificateVerificationDepthConfigured = false;
- private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+ private String ciphers = DEFAULT_TLS_CIPHERS;
private LinkedHashSet<Cipher> cipherList = null;
private List<String> jsseCipherNames = null;
private boolean honorCipherOrder = false;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 64ff59b..47da205 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -136,6 +136,15 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ Use a constant for the default TLS cipher suite. This will allow
+ skipping setting it in some cases (for example, it does not make
+ sense for OpenSSL TLS 1.3). (remm)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Other">
<changelog>
<fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org