Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/03/31 11:57:37 UTC

svn commit: r1737212 - in /tomcat/tc8.0.x/trunk: java/org/apache/tomcat/util/net/JIoEndpoint.java java/org/apache/tomcat/util/net/Nio2Endpoint.java java/org/apache/tomcat/util/net/NioEndpoint.java webapps/docs/changelog.xml

Author: markt
Date: Thu Mar 31 09:57:37 2016
New Revision: 1737212

URL: http://svn.apache.org/viewvc?rev=1737212&view=rev
Log:
Exclude weak DH keys for JSSE when running on Java 7.
This improves the SSL Labs score for the default config to A-.

Modified:
    tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java
    tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
    tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
    tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java?rev=1737212&r1=1737211&r2=1737212&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java Thu Mar 31 09:57:37 2016
@@ -27,6 +27,7 @@ import java.util.concurrent.RejectedExec
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.jsse.JSSESocketFactory;
 
@@ -71,6 +72,11 @@ public class JIoEndpoint extends Abstrac
         // Reduce the executor timeout for BIO as threads in keep-alive will not
         // terminate when the executor interrupts them.
         setExecutorTerminationTimeoutMillis(0);
+        // If running on Java 7, the insecure DHE ciphers need to be excluded by
+        // default
+        if (!JreCompat.isJre8Available()) {
+            setCiphers(DEFAULT_CIPHERS + ":!DHE");
+        }
     }
 
     // ------------------------------------------------------------- Properties
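Review bot: The comment above the new `setCiphers(DEFAULT_CIPHERS + ":!DHE")` call says the "DHE ciphers" are insecure, but the changelog entry in this same commit gives the real reason: the suites themselves are fine, it is the 768-bit ephemeral DH parameters that Java 7's JSSE generates and cannot be told to enlarge that are weak. A later maintainer re-auditing the cipher list could read "insecure DHE" and drop the exclusion under the wrong rationale, so suggest `// Java 7 JSSE generates 768 bit ephemeral DH parameters and offers no way to enlarge them, so drop DHE suites from the default list`. The comment should also say that this is only the default: a connector with an explicit `ciphers` attribute presumably replaces this list and silently regains DHE on Java 7. The constructor these lines belong to begins outside the hunk.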

Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java?rev=1737212&r1=1737211&r2=1737212&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java Thu Mar 31 09:57:37 2016
@@ -46,6 +46,7 @@ import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.collections.SynchronizedStack;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.SecureNio2Channel.ApplicationBufferHandler;
 import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
@@ -120,9 +121,19 @@ public class Nio2Endpoint extends Abstra
     private SynchronizedStack<Nio2Channel> nioChannels;
 
 
-    // ------------------------------------------------------------- Properties
+    // ------------------------------------------------------------ Constructor
+
+    public Nio2Endpoint() {
+        // If running on Java 7, the insecure DHE ciphers need to be excluded by
+        // default
+        if (!JreCompat.isJre8Available()) {
+            setCiphers(DEFAULT_CIPHERS + ":!DHE");
+        }
+    }
 
 
+    // ------------------------------------------------------------- Properties
+
     /**
      * Use the object caches to reduce GC at the expense of additional memory use.
      */
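Review bot: The `!JreCompat.isJre8Available()` guard and the `DEFAULT_CIPHERS + ":!DHE"` literal are now copied verbatim into this constructor and into the JIoEndpoint and NioEndpoint constructors in the same commit, so any later adjustment to the exclusion (a different alias, a further JRE-version condition) has to be kept in sync by hand across three files. Since `DEFAULT_CIPHERS` and `setCiphers` appear to be inherited from the common endpoint base class, the choice of default could live there once, e.g. a `protected static final String DEFAULT_CIPHERS_JRE7 = DEFAULT_CIPHERS + ":!DHE";` next to `DEFAULT_CIPHERS`, with each constructor reduced to `setCiphers(JreCompat.isJre8Available() ? DEFAULT_CIPHERS : DEFAULT_CIPHERS_JRE7);`. Whether the base class already initialises the cipher field from `DEFAULT_CIPHERS` is not visible here, so the exact placement needs checking against AbstractEndpoint.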

Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1737212&r1=1737211&r2=1737212&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Thu Mar 31 09:57:37 2016
@@ -55,6 +55,7 @@ import org.apache.tomcat.util.ExceptionU
 import org.apache.tomcat.util.IntrospectionUtils;
 import org.apache.tomcat.util.collections.SynchronizedQueue;
 import org.apache.tomcat.util.collections.SynchronizedStack;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.SecureNioChannel.ApplicationBufferHandler;
 import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
@@ -143,9 +144,19 @@ public class NioEndpoint extends Abstrac
     private SynchronizedStack<NioChannel> nioChannels;
 
 
-    // ------------------------------------------------------------- Properties
+    // ------------------------------------------------------------ Constructor
+
+    public NioEndpoint() {
+        // If running on Java 7, the insecure DHE ciphers need to be excluded by
+        // default
+        if (!JreCompat.isJre8Available()) {
+            setCiphers(DEFAULT_CIPHERS + ":!DHE");
+        }
+    }
 
 
+    // ------------------------------------------------------------- Properties
+
     /**
      * Generic properties, introspected
      */
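Review bot: The new constructor excludes DHE only when Java 8 is unavailable, which encodes an assumption that Java 8's ephemeral DH parameters are acceptable; that presumably rests on the JRE's DH key-size default (and, if applicable, the `jdk.tls.ephemeralDHKeySize` property), and the comment should record that so the condition is revisited if the baseline changes. It is also worth noting on the `setCiphers` line that the `:!DHE` alias is interpreted by Tomcat's OpenSSL-syntax cipher parser, so the exclusion is only as complete as that alias's mapping to the JSSE `TLS_DHE_*` suite names (both the RSA and DSS variants) — confirm against the parser rather than assume it. Suggested wording: `// Default only; an explicit ciphers attribute replaces this list. Relies on the OpenSSL-syntax parser mapping "DHE" to all TLS_DHE_* suites.`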

Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1737212&r1=1737211&r2=1737212&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 09:57:37 2016
@@ -71,6 +71,15 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Coyote">
+    <changelog>
+      <fix>
+        When running on Java 7, exclude DHE ciphers from the default cipher list
+        for JSSE connectors since they use weak 768 bit DH keys and cannot be
+        configured to use more secure keys. (markt) 
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Tribes">
     <changelog>
       <fix>


