Posted to dev@tomcat.apache.org by re...@apache.org on 2017/11/23 14:28:53 UTC
svn commit: r1816157 - in /tomcat/trunk/webapps/docs: changelog.xml
security-howto.xml
Author: remm
Date: Thu Nov 23 14:28:53 2017
New Revision: 1816157
URL: http://svn.apache.org/viewvc?rev=1816157&view=rev
Log:
61803: Remove outdated security considerations on SSL options. They changed, and the default is now secure, so it should be ok to drop them.
Modified:
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/security-howto.xml
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1816157&r1=1816156&r2=1816157&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Nov 23 14:28:53 2017
@@ -285,6 +285,10 @@
the Publisher when Tomcat is displayed in the list of installed
applications in Microsoft Windows. (kkolinko)
</update>
+ <fix>
+ <bug>61803</bug>: Remove outdated SSL information from the Security
+ documentation. (remm)
+ </fix>
</changelog>
</subsection>
</section>
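Review bot: The new <fix> entry describes the change only as "outdated SSL information", so a reader scanning the changelog cannot tell which guidance was withdrawn. Consider naming the two attributes whose paragraphs are removed from security-howto.xml in this same commit, for example "Remove outdated guidance on the sslEnabledProtocols and ciphers attributes from the Security documentation", so that administrators who followed the old text know which settings to re-check.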
Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1816157&r1=1816156&r2=1816157&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Thu Nov 23 14:28:53 2017
@@ -301,28 +301,6 @@
proxy uses AJP then the SSL attributes of the client connection are
passed via the AJP protocol and separate connectors are not needed.</p>
- <p>The <strong>sslEnabledProtocols</strong> attribute determines which
- versions of the SSL/TLS protocol are used. Since the POODLE attack in
- 2014, all SSL protocols are considered unsafe and a secure setting for
- this attribute in a standalone Tomcat setup might be
- <code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p>
-
- <p>The <strong>ciphers</strong> attribute controls the ciphers used for
- SSL connections. By default, the default ciphers for the JVM will be used.
- This usually means that the weak export grade ciphers will be included in
- the list of available ciphers. Secure environments will normally want to
- configure a more limited set of ciphers. This attribute accepts the
- <a href="https://www.openssl.org/docs/apps/ciphers.html" target="_blank"
- rel="nofollow">
- OpenSSL syntax</a> for including/excluding cipher suites.
- As of 2014-11-19, with standalone Tomcat 8 and Java 8, Forward Secrecy
- can be achieved by specifying only TLS protocols using
- the sslEnabledProtocols attribute (above) and excluding non-DH ciphers,
- and weak/broken ciphers. The
- <a href="https://www.ssllabs.com/ssltest/index.html" target="_blank"
- rel="nofollow">Qualys SSL/TLS test</a> is a useful tool for
- configuring these settings.</p>
-
<p>The <strong>tomcatAuthentication</strong> and
<strong>tomcatAuthorization</strong> attributes are used with the
AJP connectors to determine if Tomcat should handle all authentication and
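Review bot: Deleting the sslEnabledProtocols and ciphers paragraphs outright leaves this part of the how-to with no statement about protocol or cipher selection, and the rationale given in the commit log (the default is now secure) appears nowhere in the document itself. Suggest replacing the two paragraphs with a short sentence saying that the defaults are considered secure and that explicit values should only be set deliberately, since anyone who copied `sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"` from the old text into their configuration gets no hint that the recommendation was withdrawn. The pointer to the Qualys SSL/TLS test does not depend on the outdated defaults and could be kept as a way to verify the resulting configuration.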