Author: markt
Date: Thu Mar 31 15:52:41 2016
New Revision: 1737253

URL: http://svn.apache.org/viewvc?rev=1737253&view=rev
Log:
Better default ciphers for APR/OpenSSL

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1737253&r1=1737252&r2=1737253&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Thu Mar 31 15:52:41 2016 @@ -243,7 +243,7 @@ public class AprEndpoint extends Abstrac /** * SSL cipher suite. */ - protected String SSLCipherSuite = "ALL"; + protected String SSLCipherSuite = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"; public String getSSLCipherSuite() { return SSLCipherSuite; } public void setSSLCipherSuite(String SSLCipherSuite) { this.SSLCipherSuite = SSLCipherSuite; } Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1737253&r1=1737252&r2=1737253&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 15:52:41 2016 
@@ -164,8 +164,8 @@ (markt) </fix> <fix> - Limit the default TLS ciphers to those currently considered secure. - (markt) + Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL (APR) to + those currently considered secure. (markt) </fix> <add> Add a new environment variable <code>JSSE_OPTS</code> that is intended Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml?rev=1737253&r1=1737252&r2=1737253&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/config/http.xml Thu Mar 31 15:52:41 2016 @@ -1259,9 +1259,8 @@ <attribute name="SSLCipherSuite" required="false"> <p>Ciphers which may be used for communicating with clients. The default - is "ALL", with other acceptable values being a list of ciphers, with ":" - used as the delimiter (see OpenSSL documentation for the list of ciphers - supported).</p> + is "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA". See the OpenSSL + documentation for details of the cipher configuration options.</p> </attribute> <attribute name="SSLDisableCompression" required="false"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
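
Review bot: In AprEndpoint.java, the new SSLCipherSuite default is an unexplained inline literal, and the same string is repeated verbatim in the http.xml attribute text, so code and documentation can drift on the next change. Consider moving it to a named constant with a comment saying why each exclusion is there. In particular, "!kRSA" removes every RSA key-exchange suite, so a client that offers nothing else will no longer complete a handshake against a connector left on the default. The changelog entry says only "those currently considered secure" and would benefit from stating that the previous default was "ALL" and that older clients may be affected.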
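
Review bot: In http.xml, the rewritten SSLCipherSuite paragraph drops the statement that the value is a list of ciphers with ":" used as the delimiter, leaving only a pointer to the OpenSSL documentation. An operator overriding the default now has no syntax hint on the page itself. Suggest keeping one sentence on the format (a ":"-separated list, with "!" marking an exclusion as in the default shown) next to the new default value.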