This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new d96c834d4a Refactor default cipher lists
d96c834d4a is described below

commit d96c834d4a80d79fd6d136bf4c6aab4fcd43d94f
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Dec 19 12:50:26 2025 +0000

    Refactor default cipher lists
---
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 11 ++++++++---
 java/org/apache/tomcat/util/net/SSLUtilBase.java   |  2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java 
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 2bafe94984..ad85978dde 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -57,9 +57,14 @@ public class SSLHostConfig implements Serializable {
     // keys in Maps.
     protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
     protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
-    protected static final String DEFAULT_TLS_12_BELOW_CIPHERS = 
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
-    protected static final String DEFAULT_TLS_13_ABOVE_CIPHERS = 
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
-    public static final String DEFAULT_TLS_CIPHERS = 
DEFAULT_TLS_12_BELOW_CIPHERS + ":" + DEFAULT_TLS_13_ABOVE_CIPHERS;
+    public static final String DEFAULT_TLS_CIPHERS_12 = 
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+    public static final String DEFAULT_TLS_CIPHERS_13 = 
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+    /**
+     * Default cipher list for TLS 1.2 and below.
+     * @deprecated Replaced by {@link #DEFAULT_TLS_CIPHERS_12}
+     */
+    @Deprecated
+    public static final String DEFAULT_TLS_CIPHERS = DEFAULT_TLS_CIPHERS_12;
 
     static {
         /*
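Review bot: The deprecated `DEFAULT_TLS_CIPHERS` keeps its name but changes value: it was the TLS 1.2 list plus `":"` plus the TLS 1.3 suites, and is now only `DEFAULT_TLS_CIPHERS_12`. Because it is a `public static final String` compile-time constant, callers built against the earlier release keep the old inlined string, while recompiled callers silently lose the TLS 1.3 suites from whatever they build with it. The Javadoc should record this, e.g. `Prior to this change the value also contained the TLS 1.3 cipher suites; use {@link #DEFAULT_TLS_CIPHERS_12} and {@link #DEFAULT_TLS_CIPHERS_13}.` The two newly public constants have no Javadoc, so a one-line comment on each should state which protocol versions the list applies to. The class body continues outside the hunk.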
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java 
b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index e24d581fef..0325324f70 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -129,7 +129,7 @@ public abstract class SSLUtilBase implements SSLUtil {
             // OpenSSL profiles cannot be resolved without Java 22
             this.enabledCiphers = new String[0];
         } else {
-            boolean warnOnSkip = 
!sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS);
+            boolean warnOnSkip = 
!sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS_12);
             List<String> configuredCiphers = 
sslHostConfig.getJsseCipherNames();
             Set<String> implementedCiphers = getImplementedCiphers();
             List<String> enabledCiphers =
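Review bot: `warnOnSkip` now depends on an exact string match against `DEFAULT_TLS_CIPHERS_12` alone, and this diff does not show what `getCiphers()` returns when nothing is configured. If that default still carries the TLS 1.3 suites, the comparison is never equal and the skip warning would presumably fire for an unmodified configuration, so this is worth confirming against `SSLHostConfig`. A comment above the line would record the intent, for example `// Only warn about skipped ciphers when the TLS 1.2 cipher list is not the built-in default`. The enclosing method starts and ends outside the hunk.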

