Author: remm
Date: Thu Nov 23 14:28:53 2017
New Revision: 1816157

URL: http://svn.apache.org/viewvc?rev=1816157&view=rev
Log:
61803: Remove outdated security considerations on SSL options. They changed, and the default is now secure, so it should be ok to drop them.
Modified: tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/security-howto.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1816157&r1=1816156&r2=1816157&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Thu Nov 23 14:28:53 2017 @@ -285,6 +285,10 @@ the Publisher when Tomcat is displayed in the list of installed applications in Microsoft Windows. (kkolinko) </update> + <fix> + <bug>61803</bug>: Remove outdated SSL information from the Security + documentation. (remm) + </fix> </changelog> </subsection> </section> Modified: tomcat/trunk/webapps/docs/security-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1816157&r1=1816156&r2=1816157&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/security-howto.xml (original) +++ tomcat/trunk/webapps/docs/security-howto.xml Thu Nov 23 14:28:53 2017 
@@ -301,28 +301,6 @@ proxy uses AJP then the SSL attributes of the client connection are passed via the AJP protocol and separate connectors are not needed.</p> - <p>The <strong>sslEnabledProtocols</strong> attribute determines which - versions of the SSL/TLS protocol are used. Since the POODLE attack in - 2014, all SSL protocols are considered unsafe and a secure setting for - this attribute in a standalone Tomcat setup might be - <code>sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"</code></p> - - <p>The <strong>ciphers</strong> attribute controls the ciphers used for - SSL connections. By default, the default ciphers for the JVM will be used. - This usually means that the weak export grade ciphers will be included in - the list of available ciphers. Secure environments will normally want to - configure a more limited set of ciphers. This attribute accepts the - <a href="https://www.openssl.org/docs/apps/ciphers.html" target="_blank" - rel="nofollow"> - OpenSSL syntax</a> for including/excluding cipher suites. - As of 2014-11-19, with standalone Tomcat 8 and Java 8, Forward Secrecy - can be achieved by specifying only TLS protocols using - the sslEnabledProtocols attribute (above) and excluding non-DH ciphers, - and weak/broken ciphers. The - <a href="https://www.ssllabs.com/ssltest/index.html" target="_blank" - rel="nofollow">Qualys SSL/TLS test</a> is a useful tool for - configuring these settings.</p> - <p>The <strong>tomcatAuthentication</strong> and <strong>tomcatAuthorization</strong> attributes are used with the AJP connectors to determine if Tomcat should handle all authentication and
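Review bot: the changelog.xml hunk's entry ("Remove outdated SSL information from the Security documentation") does not say which guidance was dropped, so a reader who remembers the `sslEnabledProtocols`/`ciphers` advice in the Security How-To cannot tell from the changelog that this is the entry that removed it or where current guidance lives. Suggest naming the removed content and the replacement reference, for example: `Remove the outdated <code>sslEnabledProtocols</code> and <code>ciphers</code> guidance from the Security How-To; see the SSL/TLS configuration documentation for current settings.`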
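Review bot: the security-howto.xml hunk deletes both paragraphs wholesale, which removes more than the dated material; the sentence recommending the Qualys SSL/TLS test as a way to verify a deployment is not outdated, and after this change the Connector section no longer mentions that protocol versions and cipher suites are configurable at all. Only the 2014-specific statements (the POODLE sentence, the "As of 2014-11-19" claim that JVM defaults include export-grade ciphers, and the Forward Secrecy recipe) are what the log message calls outdated. Suggest replacing the removed text with a short paragraph stating that the defaults are now secure (the fact the log relies on is otherwise recorded nowhere on the page a hardening reader would consult), pointing to the SSL/TLS configuration documentation for the protocol and cipher attributes, and keeping the recommendation to verify the deployed configuration with an external TLS scanner such as the Qualys test.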