This is an automated email from the ASF dual-hosted git repository. wujimin pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/servicecomb-docs.git
The following commit(s) were added to refs/heads/master by this push: new e32f04b remove weak TLS cipher suites from default config e32f04b is described below commit e32f04be738be66edc2dd119ca54c08bf460c49c Author: yaohaishi <yaohai...@huawei.com> AuthorDate: Sun May 5 17:57:25 2019 +0800 remove weak TLS cipher suites from default config --- java-chassis-reference/en_US/security/tls.md | 12 +++++------- java-chassis-reference/zh_CN/security/tls.md | 5 +---- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/java-chassis-reference/en_US/security/tls.md b/java-chassis-reference/en_US/security/tls.md index 22bfae6..adf91e8 100755 --- a/java-chassis-reference/en_US/security/tls.md +++ b/java-chassis-reference/en_US/security/tls.md 
@@ -54,15 +54,13 @@ Generally, there is no need to configure tags. The normal situation is divided i The certificate configuration items are shown in Table 1. Certificate Configuration Item Description Table. **Table 1 Certificate Configuration Item Description Table** -| Configuration Item | Default Value | Range of Value | Required | Meaning | +| Configuration Item | Default Value | Range of Value | Required | Meaning | Caution | | :--- | :--- | :--- | :--- | :--- | :--- | -Ssl.engine| jdk | - | No | ssl protocol, provide jdk/openssl options | default jdk | -| ssl.protocols | TLSv1.2 | - | No | Protocol List | Separated by Comma | -| ssl.ciphers | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH \_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | - | No| -List of laws | separated by commas | +| Ssl.engine| jdk | - | No | ssl protocol, provide jdk/openssl options | default jdk | +| ssl.protocols | TLSv1.2 | - | No | Protocol List | separated by comma | +| ssl.ciphers | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH \_AES\_128\_GCM\_SHA256 | - | No| List of laws | separated by comma | | ssl.authPeer | true | - | No | Whether to authenticate the peer | - | -ssl.checkCN.host | true | - | No | Check whether the CN of the certificate is checked. This configuration item is valid only on the Consumer side and is valid using the http protocol. That is, the Consusser side uses the rest channel. Invalid for Provider, highway, etc. The purpose of checking CN is to prevent the server from being phishing, refer to > -Standard definition: [https://tools.ietf.org/html/rfc2818. ](https://tools.ietf.org/html/rfc2818.) | +| ssl.checkCN.host | true | - | No | Check whether the CN of the certificate is checked. | This configuration item is valid only on the Consumer side and is valid using the http protocol. That is, the Consusser side uses the rest channel. 
Invalid for Provider, highway, etc. The purpose of checking CN is to prevent the server from being phishing, refer to Standard definition: [https://tools.ietf.org/html/rfc2818. ](https://tools.ietf.org/html/rfc2818.) | | ssl.trustStore | trust.jks | - | No | Trust certificate file | - | | ssl.trustStoreType | JKS | - | No | Trust Certificate Type | - | | ssl.trustStoreValue | - | - | No | Trust Certificate Password | - | diff --git a/java-chassis-reference/zh_CN/security/tls.md b/java-chassis-reference/zh_CN/security/tls.md index 0c4fa6d..892ea6a 100644 --- a/java-chassis-reference/zh_CN/security/tls.md +++ b/java-chassis-reference/zh_CN/security/tls.md @@ -58,7 +58,7 @@ ssl.[tag].[property] | :--- | :--- | :--- | :--- | :--- | :--- | | ssl.engine| jdk | - | 否 | ssl协议,提供jdk/openssl选择 | 默认为jdk | | ssl.protocols | TLSv1.2 | - | 否 | 协议列表 | 使用逗号分隔 | -| ssl.ciphers | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256,<br/>TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | - | 否 | 算法列表 | 使用逗号分隔 | +| ssl.ciphers | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384,<br/>TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 | - | 否 | 算法列表 | 使用逗号分隔 | | ssl.authPeer | true | - | 否 | 是否认证对端 | - | | ssl.checkCN.host | true | - | 否 | 是否对证书的CN进行检查 | 该配置项只对Consumer端,并且使用http协议有效,即Consumser端使用rest通道有效。对于Provider端、highway通道等无效。检查CN的目的是防止服务器被钓鱼,参考标准定义:[https://tools.ietf.org/html/rfc2818。](https://tools.ietf.org/html/rfc2818。) | | ssl.trustStore | trust.jks | - | 否 | 信任证书文件 | - | @@ -106,6 +106,3 @@ ssl.keyStoreValue: Changeme_123 ssl.crl: revoke.crl ssl.sslCustomClass: org.apache.servicecomb.demo.DemoSSLCustom ``` - - -
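Review bot: in the en_US hunk (@@ -54,15) the rewritten ssl.ciphers row still carries a space inside the second suite name, "TLS\_ECDHE\_RSA\_WITH \_AES\_128\_GCM\_SHA256"; anyone copying the documented default into ssl.ciphers ends up with an unrecognised suite name, and the zh_CN row in the same commit spells it without the space, so the two language versions now disagree on the default. Since the row is touched anyway, drop the space. In the same row "List of laws" is a mistranslation of the zh_CN "算法列表" and should read "List of cipher suites". The ssl.checkCN.host row is still broken across two lines, so the new Caution cell ("This configuration item is valid only on the Consumer side ...") will not render as part of the table; join it onto one line, change "Consusser" to "Consumer", and reword "Check whether the CN of the certificate is checked" to "Whether to check the CN of the certificate". The RFC reference keeps the trailing period inside the link target ("rfc2818."), which is not part of the URL.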
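Review bot: the zh_CN hunk (@@ -58,7) removes TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384 and TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256 from the documented default, which is the right call because static RSA key exchange gives no forward secrecy, but neither this hunk nor the en_US one says why; a short remark in the 说明 column (for example: 默认仅保留 ECDHE 前向安全套件) would tell users who customise ssl.ciphers what they give up by re-adding the TLS\_RSA suites. Please also confirm that the value shown here matches the default actually shipped by java-chassis, since this commit changes only the documentation. The ssl.checkCN.host link cell still has the Chinese full stop inside the URL ("rfc2818。"), same issue as the en_US file.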