DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=35765>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35765

Summary: make the SSL cipher config in web.xml fail safe, i.e. 128+ bit strength by default
Product: Tomcat 5
Version: Nightly Build
Platform: Other
URL: http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Connector:Coyote
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]

When just taking the samples, even null ciphers are accepted!

How about

1) defining a default cipher suite equivalent to the "MEDIUM:HIGH" of openssl (http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS) that is also used by the apache httpd (http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite)

2) changing org.apache.tomcat.util.net.jsse.JSSESocketFactory.getEnabledCiphers so that, for the case that requestedCiphers == null, it does not simply do an enabledCiphers = supportedCiphers; but uses this fail-safe default cipher suite (based upon the above-referenced JSSERefGuide.html)?

As a quick fix, I suggest adding a well-visible warning to ssl-howto.xml
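The following is an added illustration, not Tomcat's code and not part of the bug report above. It sketches what the reporter's second suggestion would look like: a getEnabledCiphers-shaped method that, when no cipher list is configured (requestedCiphers == null), falls back to a filtered default instead of enabling every suite the JSSE provider supports. The class name FailSafeCiphers, the WEAK pattern (my approximation of OpenSSL's "MEDIUM:HIGH": it drops NULL, anonymous, export-grade, 40-bit and single-DES suites) and the sample suite list in main are all assumptions made for the example; the suite names follow the standard JSSE naming in the referenced JSSERefGuide appendix.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative fail-safe cipher selection (example code, not Tomcat's own).
 * Mirrors the shape of getEnabledCiphers(requestedCiphers, supportedCiphers):
 * an unconfigured cipher list yields a filtered default rather than the
 * provider's full list, so null and export ciphers are never enabled by accident.
 */
public class FailSafeCiphers {

    // Assumed approximation of OpenSSL "MEDIUM:HIGH" for JSSE standard names:
    // no encryption (NULL), anonymous key exchange (no server authentication),
    // export-grade keys, 40-bit keys and single DES are all excluded.
    private static final Pattern WEAK = Pattern.compile(
        "_NULL_|_anon_|_EXPORT|_WITH_DES_|_40_");

    /** Default set: every supported suite that the WEAK rule does not reject. */
    public static String[] defaultCiphers(String[] supported) {
        List<String> out = new ArrayList<String>();
        for (String s : supported) {
            if (!WEAK.matcher(s).find()) {
                out.add(s);
            }
        }
        if (out.isEmpty()) {
            // Fail safe: refuse to start on a provider that offers only weak
            // suites instead of silently enabling whatever is available.
            throw new IllegalStateException(
                "no cipher suite of MEDIUM/HIGH strength is supported by the provider");
        }
        return out.toArray(new String[out.size()]);
    }

    /**
     * requestedCiphers == null means "not configured". The behaviour the bug
     * report objects to is enabledCiphers = supportedCiphers; here the
     * fail-safe default is used instead. An explicit comma-separated list is
     * honoured, intersected with what the provider actually supports.
     */
    public static String[] getEnabledCiphers(String requestedCiphers, String[] supported) {
        if (requestedCiphers == null) {
            return defaultCiphers(supported);
        }
        List<String> sup = Arrays.asList(supported);
        List<String> out = new ArrayList<String>();
        for (String c : requestedCiphers.split(",")) {
            String name = c.trim();
            if (sup.contains(name)) {
                out.add(name);
            }
        }
        return out.toArray(new String[out.size()]);
    }

    public static void main(String[] args) {
        // Constructed sample of what a JSSE provider of that era might report;
        // in real code this comes from SSLServerSocketFactory.getSupportedCipherSuites().
        String[] supported = {
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_WITH_NULL_MD5",
            "SSL_RSA_WITH_NULL_SHA",
            "SSL_DH_anon_WITH_RC4_128_MD5",
            "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"
        };
        String[] enabled = getEnabledCiphers(null, supported);
        System.out.println("Unconfigured: " + supported.length + " supported, "
            + enabled.length + " enabled by the fail-safe default:");
        for (String s : enabled) {
            System.out.println("  " + s);
        }
        // Applying the result to a listening socket would be
        // ((javax.net.ssl.SSLServerSocket) socket).setEnabledCipherSuites(enabled);
    }
}
```

With the constructed list, the unconfigured case enables only the four RC4-128, AES-128 and 3DES suites with RSA authentication; the six NULL, anonymous, export and single-DES suites that the original fallback would have enabled are dropped, and an all-weak provider fails loudly at startup instead of serving unencrypted sessions.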