Author: markt Date: Wed Mar 30 14:52:41 2016 New Revision: 1737117 URL: http://svn.apache.org/viewvc?rev=1737117&view=rev Log: Change honorCipherOrder default to false.
Modified:
tomcat/trunk/conf/server.xml
tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/conf/server.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/server.xml?rev=1737117&r1=1737116&r2=1737117&view=diff
==============================================================================
--- tomcat/trunk/conf/server.xml (original)
+++ tomcat/trunk/conf/server.xml Wed Mar 30 14:52:41 2016
@@ -98,7 +98,6 @@
 <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" >
 <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
- <SSLHostConfig honorCipherOrder="false" >
 <Certificate certificateKeyFile="conf/localhost-rsa-key.pem" certificateFile="conf/localhost-rsa-cert.pem" certificateChainFile="conf/localhost-rsa-chain.pem"
Modified: tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java?rev=1737117&r1=1737116&r2=1737117&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java Wed Mar 30 14:52:41 2016
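Review bot: The hunk header `@@ -98,7 +98,6 @@` and the single removed line `<SSLHostConfig honorCipherOrder="false" >` show no replacement element, so as rendered here the `<Certificate>` element would no longer be enclosed by an `<SSLHostConfig>`; if the mail rendering dropped an added `<SSLHostConfig>` line this is moot, otherwise the sample connector still needs one. This block was also the only place the sample configuration recorded the cipher-order decision, and operators copy it verbatim; a short comment such as `<!-- honorCipherOrder now defaults to false; the default ciphers list is restrictive enough that the client's preference is acceptable -->` would keep that reasoning visible next to the connector. The enclosing `<Connector>` element continues outside the hunk.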
@@ -66,8 +66,6 @@ import org.apache.tomcat.util.res.String
 * <br>
 * Note:
 * <ul>
- * <li>Tomcat needs to be configured with honorCipherOrder="false" otherwise
- * Tomcat will prefer a cipher suite that is blacklisted by HTTP/2.</li>
 * <li>You will need to nest an <UpgradeProtocol
 * className="org.apache.coyote.http2.Http2Protocol" /> element inside
 * a TLS enabled Connector element in server.xml to enable HTTP/2 support.
Modified: tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java?rev=1737117&r1=1737116&r2=1737117&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/SSLHostConfig.java Wed Mar 30 14:52:41 2016
@@ -83,7 +83,7 @@ public class SSLHostConfig {
 private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
 private LinkedHashSet<Cipher> cipherList = null;
 private List<String> jsseCipherNames = null;
- private boolean honorCipherOrder = true;
+ private boolean honorCipherOrder = false;
 private Set<String> protocols = new HashSet<>();
 // JSSE
 private String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1737117&r1=1737116&r2=1737117&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 30 14:52:41 2016
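Review bot: The flipped default on `honorCipherOrder` is only acceptable because the `ciphers` default three lines above already excludes the weak suites, and that coupling is recorded nowhere in the class; a comment on the field, `// Default false: the default ciphers list is already restricted, so letting the client choose is acceptable. Revisit if ciphers is relaxed.`, would make the dependency explicit. An operator who relaxes `ciphers` now gets client-chosen suites unless they also set the attribute, and the changelog entry added in this commit does not say so. The Javadoc caveat removed from Http2UpgradeHandler.java in the hunk above still applies whenever honorCipherOrder is explicitly set to true with a cipher list containing suites HTTP/2 blacklists, so it would be better rewritten as a conditional note than deleted. The SSLHostConfig class declaration starts and its field list continues outside the hunk.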
@@ -93,6 +93,12 @@
 <fix>
 Align cipher configuration parsing with current OpenSSL master. (markt)
 </fix>
+ <update>
+ Change the default for <code>honorCipherOrder</code> to
+ <code>false</code>. With the current default TLS configuration, it is no
+ longer necessary for this to be <code>true</code> for a reasonably
+ secure configuration. (markt)
+ </update>
 </changelog>
 </subsection>
 <subsection name="WebSocket">
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1737117&r1=1737116&r2=1737117&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Wed Mar 30 14:52:41 2016
@@ -1111,7 +1111,7 @@
 <attribute name="honorCipherOrder" required="false">
 <p>Set to <code>true</code> to enforce the server's cipher order (from the <code>ciphers</code> setting) instead of allowing
- the client to choose the cipher. The default is <code>true</code>.</p>
+ the client to choose the cipher. The default is <code>false</code>.</p>
 </attribute>
 <attribute name="hostName" required="false">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org