Author: markt
Date: Wed Mar 30 14:56:10 2016
New Revision: 1737119
URL: http://svn.apache.org/viewvc?rev=1737119&view=rev
Log:
Enable strong DH keys by default
Modified:
tomcat/trunk/bin/catalina.bat
tomcat/trunk/bin/catalina.sh
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/bin/catalina.bat
URL:
http://svn.apache.org/viewvc/tomcat/trunk/bin/catalina.bat?rev=1737119&r1=1737118&r2=1737119&view=diff
==============================================================================
--- tomcat/trunk/bin/catalina.bat (original)
+++ tomcat/trunk/bin/catalina.bat Wed Mar 30 14:56:10 2016
@@ -71,6 +71,10 @@ rem
rem -agentlib:jdwp=transport=%JPDA_TRANSPORT%,
rem
address=%JPDA_ADDRESS%,server=y,suspend=%JPDA_SUSPEND%
rem
+rem JSSE_OPTS (Optional) Java runtime options used to control the TLS
+rem implementation when JSSE is used. Default is:
+rem "-Djdk.tls.ephemeralDHKeySize=2048"
+rem
rem LOGGING_CONFIG (Optional) Override Tomcat's logging config file
rem Example (all one line)
rem set
LOGGING_CONFIG="-Djava.util.logging.config.file=%CATALINA_BASE%\conf\logging.properties"
@@ -182,6 +186,11 @@ goto juliClasspathDone
set "CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar"
:juliClasspathDone
+if not "%JSSE_OPTS%" == "" goto gotJsseOpts
+set JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
+:gotJsseOpts
+set "JAVA_OPTS=%JAVA_OPTS% %JSSE_OPTS%"
+
if not "%LOGGING_CONFIG%" == "" goto noJuliConfig
set LOGGING_CONFIG=-Dnop
if not exist "%CATALINA_BASE%\conf\logging.properties" goto noJuliConfig
Modified: tomcat/trunk/bin/catalina.sh
URL:
http://svn.apache.org/viewvc/tomcat/trunk/bin/catalina.sh?rev=1737119&r1=1737118&r2=1737119&view=diff
==============================================================================
--- tomcat/trunk/bin/catalina.sh (original)
+++ tomcat/trunk/bin/catalina.sh Wed Mar 30 14:56:10 2016
@@ -76,6 +76,10 @@
# -agentlib:jdwp=transport=$JPDA_TRANSPORT,
# address=$JPDA_ADDRESS,server=y,suspend=$JPDA_SUSPEND
#
+# JSSE_OPTS (Optional) Java runtime options used to control the TLS
+# implementation when JSSE is used. Default is:
+# "-Djdk.tls.ephemeralDHKeySize=2048"
+#
# CATALINA_PID (Optional) Path of the file which should contains the pid
# of the catalina startup java process, when start (fork) is
# used
@@ -224,6 +228,11 @@ if $cygwin; then
CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
fi
+if [ -z "$JSSE_OPTS" ] ; then
+ JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
+fi
+JAVA_OPTS="$JAVA_OPTS $JSSE_OPTS"
+
# Set juli LogManager config file if it is present and an override has not
been issued
if [ -z "$LOGGING_CONFIG" ]; then
if [ -r "$CATALINA_BASE"/conf/logging.properties ]; then
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1737119&r1=1737118&r2=1737119&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Mar 30 14:56:10 2016
@@ -99,6 +99,12 @@
longer necessary for this to be <code>true</code> for a reasonably
secure configuration. (markt)
</update>
+ <add>
+ Add a new environment variable <code>JSSE_OPTS</code> that is intended
+ to be used to pass JVM wide configuration to the JSSE implementation.
+ The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code>
+ which protects against weak Diffie-Hellman keys. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="WebSocket">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
