Author: markt Date: Thu Mar 31 09:57:37 2016 New Revision: 1737212 URL: http://svn.apache.org/viewvc?rev=1737212&view=rev Log: Exclude weak DH keys for JSSE when running on Java 7. This improves the SSL Labs score for the default config to A-.
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java?rev=1737212&r1=1737211&r2=1737212&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/JIoEndpoint.java Thu Mar 31 09:57:37 2016
@@ -27,6 +27,7 @@ import java.util.concurrent.RejectedExec
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.jsse.JSSESocketFactory;
 
@@ -71,6 +72,11 @@ public class JIoEndpoint extends Abstrac
 // Reduce the executor timeout for BIO as threads in keep-alive will not
 // terminate when the executor interrupts them.
 setExecutorTerminationTimeoutMillis(0);
+ // If running on Java 7, the insecure DHE ciphers need to be excluded by
+ // default
+ if (!JreCompat.isJre8Available()) {
+ setCiphers(DEFAULT_CIPHERS + ":!DHE");
+ }
 }
 // ------------------------------------------------------------- Properties
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java?rev=1737212&r1=1737211&r2=1737212&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/Nio2Endpoint.java Thu Mar 31 09:57:37 2016
@@ -46,6 +46,7 @@ import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.collections.SynchronizedStack;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.SecureNio2Channel.ApplicationBufferHandler;
 import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
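Review bot: The guarded `setCiphers(DEFAULT_CIPHERS + ":!DHE")` added to the JIoEndpoint constructor here is repeated verbatim in the new Nio2Endpoint and NioEndpoint constructors later in this commit, so the Java 7 DHE exclusion lives in three places and any further JSSE-backed endpoint would have to remember it; `DEFAULT_CIPHERS` is referenced unqualified, so it presumably belongs to the shared base class (the `extends Abstrac…` in the hunk header), where deriving the default once from `JreCompat.isJre8Available()` would cover every subclass. The exclusion also leaves no trace at runtime; a debug-level message on the endpoint's logger next to the `setCiphers` call, e.g. `"Pre-Java 8 JRE detected, DHE cipher suites excluded from the default cipher list"`, would let an operator explain an absent DHE suite in a scan report without reading the source. If an explicit ciphers attribute in the connector configuration replaces this computed default entirely, as the setter name suggests, that is worth stating in the changelog entry so nobody assumes the exclusion is enforced on Java 7. The enclosing JIoEndpoint constructor begins before this hunk.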
@@ -120,9 +121,19 @@ public class Nio2Endpoint extends Abstra
 private SynchronizedStack<Nio2Channel> nioChannels;
- // ------------------------------------------------------------- Properties
+ // ------------------------------------------------------------ Constructor
+
+ public Nio2Endpoint() {
+ // If running on Java 7, the insecure DHE ciphers need to be excluded by
+ // default
+ if (!JreCompat.isJre8Available()) {
+ setCiphers(DEFAULT_CIPHERS + ":!DHE");
+ }
+ }
+ // ------------------------------------------------------------- Properties
+ /**
 * Use the object caches to reduce GC at the expense of additional memory use.
 */
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?rev=1737212&r1=1737211&r2=1737212&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java (original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java Thu Mar 31 09:57:37 2016
@@ -55,6 +55,7 @@ import org.apache.tomcat.util.ExceptionU
 import org.apache.tomcat.util.IntrospectionUtils;
 import org.apache.tomcat.util.collections.SynchronizedQueue;
 import org.apache.tomcat.util.collections.SynchronizedStack;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
 import org.apache.tomcat.util.net.SecureNioChannel.ApplicationBufferHandler;
 import org.apache.tomcat.util.net.jsse.NioX509KeyManager;
@@ -143,9 +144,19 @@ public class NioEndpoint extends Abstrac
 private SynchronizedStack<NioChannel> nioChannels;
- // ------------------------------------------------------------- Properties
+ // ------------------------------------------------------------ Constructor
+
+ public NioEndpoint() {
+ // If running on Java 7, the insecure DHE ciphers need to be excluded by
+ // default
+ if (!JreCompat.isJre8Available()) {
+ setCiphers(DEFAULT_CIPHERS + ":!DHE");
+ }
+ }
+ // ------------------------------------------------------------- Properties
+ /**
 * Generic properties, introspected
 */
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1737212&r1=1737211&r2=1737212&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 09:57:37 2016
@@ -71,6 +71,15 @@
 </fix>
 </changelog>
 </subsection>
+ <subsection name="Coyote">
+ <changelog>
+ <fix>
+ When running on Java 7, exclude DHE ciphers from the default cipher list
+ for JSSE connectors since they use weak 768 bit DH keys and cannot be
+ configured to use more secure keys. (markt)
+ </fix>
+ </changelog>
+ </subsection>
 <subsection name="Tribes">
 <changelog>
 <fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org