Author: markt
Date: Thu Mar 31 11:08:11 2016
New Revision: 1737224
URL: http://svn.apache.org/viewvc?rev=1737224&view=rev
Log: Default ciphers +="!kRSA" SSL Labs now reports an A grade for the default TLS config for JSSE and APR/native with Java 7 and 8.
Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml Modified: tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1737224&r1=1737223&r2=1737224&view=diff ============================================================================== --- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java (original) +++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Thu Mar 31 11:08:11 2016 @@ -53,7 +53,7 @@ public abstract class AbstractEndpoint<S // -------------------------------------------------------------- Constants - protected static final String DEFAULT_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"; + protected static final String DEFAULT_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"; protected static final StringManager sm = StringManager.getManager("org.apache.tomcat.util.net.res"); Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1737224&r1=1737223&r2=1737224&view=diff ============================================================================== --- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 11:08:11 2016 
@@ -84,6 +84,10 @@ The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code> which protects against weak Diffie-Hellman keys with Java 8. (markt) </add> + <update> + Exclude ciphers that use RSA keys from the default cipher list since + they do not support forward secrecy. (markt) + </update> </changelog> </subsection> <subsection name="Tribes"> Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml?rev=1737224&r1=1737223&r2=1737224&view=diff ============================================================================== --- tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml Thu Mar 31 11:08:11 2016 @@ -1121,7 +1121,9 @@ of ciphers supported and the syntax). The behaviour of this filtering is kept aligned with the behaviour of the OpenSSL 1.0.2 stable branch.</p> <p>If not specified, a default (using the OpenSSL notation) of - <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5</code> will be used.</p> + <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA</code> will be used + when running on Java 8 or later. On Java 7, <code>!DHE</code> will be + added to this default when using a JSSE based connector.</p> <p>Note that Java does not treat the order in which ciphers are defined as an order of preference. See <code>useServerCipherSuitesOrder</code>.</p> </attribute> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
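Review bot: In the AbstractEndpoint.java hunk, DEFAULT_CIPHERS is a single compile-time constant, yet the http.xml hunk in this same commit documents a Java-version-dependent default (`!DHE` appended on Java 7 for JSSE connectors); that adjustment is not visible here, so either confirm it is applied elsewhere or add a comment beside the constant pointing to where the per-version suffix is added, otherwise a reader of this line will assume the documented Java 7 behaviour is missing. A short comment that `!kRSA` removes static RSA key exchange only (ECDHE-RSA and DHE-RSA suites with RSA certificates remain selectable) would also help, since `kRSA` is easily confused with `aRSA`.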
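Review bot: The changelog wording in the changelog.xml hunk, "Exclude ciphers that use RSA keys from the default cipher list", overstates the change: `!kRSA` excludes suites that use RSA for key exchange, not every suite that uses an RSA key, and servers with RSA certificates still negotiate ECDHE-RSA and DHE-RSA suites under the new default. Suggest "Exclude ciphers that use RSA key exchange from the default cipher list since they do not support forward secrecy." so administrators with RSA certificates do not read this as a breaking change.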
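Review bot: The new sentence in the http.xml hunk, "On Java 7, `!DHE` will be added to this default when using a JSSE based connector.", states the behaviour but not the reason, and an administrator reading it cannot tell whether to expect the same on APR/native or why DHE is dropped. The changelog context in this commit already notes that `-Djdk.tls.ephemeralDHKeySize=2048` only protects against weak Diffie-Hellman keys on Java 8, so a clause such as "because Java 7 JSSE cannot be configured to use DH parameters of a safe size" would make the default self-explanatory and make clear that, with both `!kRSA` and `!DHE` excluded, Java 7 JSSE connectors will rely on ECDHE suites only.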