Author: markt
Date: Thu Mar 31 11:08:11 2016
New Revision: 1737224
URL: http://svn.apache.org/viewvc?rev=1737224&view=rev
Log:
Default ciphers +="!kRSA"
SSL Labs now reports an A grade for the default TLS config for JSSE and
APR/native with Java 7 and 8.
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
Modified:
tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1737224&r1=1737223&r2=1737224&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
(original)
+++ tomcat/tc8.0.x/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
Thu Mar 31 11:08:11 2016
@@ -53,7 +53,7 @@ public abstract class AbstractEndpoint<S
// -------------------------------------------------------------- Constants
- protected static final String DEFAULT_CIPHERS =
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5";
+ protected static final String DEFAULT_CIPHERS =
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
protected static final StringManager sm =
StringManager.getManager("org.apache.tomcat.util.net.res");
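Review bot: the new DEFAULT_CIPHERS constant carries no comment explaining why "!kRSA" is excluded; the reason given in the changelog entry of this commit (static RSA key exchange provides no forward secrecy) belongs next to the constant so the next person editing this string does not drop it. Also note that this hunk unconditionally sets the default, while the http.xml change in this commit states that "!DHE" is additionally applied on Java 7 for JSSE based connectors; that adjustment is not visible here, so please confirm it is applied wherever DEFAULT_CIPHERS is consumed for JSSE, otherwise the documented and actual defaults diverge. Finally, since "!kRSA" removes every static RSA key exchange suite, a client that supports neither ECDHE nor DHE will no longer be able to negotiate with the default configuration; that compatibility impact is worth a sentence in the changelog alongside the forward secrecy rationale.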
Modified: tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml?rev=1737224&r1=1737223&r2=1737224&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/changelog.xml Thu Mar 31 11:08:11 2016
@@ -84,6 +84,10 @@
The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code>
which protects against weak Diffie-Hellman keys with Java 8. (markt)
</add>
+ <update>
+ Exclude ciphers that use RSA keys from the default cipher list since
+ they do not support forward secrecy. (markt)
+ </update>
</changelog>
</subsection>
<subsection name="Tribes">
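Review bot: the wording "ciphers that use RSA keys" in the new update entry is imprecise and could be read as excluding all RSA based suites. The filter added is "!kRSA", which removes suites using RSA key exchange only; ECDHE-RSA and DHE-RSA suites, which authenticate with an RSA certificate but exchange keys ephemerally, remain in the default. Suggest "Exclude ciphers that use RSA key exchange (kRSA) from the default cipher list since they do not provide forward secrecy." The entry could also mention the Java 7 JSSE behaviour described in the http.xml change of this commit (the additional "!DHE"), since that is a user visible change to the default as well.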
Modified: tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml?rev=1737224&r1=1737223&r2=1737224&view=diff
==============================================================================
--- tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc8.0.x/trunk/webapps/docs/config/http.xml Thu Mar 31 11:08:11 2016
@@ -1121,7 +1121,9 @@
of ciphers supported and the syntax). The behaviour of this filtering is
kept aligned with the behaviour of the OpenSSL 1.0.2 stable branch.</p>
<p>If not specified, a default (using the OpenSSL notation) of
- <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5</code> will be used.</p>
+ <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA</code> will be used
+ when running on Java 8 or later. On Java 7, <code>!DHE</code> will be
+ added to this default when using a JSSE based connector.</p>
<p>Note that Java does not treat the order in which ciphers are defined
as
an order of preference. See <code>useServerCipherSuitesOrder</code>.</p>
</attribute>
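Review bot: the new sentence "will be used when running on Java 8 or later" leaves the Java 7 default ambiguous for APR/native connectors. The following sentence only covers JSSE based connectors on Java 7, so a reader cannot tell whether APR/native on Java 7 gets the full default listed or something else; the commit log says the A grade applies to both JSSE and APR/native on Java 7 and 8, so the text should state explicitly that the listed default applies to APR/native on any Java version and that the "!DHE" addition is specific to JSSE on Java 7. A short reason for the Java 7 JSSE exception would also help administrators decide whether to override it, and the two new "!" filters should probably be tied back to the forward secrecy rationale recorded in the changelog so the documentation and changelog agree.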