markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new db0cb0aad6 Refactor default cipher lists
db0cb0aad6 is described below
commit db0cb0aad609f2b4720593291bd5c196c4f38d9e
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Dec 19 12:50:26 2025 +0000
Refactor default cipher lists
---
java/org/apache/tomcat/util/net/SSLHostConfig.java | 11 ++++++++---
java/org/apache/tomcat/util/net/SSLUtilBase.java | 2 +-
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 710f7d3409..1ab4233439 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -59,9 +59,14 @@ public class SSLHostConfig implements Serializable {
// keys in Maps.
protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
- protected static final String DEFAULT_TLS_12_BELOW_CIPHERS =
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
- protected static final String DEFAULT_TLS_13_ABOVE_CIPHERS =
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
- public static final String DEFAULT_TLS_CIPHERS =
DEFAULT_TLS_12_BELOW_CIPHERS + ":" + DEFAULT_TLS_13_ABOVE_CIPHERS;
+ public static final String DEFAULT_TLS_CIPHERS_12 =
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+ public static final String DEFAULT_TLS_CIPHERS_13 =
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ /**
+ * Default cipher list for TLS 1.2 and below.
+ * @deprecated Replaced by {@link #DEFAULT_TLS_CIPHERS_12}
+ */
+ @Deprecated
+ public static final String DEFAULT_TLS_CIPHERS = DEFAULT_TLS_CIPHERS_12;
static {
/*
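Review bot: The deprecated `DEFAULT_TLS_CIPHERS` keeps its name but changes value in this hunk: it used to be the TLS 1.2 list joined with the TLS 1.3 suites and is now only the TLS 1.2 list, and the new Javadoc does not mention that. Because it is a `public static final String` initialised from a constant expression, callers compiled against the earlier value keep the old combined string inlined until they are recompiled, so an external comparison against `getCiphers()` may silently stop matching. I would add a sentence to the Javadoc such as `The value no longer includes the TLS 1.3 cipher suites; see {@link #DEFAULT_TLS_CIPHERS_13}.` The two new constants are widened from `protected` to `public` without Javadoc. A one-line comment on `DEFAULT_TLS_CIPHERS_12` saying it is an OpenSSL-format cipher string that excludes anonymous, NULL, export, DES, RC4, MD5 and static-RSA key exchange suites, and one on `DEFAULT_TLS_CIPHERS_13` saying it is the TLS 1.3 suite list, would help anyone auditing the default TLS posture.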
diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java
b/java/org/apache/tomcat/util/net/SSLUtilBase.java
index a592b27532..ed85d4ab19 100644
--- a/java/org/apache/tomcat/util/net/SSLUtilBase.java
+++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java
@@ -128,7 +128,7 @@ public abstract class SSLUtilBase implements SSLUtil {
// OpenSSL profiles cannot be resolved without Java 22
this.enabledCiphers = new String[0];
} else {
- boolean warnOnSkip =
!sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS);
+ boolean warnOnSkip =
!sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS_12);
List<String> configuredCiphers =
sslHostConfig.getJsseCipherNames();
Set<String> implementedCiphers = getImplementedCiphers();
List<String> enabledCiphers =