Author: remm
Date: Fri Jul 11 11:16:13 2014
New Revision: 1609689

URL: http://svn.apache.org/r1609689
Log:
Add a system property for cipher configuration. Add a "simple but safe" default 
cipher suite in catalina.properties. More complex cipher suites that have been 
proposed are either not as safe (weak ciphers present) or not very compatible 
according to my testing (OpenJDK has trouble, but the Oracle JVM fares better).

Modified:
    tomcat/trunk/conf/catalina.properties
    tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
    tomcat/trunk/webapps/docs/changelog.xml
    tomcat/trunk/webapps/docs/config/http.xml

Modified: tomcat/trunk/conf/catalina.properties
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.properties?rev=1609689&r1=1609688&r2=1609689&view=diff
==============================================================================
--- tomcat/trunk/conf/catalina.properties (original)
+++ tomcat/trunk/conf/catalina.properties Fri Jul 11 11:16:13 2014
@@ -126,6 +126,11 @@ xom-*.jar
 # scan types by configuring a JarScanner with a nested JarScanFilter.
 
tomcat.util.scan.StandardJarScanFilter.jarsToScan=log4j-core*.jar,log4j-taglib*.jar
 
+# Default SSL cipher suite
+# Other OpenSSL syntax cipher suites that can be used in Tomcat:
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+tomcat.ssl.ciphers=HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
+
 # String cache configuration.
 tomcat.util.buf.StringCache.byte.enabled=true
 #tomcat.util.buf.StringCache.char.enabled=true
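Review bot: The comment above the new `tomcat.ssl.ciphers` line says only "Default SSL cipher suite"; it should state the value's syntax and when it applies, since the ':'-separated form is OpenSSL syntax (per the http.xml text in this commit) and the property is consulted by both `AbstractEndpoint.ciphers` and `AprEndpoint.SSLCipherSuite` only when the connector attribute is not set. Suggested wording: `# Default SSL cipher list in OpenSSL syntax (':' separated). Used when a connector` / `# sets neither ciphers (JSSE) nor SSLCipherSuite (APR).` Also worth a comment: `!DES` excludes single DES only; with the OpenSSL versions current when this was written, 3DES suites remain in HIGH, so if they are not wanted the list needs an explicit `!3DES` (confirm against the OpenSSL version in use).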

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java?rev=1609689&r1=1609688&r2=1609689&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AbstractEndpoint.java Fri Jul 
11 11:16:13 2014
@@ -919,7 +919,7 @@ public abstract class AbstractEndpoint<S
     public String getSslProtocol() { return sslProtocol;}
     public void setSslProtocol(String s) { sslProtocol = s;}
 
-    private String ciphers = null;
+    private String ciphers = System.getProperty("tomcat.ssl.ciphers");
     public String getCiphers() { return ciphers;}
     public void setCiphers(String s) {
         ciphers = s;
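Review bot: The new initializer `private String ciphers = System.getProperty("tomcat.ssl.ciphers");` has no comment, so a reader cannot tell that an unset property leaves `ciphers` null and therefore falls back to the JVM's default cipher list (as the http.xml text in this commit describes). Suggested Javadoc on the field: `/** Cipher list; defaults to the tomcat.ssl.ciphers system property (null = JVM defaults). */`. Because this is an instance field initializer, the property is read each time an endpoint is constructed, so a value set after the first endpoint exists only affects later ones; that is probably fine but is worth stating in the comment. The `setCiphers` method continues outside the hunk.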
@@ -1005,7 +1005,7 @@ public abstract class AbstractEndpoint<S
     }
 
 
-    private String[] sslEnabledProtocolsarr =  new String[0];
+    private String[] sslEnabledProtocolsarr = new String[0];
     public String[] getSslEnabledProtocolsArray() {
         return this.sslEnabledProtocolsarr;
     }

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java?rev=1609689&r1=1609688&r2=1609689&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/AprEndpoint.java Fri Jul 11 
11:16:13 2014
@@ -218,7 +218,7 @@ public class AprEndpoint extends Abstrac
     /**
      * SSL cipher suite.
      */
-    protected String SSLCipherSuite = "ALL";
+    protected String SSLCipherSuite = System.getProperty("tomcat.ssl.ciphers", 
"ALL");
     public String getSSLCipherSuite() { return SSLCipherSuite; }
     public void setSSLCipherSuite(String SSLCipherSuite) { this.SSLCipherSuite 
= SSLCipherSuite; }
 
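Review bot: The Javadoc `SSL cipher suite.` is now incomplete: the field reads the `tomcat.ssl.ciphers` system property and falls back to `"ALL"`, which the http.xml text in this commit says enables many insecure ciphers and is intended for testing only. The Javadoc should name the property, state the `"ALL"` fallback and its security implication, and note that the fallback differs from the JSSE side (`AbstractEndpoint.ciphers`), which falls back to the JVM defaults rather than `"ALL"` when the property is absent; for example `* Defaults to the tomcat.ssl.ciphers system property, else "ALL" (includes weak ciphers).` Whether the null-vs-"ALL" asymmetry between the two endpoints is intended is worth confirming with the author.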

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1609689&r1=1609688&r2=1609689&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
(original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 
Fri Jul 11 11:16:13 2014
@@ -124,7 +124,7 @@ public class JSSESocketFactory implement
             // can be achieved via the standard API but there is no guarantee
             // that every JVM implementation determines the defaults the same
             // way. Therefore the defaults are determined by creating a server
-            // socket and requested the configured values.
+            // socket and requesting the configured values.
 
             SSLServerSocket socket = (SSLServerSocket) 
ssf.createServerSocket();
             ciphers = socket.getEnabledCipherSuites();

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1609689&r1=1609688&r2=1609689&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Jul 11 11:16:13 2014
@@ -65,6 +65,12 @@
         The complete fix is only available with a recent AJP forwarder like
         the forthcoming mod_jk 1.2.41. (rjung)
       </fix>
+      <fix>
+        Add new <code>tomcat.ssl.ciphers</code> system property to define
+        default ciphers, and add it in <code>conf/catalina.properties</code>
+        defined as <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5</code> so
+        that no weak ciphers are enabled by default. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1609689&r1=1609688&r2=1609689&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Fri Jul 11 11:16:13 2014
@@ -1078,15 +1078,20 @@
     </attribute>
 
     <attribute name="ciphers" required="false">
-      <p>The comma separated list of encryption ciphers to support for HTTPS
-      connections. If specified, only the ciphers that are listed and supported
-      by the SSL implementation will be used. By default, the default ciphers
-      for the JVM will be used. Note that this usually means that the weak
-      export grade ciphers will be included in the list of available ciphers.
+      <p>If specified and using ',' as a separator, only the ciphers that are
+      listed and supported by the SSL implementation will be used.
       The ciphers are specified using the JSSE cipher naming convention. The
       special value of <code>ALL</code> will enable all supported ciphers. This
       will include many that are not secure. <code>ALL</code> is intended for
       testing purposes only.</p>
+      <p>The list can also use ':' as a separator, in that case
+      it will use the OpenSSL syntax (see OpenSSL documentation for the list
+      of ciphers supported and the syntax).</p>
+      <p>The default cipher suite can be set using the
+      <code>tomcat.ssl.ciphers</code> system property.</p>
+      <p>If not specified, the default ciphers
+      for the JVM will be used. Note that this usually means that the weak
+      export grade ciphers will be included in the list of available 
ciphers.</p>
     </attribute>
 
     <attribute name="clientAuth" required="false">
@@ -1339,7 +1344,9 @@
     </attribute>
 
     <attribute name="SSLCipherSuite" required="false">
-      <p>Ciphers which may be used for communicating with clients. The default
+      <p>Ciphers which may be used for communicating with clients.
+      The default cipher suite can be set using the
+      <code>tomcat.ssl.ciphers</code> system property. The default
       is "ALL", with other acceptable values being a list of ciphers, with ":"
       used as the delimiter (see OpenSSL documentation for the list of ciphers
       supported).</p>


