Author: markt
Date: Thu Mar 31 08:54:13 2016
New Revision: 1737199

URL: http://svn.apache.org/viewvc?rev=1737199&view=rev
Log:
Enable strong DH keys by default

Modified:
    tomcat/tc8.5.x/trunk/   (props changed)
    tomcat/tc8.5.x/trunk/bin/catalina.bat
    tomcat/tc8.5.x/trunk/bin/catalina.sh
    tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Mar 31 08:54:13 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119

Modified: tomcat/tc8.5.x/trunk/bin/catalina.bat
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/bin/catalina.bat?rev=1737199&r1=1737198&r2=1737199&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/bin/catalina.bat (original)
+++ tomcat/tc8.5.x/trunk/bin/catalina.bat Thu Mar 31 08:54:13 2016
@@ -71,6 +71,10 @@ rem
 rem                   -agentlib:jdwp=transport=%JPDA_TRANSPORT%,
 rem                       
address=%JPDA_ADDRESS%,server=y,suspend=%JPDA_SUSPEND%
 rem
+rem   JSSE_OPTS       (Optional) Java runtime options used to control the TLS
+rem                   implementation when JSSE is used. Default is:
+rem                   "-Djdk.tls.ephemeralDHKeySize=2048"
+rem
 rem   LOGGING_CONFIG  (Optional) Override Tomcat's logging config file
 rem                   Example (all one line)
 rem                   set 
LOGGING_CONFIG="-Djava.util.logging.config.file=%CATALINA_BASE%\conf\logging.properties"
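Review bot: The new JSSE_OPTS description states the default but not that a user-supplied value replaces it rather than extends it, so anyone who sets JSSE_OPTS to add a second option silently loses the 2048-bit DH setting this commit introduces. A line after the default such as `rem                   Setting this variable replaces the default; repeat the DH option if adding others.` would make that explicit. The same wording gap is in the catalina.sh header hunk of this commit.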
@@ -182,6 +186,11 @@ goto juliClasspathDone
 set "CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar"
 :juliClasspathDone
 
+if not "%JSSE_OPTS%" == "" goto gotJsseOpts
+set JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
+:gotJsseOpts
+set "JAVA_OPTS=%JAVA_OPTS% %JSSE_OPTS%"
+
 if not "%LOGGING_CONFIG%" == "" goto noJuliConfig
 set LOGGING_CONFIG=-Dnop
 if not exist "%CATALINA_BASE%\conf\logging.properties" goto noJuliConfig
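Review bot: `set JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"` stores the double quotes as part of the value, which then travel into JAVA_OPTS on the next `set` line, while the adjacent lines (`set "CLASSPATH=..."`, `set "JAVA_OPTS=..."`) use the `set "VAR=value"` form that keeps quotes out of the value. The JVM strips the quotes from the argument so the option still takes effect, and the LOGGING_CONFIG example in the header uses the same quoted form, so this is a consistency point rather than a defect; `set "JSSE_OPTS=-Djdk.tls.ephemeralDHKeySize=2048"` would match the surrounding style.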

Modified: tomcat/tc8.5.x/trunk/bin/catalina.sh
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/bin/catalina.sh?rev=1737199&r1=1737198&r2=1737199&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/bin/catalina.sh (original)
+++ tomcat/tc8.5.x/trunk/bin/catalina.sh Thu Mar 31 08:54:13 2016
@@ -76,6 +76,10 @@
 #                   -agentlib:jdwp=transport=$JPDA_TRANSPORT,
 #                       address=$JPDA_ADDRESS,server=y,suspend=$JPDA_SUSPEND
 #
+#   JSSE_OPTS       (Optional) Java runtime options used to control the TLS
+#                   implementation when JSSE is used. Default is:
+#                   "-Djdk.tls.ephemeralDHKeySize=2048"
+#
 #   CATALINA_PID    (Optional) Path of the file which should contains the pid
 #                   of the catalina startup java process, when start (fork) is
 #                   used
@@ -224,6 +228,11 @@ if $cygwin; then
   CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
 fi
 
+if [ -z "$JSSE_OPTS" ] ; then
+  JSSE_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
+fi
+JAVA_OPTS="$JAVA_OPTS $JSSE_OPTS"
+
 # Set juli LogManager config file if it is present and an override has not 
been issued
 if [ -z "$LOGGING_CONFIG" ]; then
   if [ -r "$CATALINA_BASE"/conf/logging.properties ]; then
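Review bot: JSSE_OPTS is appended after JAVA_OPTS, so when both carry `-Djdk.tls.ephemeralDHKeySize` the JSSE_OPTS value comes later on the command line; if the JVM honours the last occurrence of a repeated -D (I believe HotSpot does), a value set via JAVA_OPTS is silently overridden by the 2048 default, which is the safe direction but may surprise an operator. A short comment would save the next reader the question, e.g. `# Appended after JAVA_OPTS so the default DH key size is not weakened by a conflicting -D there; change it via JSSE_OPTS.` The `-z` test also means an explicitly empty JSSE_OPTS re-enables the default, which matches the documented intent and is worth keeping.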

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1737199&r1=1737198&r2=1737199&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Thu Mar 31 08:54:13 2016
@@ -87,6 +87,12 @@
         longer necessary for this to be <code>true</code> for a reasonably
         secure configuration. (markt)
       </update>
+      <add>
+        Add a new environment variable <code>JSSE_OPTS</code> that is intended
+        to be used to pass JVM wide configuration to the JSSE implementation.
+        The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code>
+        which protects against weak Diffie-Hellman keys. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="WebSocket">


