On Thu, Mar 17, 2022 at 3:01 PM <r...@apache.org> wrote: > > This is an automated email from the ASF dual-hosted git repository. > > remm pushed a commit to branch 10.0.x > in repository https://gitbox.apache.org/repos/asf/tomcat.git > > > The following commit(s) were added to refs/heads/10.0.x by this push: > new 73bf00c Use a constant for the cipher suite > 73bf00c is described below > > commit 73bf00ca008b53dae8e95f75a8cdc0dd36c1fe2e > Author: remm <r...@apache.org> > AuthorDate: Thu Mar 17 14:56:44 2022 +0100 > > Use a constant for the cipher suite > > This will allow skipping setting it when it is known to be useless > (example: OpenSSL TLS 1.3, where it is best to leave the impl defaults).
Oops, cherry picking this and pushing gives: remote: Internal Server Error To github.com:apache/tomcat.git ! [remote rejected] 9.0.x -> 9.0.x (Internal Server Error) error: failed to push some refs to 'github.com:apache/tomcat.git' Sounds scary ... Rémy > --- > java/org/apache/tomcat/util/net/SSLHostConfig.java | 3 ++- > webapps/docs/changelog.xml | 9 +++++++++ > 2 files changed, 11 insertions(+), 1 deletion(-) > > diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java > b/java/org/apache/tomcat/util/net/SSLHostConfig.java > index 2c1c0c3..af60ecc 100644 > --- a/java/org/apache/tomcat/util/net/SSLHostConfig.java > +++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java > @@ -54,6 +54,7 @@ public class SSLHostConfig implements Serializable { > // keys in Maps. > protected static final String DEFAULT_SSL_HOST_NAME = "_default_"; > protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>(); > + public static final String DEFAULT_TLS_CIPHERS = > "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"; > > static { > /* Default used if protocols are not configured, also used if > @@ -95,7 +96,7 @@ public class SSLHostConfig implements Serializable { > private int certificateVerificationDepth = 10; > // Used to track if certificateVerificationDepth has been explicitly set > private boolean certificateVerificationDepthConfigured = false; > - private String ciphers = > "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"; > + private String ciphers = DEFAULT_TLS_CIPHERS; > private LinkedHashSet<Cipher> cipherList = null; > private List<String> jsseCipherNames = null; > private boolean honorCipherOrder = false; > diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml > index 34f2c8f..67f8bcb 100644 > --- a/webapps/docs/changelog.xml > +++ b/webapps/docs/changelog.xml 
> @@ -131,6 +131,15 @@ > </fix> > </changelog> > </subsection> > + <subsection name="Coyote"> > + <changelog> > + <fix> > + Use a constant for the default TLS cipher suite. This will allow > + skipping setting it in some cases (for example, it does not make > + sense for OpenSSL TLS 1.3). (remm) > + </fix> > + </changelog> > + </subsection> > <subsection name="Other"> > <changelog> > <fix> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > ---------------------------------------------------------------------
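Review bot: In the first SSLHostConfig.java hunk (@@ -54,6 +54,7), DEFAULT_TLS_CIPHERS is declared public while the neighbouring DEFAULT_SSL_HOST_NAME and SSL_PROTO_ALL_SET are protected, so the cipher string becomes part of the class's public API that other code may start to depend on; if it only needs to be visible to the OpenSSL and JSSE implementation classes, protected would match the existing style. A Javadoc comment on the constant would also help: it should state that the value is in OpenSSL cipher-list syntax and that its purpose is to let callers recognise when the default is still in effect. Any such later check has to be written as DEFAULT_TLS_CIPHERS.equals(ciphers) rather than an identity comparison, because a value copied from configuration that happens to match is a different String instance.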
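Review bot: In the second SSLHostConfig.java hunk (@@ -95,7 +96,7) the initializer `private String ciphers = DEFAULT_TLS_CIPHERS;` changes no behaviour, but ciphers is a mutable instance field, so the constant only records the initial value; the "skip setting it when useless" decision described in the commit message must be made where the cipher string is applied to the SSL context, after any setter has run, not at construction time.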
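Review bot: The changelog.xml hunk (@@ -131,6 +131,15) describes an intended future effect ("will allow skipping setting it") rather than anything this commit does; user-visible behaviour is unchanged, since the diff only replaces a literal with a constant. Consider rewording the entry to say that the default cipher string is now exposed as the constant SSLHostConfig.DEFAULT_TLS_CIPHERS, and leave the OpenSSL TLS 1.3 note for the changelog of the commit that actually implements the skip.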