On Thu, Mar 17, 2022 at 3:01 PM <r...@apache.org> wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> remm pushed a commit to branch 10.0.x
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/10.0.x by this push:
>      new 73bf00c  Use a constant for the cipher suite
> 73bf00c is described below
>
> commit 73bf00ca008b53dae8e95f75a8cdc0dd36c1fe2e
> Author: remm <r...@apache.org>
> AuthorDate: Thu Mar 17 14:56:44 2022 +0100
>
>     Use a constant for the cipher suite
>
>     This will allow skipping setting it when it is known to be useless
>     (example: OpenSSL TLS 1.3, where it is best to leave the impl defaults).

Oops, cherry picking this and pushing gives:
remote: Internal Server Error
To github.com:apache/tomcat.git
 ! [remote rejected]       9.0.x -> 9.0.x (Internal Server Error)
error: failed to push some refs to 'github.com:apache/tomcat.git'

Sounds scary ...

Rémy

> ---
>  java/org/apache/tomcat/util/net/SSLHostConfig.java | 3 ++-
>  webapps/docs/changelog.xml                         | 9 +++++++++
>  2 files changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java 
> b/java/org/apache/tomcat/util/net/SSLHostConfig.java
> index 2c1c0c3..af60ecc 100644
> --- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
> +++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
> @@ -54,6 +54,7 @@ public class SSLHostConfig implements Serializable {
>      // keys in Maps.
>      protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
>      protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
> +    public static final String DEFAULT_TLS_CIPHERS = 
> "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
>
>      static {
>          /* Default used if protocols are not configured, also used if
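Review bot: `DEFAULT_TLS_CIPHERS` is introduced as `public` while the neighbouring `DEFAULT_SSL_HOST_NAME` and `SSL_PROTO_ALL_SET` constants are `protected`, and it carries no Javadoc. A public constant becomes part of the class's API, so either add a comment stating that the value is an OpenSSL-syntax cipher list (`HIGH:!aNULL:...`) used when no `ciphers` attribute is configured, or narrow the visibility to `protected` if only the `org.apache.tomcat.util.net` package needs it.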
> @@ -95,7 +96,7 @@ public class SSLHostConfig implements Serializable {
>      private int certificateVerificationDepth = 10;
>      // Used to track if certificateVerificationDepth has been explicitly set
>      private boolean certificateVerificationDepthConfigured = false;
> -    private String ciphers = 
> "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
> +    private String ciphers = DEFAULT_TLS_CIPHERS;
>      private LinkedHashSet<Cipher> cipherList = null;
>      private List<String> jsseCipherNames = null;
>      private boolean honorCipherOrder = false;
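Review bot: the replacement value is character-for-character the literal it removes, so this hunk changes no behaviour; the skip described in the commit message (not applying the list when it is still the default, for example with OpenSSL TLS 1.3) is not implemented in this patch. When that follow-up lands, compare with `DEFAULT_TLS_CIPHERS.equals(ciphers)` rather than `==`: `ciphers` is a mutable field, and a configured value that happens to match the default text arrives as a different `String` instance.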
> diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
> index 34f2c8f..67f8bcb 100644
> --- a/webapps/docs/changelog.xml
> +++ b/webapps/docs/changelog.xml
> @@ -131,6 +131,15 @@
>        </fix>
>      </changelog>
>    </subsection>
> +  <subsection name="Coyote">
> +    <changelog>
> +      <fix>
> +        Use a constant for the default TLS cipher suite. This will allow
> +        skipping setting it in some cases (for example, it does not make
> +        sense for OpenSSL TLS 1.3). (remm)
> +      </fix>
> +    </changelog>
> +  </subsection>
>    <subsection name="Other">
>      <changelog>
>        <fix>
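Review bot: this entry is filed as `<fix>`, but the change adds a constant and corrects no user-visible defect; the changelog's `<scode>` element for code-only changes fits better. The text also describes a future effect ("This will allow skipping setting it in some cases") rather than what this commit does; consider wording it as the refactoring it is and putting the OpenSSL TLS 1.3 skip in the entry of the commit that implements it.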
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
