This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 4a7526db91f7d2f112f6b44f7c51082496ab8273
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Dec 12 10:25:22 2025 +0000

Will need to include TLS 1.3 ciphers in defaults with native changes
---
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 4 +++-
 webapps/docs/config/http.xml | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 67d1d2c09c..3cbd1a53d1 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -57,7 +57,9 @@ public class SSLHostConfig implements Serializable {
 // keys in Maps.
 protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
 protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
- public static final String DEFAULT_TLS_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+ private static final String DEFAULT_TLS_12_BELOW_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+ private static final String DEFAULT_TLS_13_ABOVE_CIPHERS = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+ public static final String DEFAULT_TLS_CIPHERS = DEFAULT_TLS_12_BELOW_CIPHERS + ":" + DEFAULT_TLS_13_ABOVE_CIPHERS;

 static {
 /*
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index ecd3c55b79..ea4e4dc0e7 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
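Review bot: The new `DEFAULT_TLS_CIPHERS` joins OpenSSL cipher-list syntax for TLS 1.2 and below with TLS 1.3 ciphersuite names using the same `:` separator, and neither the public constant nor the two private halves carry a comment saying that an implementation is expected to split the value by protocol version; since the commit message says the native side still needs changes, that contract should be written down at the point where the string is built. Suggest a Javadoc on the public constant, `/** Default ciphers: OpenSSL cipher-list syntax for TLS 1.2 and below, followed by the TLS 1.3 ciphersuite names. */`, and a one-line comment on each private half naming the syntax it uses. Because `DEFAULT_TLS_CIPHERS` is public, the changed value is visible to any code that compared a configured cipher string against the old default, which is presumably worth a changelog entry that this commit does not include. The enclosing class `SSLHostConfig` begins before and continues after the hunk.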
@@ -1368,8 +1368,8 @@
 avoided by providing an explicit list of ciphers that are supported by the configured SSL implementation.</p>
 <p>If not specified, a default (using the OpenSSL notation) of
- <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA</code> will be
- used.</p>
+ <code>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</code>
+ will be used.</p>
 <p>Note that, by default, the order in which ciphers are defined is treated as an order of preference. See <code>honorCipherOrder</code>.</p>
 </attribute>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
