This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 6db238562e Respect the configured cipher order
6db238562e is described below

commit 6db238562ec36ab1106db4d04843f8b33e7a0c06
Author: remm <[email protected]>
AuthorDate: Fri Feb 20 16:50:13 2026 +0100

    Respect the configured cipher order
    
    It was no longer respected following the addition of TLS 1.3 specific
    cipher configuration.
    TLS 1.3 ciphers will always be first in the list.
---
 java/org/apache/tomcat/util/net/SSLHostConfig.java | 4 ++--
 webapps/docs/changelog.xml                         | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java 
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 8a39a6ecb8..6ccf4f6ff1 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -521,13 +521,13 @@ public class SSLHostConfig implements Serializable {
 
     /**
      * Obtain the list of JSSE cipher names for the current configuration. 
Ciphers included in the configuration but not
-     * supported by JSSE will be excluded from this list.
+     * supported by JSSE will be excluded from this list. TLS 1.3 ciphers will 
be first in the list.
      *
      * @return A list of the JSSE cipher names
      */
     public List<String> getJsseCipherNames() {
         if (jsseCipherNames == null) {
-            Set<Cipher> jsseCiphers = new HashSet<>();
+            Set<Cipher> jsseCiphers = new LinkedHashSet<>();
             jsseCiphers.addAll(getCipherSuiteList());
             jsseCiphers.addAll(getCipherList());
             jsseCipherNames = 
OpenSSLCipherConfigurationParser.convertForJSSE(jsseCiphers);
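Review bot: The updated Javadoc on getJsseCipherNames() states that TLS 1.3 ciphers come first but not that the remaining names follow the configured order, which is the guarantee the switch to LinkedHashSet is meant to restore. Consider documenting both, for example "TLS 1.3 ciphers will be first in the list, followed by the other ciphers in their configured order." That guarantee also depends on the order of the two addAll calls and on convertForJSSE iterating the set in insertion order, so a one-line comment at the addAll lines and a unit test asserting the returned order would keep it from regressing silently, as it did with HashSet. The diffstat lists only the two changed lines shown here for SSLHostConfig.java, so please confirm that LinkedHashSet is already imported and that the HashSet import is still needed.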
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8d239dcfff..b70507bc07 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -152,6 +152,11 @@
         property as the default value for the configured group list on the
         Connector. (remm)
       </fix>
+      <fix>
+        Respect the configured cipher order, which was no longer respected
+        following the addition of TLS 1.3 specific cipher configuration.
+        TLS 1.3 ciphers will always be first in the list. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
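Review bot: The new fix entry does not say which cipher list is affected, although the code change is confined to getJsseCipherNames(), so it would help operators to name the JSSE cipher list explicitly. It would also be worth saying that the order was effectively arbitrary while the set was unordered, since anyone relying on the configured order to express a server-side preference will want to recheck which ciphers are negotiated after upgrading.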

