This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 5cfa876d73 Respect the configured cipher order
5cfa876d73 is described below
commit 5cfa876d73f1ff5f4dc8309c4320f684cbeff74e
Author: remm <[email protected]>
AuthorDate: Fri Feb 20 16:50:13 2026 +0100
Respect the configured cipher order
It was no longer respected following the addition of TLS 1.3 specific
cipher configuration.
TLS 1.3 ciphers will always be first in the list.
---
java/org/apache/tomcat/util/net/SSLHostConfig.java | 4 ++--
webapps/docs/changelog.xml | 5 +++++
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 7fb699d849..b0d11707fa 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -466,13 +466,13 @@ public class SSLHostConfig implements Serializable {
/**
* Obtain the list of JSSE cipher names for the current configuration.
Ciphers included in the configuration but not
- * supported by JSSE will be excluded from this list.
+ * supported by JSSE will be excluded from this list. TLS 1.3 ciphers will
be first in the list.
*
* @return A list of the JSSE cipher names
*/
public List<String> getJsseCipherNames() {
if (jsseCipherNames == null) {
- Set<Cipher> jsseCiphers = new HashSet<>();
+ Set<Cipher> jsseCiphers = new LinkedHashSet<>();
jsseCiphers.addAll(getCipherSuiteList());
jsseCiphers.addAll(getCipherList());
jsseCipherNames =
OpenSSLCipherConfigurationParser.convertForJSSE(jsseCiphers);
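Review bot: the ordering guarantee in getJsseCipherNames() now depends on two implicit facts at the addAll calls, and nothing in the change pins either down. The first is that getCipherSuiteList() is added before getCipherList(), and the second is that the set is insertion-ordered. The diffstat lists only SSLHostConfig.java and changelog.xml, so no test would fail if the set were switched back to HashSet or the two addAll calls were swapped. Suggest a short comment above `jsseCiphers.addAll(getCipherSuiteList());` saying that insertion order is significant, plus a unit test asserting that the returned names follow the configured order with the TLS 1.3 suites first. A LinkedHashSet keeps an element at the position of its first insertion, so a cipher present in both lists stays where the first list put it. It is also worth confirming that convertForJSSE preserves the iteration order of the set it receives, since that is not visible in this hunk. Finally, the 2 insertions and 2 deletions for this file are fully accounted for by the lines shown, so no import line changed. Please check that the HashSet import is still used elsewhere in the class.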
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c314d9a88e..c55a5adf3b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -148,6 +148,11 @@
property as the default value for the configured group list on the
Connector. (remm)
</fix>
+ <fix>
+ Respect the configured cipher order, which was no longer respected
+ following the addition of TLS 1.3 specific cipher configuration.
+ TLS 1.3 ciphers will always be first in the list. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
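Review bot: the new <fix> entry does not say which configuration path is affected. The code change is in getJsseCipherNames(), so the entry could state that it concerns the order of the cipher names handed to JSSE. That helps administrators who rely on a specific cipher preference order decide whether to recheck their connector configuration after upgrading.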