This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new 1c74eaa125 Update default encryptionAlgorithm to "AES/GCM/NoPadding"
1c74eaa125 is described below

commit 1c74eaa1253b9ab620425fb5a20479717bfc5630
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jul 7 12:04:25 2026 +0100

    Update default encryptionAlgorithm to "AES/GCM/NoPadding"
---
 .../catalina/tribes/group/interceptors/EncryptInterceptor.java   | 5 ++---
 webapps/docs/changelog.xml                                       | 9 +++++++++
 webapps/docs/config/cluster-interceptor.xml                      | 5 ++---
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git 
a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java 
b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
index eabc8313da..d2f13de1f6 100644
--- a/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
+++ b/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
@@ -61,7 +61,7 @@ public class EncryptInterceptor extends 
ChannelInterceptorBase implements Encryp
      */
     protected static final StringManager sm = 
StringManager.getManager(EncryptInterceptor.class);
 
-    private static final String DEFAULT_ENCRYPTION_ALGORITHM = 
"AES/CBC/PKCS5Padding";
+    private static final String DEFAULT_ENCRYPTION_ALGORITHM = 
"AES/GCM/NoPadding";
 
     private String providerName;
     private String encryptionAlgorithm = DEFAULT_ENCRYPTION_ALGORITHM;
@@ -185,8 +185,7 @@ public class EncryptInterceptor extends 
ChannelInterceptorBase implements Encryp
      * Sets the encryption algorithm to be used for encrypting and decrypting 
channel messages. You must specify the
      * <code>algorithm/mode/padding</code>. Information on standard algorithm 
names may be found in the
      * <a 
href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html";>Java
-     * documentation</a>. Default is <code>AES/CBC/PKCS5Padding</code> for 
backwards compatibility but it is recommended
-     * that <code>AES/GCM/NoPadding</code> is used.
+     * documentation</a>. Default is <code>AES/GCM/NoPadding</code>.
      *
      * @param algorithm The algorithm to use.
      */
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index d00963b2f5..061073e30e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -124,6 +124,15 @@
       </update>
     </changelog>
   </subsection>
+  <subsection name="Cluster">
+    <changelog>
+      <add>
+        Change the default <code>encryptionAlgorithm</code> for the
+        <code>EncryptInterceptor</code> to <code>AES/GCM/NoPadding</code>. This
+        is a breaking change for the <code>EncryptInterceptor</code>. (markt)
+      </add>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 10.1.57 (schultz)" rtext="release in progress">
   <subsection name="Catalina">
diff --git a/webapps/docs/config/cluster-interceptor.xml 
b/webapps/docs/config/cluster-interceptor.xml
index 16695586c0..e5834d3958 100644
--- a/webapps/docs/config/cluster-interceptor.xml
+++ b/webapps/docs/config/cluster-interceptor.xml
@@ -260,9 +260,8 @@
        <p>The length of the key will specify the flavor of the encryption
        algorithm to be used, if applicable (e.g. AES-128 versus AES-256).</p>
 
-       <p>The default algorithm is <code>AES/CBC/PKCS5Padding</code> for
-       backwards compatability but it is recommended that
-       <code>AES/GCM/NoPadding</code> is used.</p>
+       <p>If not specified, the default algorithm is
+       <code>AES/GCM/NoPadding</code>.</p>
      </attribute>
      <attribute name="encryptionKey" required="true">
        <p>The key to be used with the encryption algorithm.</p>


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to