Mark, On 8/10/15 11:20 AM, [email protected] wrote: > Author: markt > Date: Mon Aug 10 15:20:34 2015 > New Revision: 1695111 > > URL: http://svn.apache.org/r1695111 > Log: > Fix DEFAULT > > Modified: > > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java > > Modified: > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java > URL: > http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1695111&r1=1695110&r2=1695111&view=diff > ============================================================================== > --- > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java > (original) > +++ > tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java > Mon Aug 10 15:20:34 2015 > @@ -485,13 +485,12 @@ public class OpenSSLCipherConfigurationP > addListAlias(SRP, filterByKeyExchange(allCiphers, > Collections.singleton(KeyExchange.SRP))); > initialized = true; > // Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2 > - addListAlias(DEFAULT, parse("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2")); > + addListAlias(DEFAULT, parse("ALL:!eNULL:!aNULL:!SSLv2"));
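Review bot: the replaced line drops `!EXPORT` from the DEFAULT alias, so whether DEFAULT still excludes export-grade suites now depends entirely on what `ALL` expands to in this parser, and the log message "Fix DEFAULT" gives no reason for the removal. Unless `ALL` is known to exclude export suites here, keep the explicit exclusion from the removed line `addListAlias(DEFAULT, parse("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2"));`, and extend the comment above it ("Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2") to record the reasoning, since that comment now documents only the SSLv2 exclusion.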
Do I misunderstand the above? Have you added EXPORT ciphers back into the DEFAULT ciphers? That really should not be the default. Recent versions of OpenSSL don't include EXPORT in the "ALL" (I think) unless specifically requested, but older versions still include them, so we ought to be very careful and explicitly exclude them. -chris
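To make the concern above concrete, here is an added example (not Tomcat's parser and not code from the thread) that evaluates the two DEFAULT strings from the diff over a constructed, simplified cipher table; it models the older OpenSSL behaviour in which `ALL` still contains export-grade suites, and supports only the tokens those two strings use.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Cipher:
    name: str
    auth: str        # "RSA" or "NULL" (anonymous key exchange)
    enc: str         # bulk cipher; "NULL" means no encryption
    protocol: str    # first protocol version that offered the suite
    export: bool     # 40/56-bit export-grade suite

# Constructed sample table: a few suites of each kind, not OpenSSL's real list.
CIPHERS = [
    Cipher("AES256-SHA", "RSA", "AES256", "SSLv3", False),
    Cipher("DHE-RSA-AES128-SHA", "RSA", "AES128", "SSLv3", False),
    Cipher("EXP-RC4-MD5", "RSA", "RC4-40", "SSLv3", True),
    Cipher("EXP-DES-CBC-SHA", "RSA", "DES40", "SSLv3", True),
    Cipher("ADH-AES128-SHA", "NULL", "AES128", "SSLv3", False),
    Cipher("NULL-SHA", "RSA", "NULL", "SSLv3", False),
    Cipher("DES-CBC3-MD5", "RSA", "3DES", "SSLv2", False),
]

# Group aliases as predicates. ALL is everything except eNULL and, in this
# older-OpenSSL model, deliberately still includes the EXPORT suites.
ALIASES = {
    "ALL":    lambda c: c.enc != "NULL",
    "EXPORT": lambda c: c.export,
    "eNULL":  lambda c: c.enc == "NULL",
    "aNULL":  lambda c: c.auth == "NULL",
    "SSLv2":  lambda c: c.protocol == "SSLv2",
}

def resolve(spec: str) -> list[str]:
    """Evaluate a colon-separated cipher string left to right; "!X" removes X."""
    selected: list[Cipher] = []
    for token in spec.split(":"):
        if token.startswith("!"):
            pred = ALIASES[token[1:]]
            selected = [c for c in selected if not pred(c)]
        else:
            pred = ALIASES[token]
            selected += [c for c in CIPHERS if pred(c) and c not in selected]
    return [c.name for c in selected]

def export_suites(spec: str) -> list[str]:
    """Audit helper: the export-grade suites a cipher string still admits."""
    return [n for n in resolve(spec) if n.startswith("EXP-")]
```

With this model, `export_suites("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2")` (the removed line) is empty, while `export_suites("ALL:!eNULL:!aNULL:!SSLv2")` (the added line) still lists both EXP- suites, which is exactly the regression being asked about.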