Index: java/org/apache/tomcat/util/net/AbstractEndpoint.java
===================================================================
--- java/org/apache/tomcat/util/net/AbstractEndpoint.java (revision 1655482)
+++ java/org/apache/tomcat/util/net/AbstractEndpoint.java (working copy)
@@ -31,6 +31,8 @@
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
import org.apache.juli.logging.Log;
import org.apache.tomcat.util.IntrospectionUtils;
@@ -956,6 +958,10 @@
*/
public abstract String[] getCiphersUsed();
+ private String useServerCipherSuitesOrder = "false";
+ public String getUseServerCipherSuitesOrder() { return useServerCipherSuitesOrder;}
+ public void setUseServerCipherSuitesOrder(String s) { this.useServerCipherSuitesOrder = s;}
+
private String keyAlias = null;
public String getKeyAlias() { return keyAlias;}
public void setKeyAlias(String s ) { keyAlias = s;}
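Review bot: `setUseServerCipherSuitesOrder` stores its argument unchecked, `null` included, while the reader this patch adds calls `.trim()` on `getUseServerCipherSuitesOrder()`, so a null set programmatically (the attribute path presumably always hands over a string) surfaces as a NullPointerException at SSLEngine creation instead of at configuration time. Normalizing once in the setter closes that and makes the per-engine trim unnecessary: `this.useServerCipherSuitesOrder = (s == null) ? "false" : s.trim();`. The three new lines carry no Javadoc; a one-liner on the getter such as `Whether the server's cipher suite order is enforced in the TLS handshake ("true"/"yes"); any other value leaves the client's preference in charge (default "false").` would make the default and the accepted spellings visible next to the field. The enclosing class begins outside this hunk.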
@@ -1057,7 +1063,23 @@
protected final Set> waitingRequests = Collections
.newSetFromMap(new ConcurrentHashMap, Boolean>());
+ /**
+ * Configures SSL engine to honor cipher suites order.
+ */
+ protected void configureUseServerCipherSuitesOrder(SSLEngine engine) {
+ String useServerCipherSuitesOrderStr = this
+ .getUseServerCipherSuitesOrder().trim();
+
+ SSLParameters sslParameters = engine.getSSLParameters();
+ boolean useServerCipherSuitesOrder =
+ ("true".equalsIgnoreCase(useServerCipherSuitesOrderStr)
+ || "yes".equalsIgnoreCase(useServerCipherSuitesOrderStr));
+
+ sslParameters.setUseCipherSuitesOrder(useServerCipherSuitesOrder);
+ engine.setSSLParameters(sslParameters);
+ }
+
/**
* The async timeout thread.
*/
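Review bot: `SSLParameters.setUseCipherSuitesOrder`, called on the `sslParameters.setUseCipherSuitesOrder(useServerCipherSuitesOrder)` line, is a Java 8 API (`@since 1.8`); if this branch still builds against or runs on Java 7, the method will not compile there, or fails with `NoSuchMethodError` at engine creation when built with a newer JDK, so it needs a version guard or a reflective compatibility shim rather than a direct call. The Javadoc should also say what the value means, because parsing is permissive and a typo silently leaves client preference in force: `Enables server-preferred cipher suite ordering when the configured value is "true" or "yes" (case-insensitive, after trimming); any other value keeps the JSSE default, where the client's preference wins.` Note too that the `getSSLParameters()`/`setSSLParameters()` round-trip runs even when the flag is false and re-applies everything in the snapshot (enabled suites, protocols, client-auth mode), so callers must invoke this after their other engine configuration; that constraint is worth a sentence in the same Javadoc.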
Index: java/org/apache/tomcat/util/net/Nio2Endpoint.java
===================================================================
--- java/org/apache/tomcat/util/net/Nio2Endpoint.java (revision 1655482)
+++ java/org/apache/tomcat/util/net/Nio2Endpoint.java (working copy)
@@ -530,6 +530,8 @@
engine.setEnabledCipherSuites(enabledCiphers);
engine.setEnabledProtocols(enabledProtocols);
+ configureUseServerCipherSuitesOrder(engine);
+
handler.onCreateSSLEngine(engine);
return engine;
}
Index: java/org/apache/tomcat/util/net/NioEndpoint.java
===================================================================
--- java/org/apache/tomcat/util/net/NioEndpoint.java (revision 1655482)
+++ java/org/apache/tomcat/util/net/NioEndpoint.java (working copy)
@@ -560,6 +560,8 @@
engine.setEnabledCipherSuites(enabledCiphers);
engine.setEnabledProtocols(enabledProtocols);
+ configureUseServerCipherSuitesOrder(engine);
+
handler.onCreateSSLEngine(engine);
return engine;
}
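Review bot: Only the NIO and NIO2 `createSSLEngine` methods gain the `configureUseServerCipherSuitesOrder(engine)` call, yet the documentation hunk describes `useServerCipherSuitesOrder` as a general HTTPS connector attribute; assuming the patch is complete, a BIO or APR connector configured with it will accept the attribute and silently keep letting the client choose the cipher, which is the opposite of what an operator hardening the connector expects. Either the remaining JSSE socket path gets the same treatment, or the docs should state that the attribute is honored by the NIO/NIO2 connectors only. A short comment above the call, `// Applies the useServerCipherSuitesOrder attribute; runs after the enabled suites/protocols are set because it snapshots and re-applies the engine's SSLParameters.`, would also explain why the call sits where it does. The start of `createSSLEngine` lies outside this hunk.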
Index: webapps/docs/config/http.xml
===================================================================
--- webapps/docs/config/http.xml (revision 1655482)
+++ webapps/docs/config/http.xml (working copy)
@@ -1032,6 +1032,13 @@
+
+ Set to true
to enforce the server's cipher order
+ (from the ciphers
setting) instead of allowing
+ the client to choose the cipher (which is the default).
+
+
+
If specified and using ',' as a separator, only the ciphers that are
listed and supported by the SSL implementation will be used.