Bug 493794 - Amend the default tomcat-server.xml configuration to meet the recommendation from OWASP
diff --git a/tomcat-server/src/main/dist/configuration/tomcat-server.xml b/tomcat-server/src/main/dist/configuration/tomcat-server.xml
index 6227660..8bb7fd8 100644
--- a/tomcat-server/src/main/dist/configuration/tomcat-server.xml
+++ b/tomcat-server/src/main/dist/configuration/tomcat-server.xml
@@ -15,7 +15,7 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<Server>
+<Server port="-1">
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
@@ -24,18 +24,31 @@
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<Listener className="org.eclipse.virgo.web.tomcat.support.ServerLifecycleLoggingListener"/>
+ <Listener className="org.apache.catalina.security.SecurityListener" />
<Service name="Catalina">
- <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"
+ <Connector address="127.0.0.1" port="8080"
+ protocol="org.apache.coyote.http11.Http11Nio2Protocol"
server="" connectionTimeout="20000" enableLookups="false" redirectPort="8443" />
- <Connector address="0.0.0.0" port="8443" protocol="HTTP/1.1"
- server="" maxThreads="150"
+ <Connector address="0.0.0.0" port="8443"
+ protocol="org.apache.coyote.http11.Http11Nio2Protocol"
+ sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
SSLEnabled="true" scheme="https" secure="true"
- sslEnabledProtocols="TLSv1.2"
- clientAuth="false" enableLookups="false"
- keystoreFile="configuration/keystore"
- keystorePass="changeit"/>
+ enableLookups="false" maxThreads="150" server="">
+
+ <SSLHostConfig hostName="_default_"
+ protocols="TLSv1.2" sslProtocol="TLSv1.2"
+ honorCipherOrder="true"
+ ciphers="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:HIGH:MEDIUM:!RC4:!3DES:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP"
+ certificateVerification="none">
+ <Certificate type="RSA"
+ certificateKeystoreFile="configuration/keystore"
+ certificateKeystorePassword="changeit"
+ certificateKeystoreType="JKS"/>
+ </SSLHostConfig>
+
+ </Connector>
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" enableLookups="false" />
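Review bot: The `ciphers` string on the new `SSLHostConfig` contains the bare `EECDH`, `EDH`, `ECDH`, `HIGH` and `MEDIUM` groups after the AEAD entries, which — if the JSSE implementation maps these OpenSSL-style names as OpenSSL does — keeps CBC-mode suites and static (non-ephemeral, non-forward-secret) ECDH key exchange negotiable; `honorCipherOrder="true"` makes them fallbacks only, but a client offering none of the AEAD suites still gets them. If that fallback is deliberate for older clients, state it in a comment above the `ciphers` attribute; otherwise drop `ECDH:HIGH:MEDIUM` and keep an explicit AEAD/ephemeral-only list. Separately, the `Certificate` element still ships the well-known default keystore password `changeit`, as the old `keystorePass` did; since Tomcat expands `${...}` system properties in server.xml, `certificateKeystorePassword="${<PLACEHOLDER: keystore password system property>}"` would keep the secret out of the distributed file. The commented-out AJP connector block at the end of the hunk continues outside it.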
@@ -53,7 +66,8 @@
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="serviceability/logs/access"
- prefix="localhost_access_log." suffix=".txt" pattern="common"/>
+ prefix="localhost_access" suffix=".log"
+ pattern="%t %h %u %H %m %U %s %D %b"/>
<Valve className="org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve"/>
</Host>