Bug 493794 - Amend the default tomcat-server.xml configuration to meet the recommendation from OWASP
diff --git a/tomcat-server/src/main/dist/configuration/tomcat-server.xml b/tomcat-server/src/main/dist/configuration/tomcat-server.xml
index 6227660..8bb7fd8 100644
--- a/tomcat-server/src/main/dist/configuration/tomcat-server.xml
+++ b/tomcat-server/src/main/dist/configuration/tomcat-server.xml
@@ -15,7 +15,7 @@
   See the License for the specific language governing permissions and
   limitations under the License.
 -->
-<Server>
+<Server port="-1">
   <!--APR library loader. Documentation at /docs/apr.html -->
   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
   <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
@@ -24,18 +24,31 @@
   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
   <Listener className="org.eclipse.virgo.web.tomcat.support.ServerLifecycleLoggingListener"/>
+  <Listener className="org.apache.catalina.security.SecurityListener" />
 
   <Service name="Catalina">
-    <Connector address="127.0.0.1" port="8080" protocol="HTTP/1.1"
+    <Connector address="127.0.0.1" port="8080" 
+               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
                server="" connectionTimeout="20000" enableLookups="false" redirectPort="8443" />
 
-    <Connector address="0.0.0.0" port="8443" protocol="HTTP/1.1" 
-               server="" maxThreads="150"
+    <Connector address="0.0.0.0" port="8443"
+               protocol="org.apache.coyote.http11.Http11Nio2Protocol"
+               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
                SSLEnabled="true" scheme="https" secure="true" 
-               sslEnabledProtocols="TLSv1.2"
-               clientAuth="false" enableLookups="false"
-               keystoreFile="configuration/keystore"
-               keystorePass="changeit"/>
+               enableLookups="false" maxThreads="150" server="">
+
+      <SSLHostConfig hostName="_default_"
+                     protocols="TLSv1.2" sslProtocol="TLSv1.2"
+                     honorCipherOrder="true"
+                     ciphers="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:HIGH:MEDIUM:!RC4:!3DES:!CAMELLIA:!SEED:!aNULL:!MD5:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP"
+                     certificateVerification="none">
+        <Certificate type="RSA"
+                     certificateKeystoreFile="configuration/keystore"
+                     certificateKeystorePassword="changeit"
+                     certificateKeystoreType="JKS"/>
+      </SSLHostConfig>
+
+    </Connector>
 
     <!-- 
     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" enableLookups="false" />
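Review bot: The `ciphers` list on the new SSLHostConfig still admits non-forward-secret and CBC suites through the broad `HIGH:MEDIUM` and bare `ECDH:` aliases; `honorCipherOrder="true"` only prefers the EECDH entries, a client that offers nothing else can still negotiate plain RSA key exchange, which undercuts the OWASP intent the commit title states. Appending `:!kRSA` (or trimming the list to the explicit EECDH/EDH AESGCM groups) would close that, and the choice should be recorded in a comment above the element, e.g. `<!-- OpenSSL-syntax list; forward-secret AEAD suites first, legacy RSA key exchange excluded -->`. The same hunk keeps the well-known default `certificateKeystorePassword="changeit"` on the shipped keystore; since this file is a distributed default, a comment such as `<!-- replace configuration/keystore and this password before exposing port 8443 -->` would make the operator obligation explicit. Trailing whitespace on the `port="8080" ` line and the `secure="true" ` line is worth removing while the connector is being rewritten.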
@@ -53,7 +66,8 @@
         <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
         
         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="serviceability/logs/access"
-               prefix="localhost_access_log." suffix=".txt" pattern="common"/>
+               prefix="localhost_access" suffix=".log" 
+               pattern="%t %h %u %H %m %U %s %D %b"/>
 
         <Valve className="org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve"/>
       </Host>
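Review bot: The new custom `pattern="%t %h %u %H %m %U %s %D %b"` replaces the self-describing `common` format, so the field order is now only known to whoever reads the AccessLogValve documentation; a comment above the valve naming the columns would help anyone parsing `serviceability/logs/access`, e.g. `<!-- timestamp, client host, remote user, protocol, method, path, status, request time (ms), bytes sent -->`. The rename from `localhost_access_log.`/`.txt` to `localhost_access`/`.log` changes the file name operators and any log-collection config look for, which the commit message does not mention and which is worth a line in the description or the comment. There is also trailing whitespace on the `suffix=".log" ` line.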