From 2736749e0eb88890b2770c2872db2cfb9a149660 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Wed, 30 Mar 2016 14:52:41 +0000
Subject: [PATCH] Chnage honorCipherOrder default to false.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1737117 13f79535-47bb-0310-9956-ffa450edef68
---
 conf/server.xml                                       | 1 -
 java/org/apache/coyote/http2/Http2UpgradeHandler.java | 2 --
 java/org/apache/tomcat/util/net/SSLHostConfig.java    | 2 +-
 webapps/docs/changelog.xml                            | 6 ++++++
 webapps/docs/config/http.xml                          | 2 +-
 5 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/conf/server.xml b/conf/server.xml
index 364e66b310fe..d1d3f728f77e 100644
--- a/conf/server.xml
+++ b/conf/server.xml
@@ -98,7 +98,6 @@
     <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
                maxThreads="150" SSLEnabled="true" >
         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
-        <SSLHostConfig honorCipherOrder="false" >
             <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                          certificateFile="conf/localhost-rsa-cert.pem"
                          certificateChainFile="conf/localhost-rsa-chain.pem"
diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
index c8f3834e171a..db457a9cc398 100644
--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
@@ -66,8 +66,6 @@
  * <br>
  * Note:
  * <ul>
- * <li>Tomcat needs to be configured with honorCipherOrder="false" otherwise
- *     Tomcat will prefer a cipher suite that is blacklisted by HTTP/2.</li>
  * <li>You will need to nest an &lt;UpgradeProtocol
  *     className="org.apache.coyote.http2.Http2Protocol" /&gt; element inside
  *     a TLS enabled Connector element in server.xml to enable HTTP/2 support.
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index 475284bc1e62..fea18ba3a84f 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -83,7 +83,7 @@ public class SSLHostConfig {
     private String ciphers = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
     private LinkedHashSet<Cipher> cipherList = null;
     private List<String> jsseCipherNames = null;
-    private boolean honorCipherOrder = true;
+    private boolean honorCipherOrder = false;
     private Set<String> protocols = new HashSet<>();
     // JSSE
     private String keyManagerAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 27e0ca7aca62..86a37c043482 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -93,6 +93,12 @@
       <fix>
         Align cipher configuration parsing with current OpenSSL master. (markt)
       </fix>
+      <update>
+        Change the default for <code>honorCipherOrder</code> to
+        <code>false</code>. With the current default TLS configuration, it is no
+        longer necessary for this to be <code>true</code> for a reasonably
+        secure configuration. (markt)
+      </update>
     </changelog>
   </subsection>
   <subsection name="WebSocket">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 6bcf76ca4dcd..d3001afad013 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1111,7 +1111,7 @@
     <attribute name="honorCipherOrder" required="false">
       <p>Set to <code>true</code> to enforce the server's cipher order
       (from the <code>ciphers</code> setting) instead of allowing
-      the client to choose the cipher. The default is <code>true</code>.</p>
+      the client to choose the cipher. The default is <code>false</code>.</p>
     </attribute>
 
     <attribute name="hostName" required="false">