Merge pull request #1022 from Boris-de/cipher_blacklist
disable all really weak cipher suites
This commit is contained in:
commit
1a5321e41f
|
@ -64,6 +64,15 @@ public final class Config {
|
||||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||||
};
|
};
|
||||||
|
|
||||||
|
public static final String WEAK_CIPHER_PATTERNS[] = {
|
||||||
|
"_NULL_",
|
||||||
|
"_EXPORT_",
|
||||||
|
"_anon_",
|
||||||
|
"_RC4_",
|
||||||
|
"_DES_",
|
||||||
|
"_MD5",
|
||||||
|
};
|
||||||
|
|
||||||
private Config() {
|
private Config() {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,6 +4,7 @@ import java.security.SecureRandom;
|
||||||
import java.text.Normalizer;
|
import java.text.Normalizer;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
|
import java.util.Iterator;
|
||||||
import java.util.LinkedHashSet;
|
import java.util.LinkedHashSet;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
@ -103,6 +104,21 @@ public final class CryptoHelper {
|
||||||
final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
|
final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
|
||||||
cipherSuites.retainAll(platformCiphers);
|
cipherSuites.retainAll(platformCiphers);
|
||||||
cipherSuites.addAll(platformCiphers);
|
cipherSuites.addAll(platformCiphers);
|
||||||
|
filterWeakCipherSuites(cipherSuites);
|
||||||
return cipherSuites.toArray(new String[cipherSuites.size()]);
|
return cipherSuites.toArray(new String[cipherSuites.size()]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static void filterWeakCipherSuites(final Collection<String> cipherSuites) {
|
||||||
|
final Iterator<String> it = cipherSuites.iterator();
|
||||||
|
while (it.hasNext()) {
|
||||||
|
String cipherName = it.next();
|
||||||
|
// remove all ciphers with no or very weak encryption or no authentication
|
||||||
|
for (String weakCipherPattern : Config.WEAK_CIPHER_PATTERNS) {
|
||||||
|
if (cipherName.contains(weakCipherPattern)) {
|
||||||
|
it.remove();
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue