Merge pull request #1022 from Boris-de/cipher_blacklist

disable all really weak cipher suites
Daniel Gultsch 2015-03-08 11:28:39 +01:00
commit 1a5321e41f
2 changed files with 25 additions and 0 deletions


@ -64,6 +64,15 @@ public final class Config {
"TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
}; };
public static final String WEAK_CIPHER_PATTERNS[] = {
"_NULL_",
"_EXPORT_",
"_anon_",
"_RC4_",
"_DES_",
"_MD5",
};
private Config() { private Config() {
} }
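Review bot: `WEAK_CIPHER_PATTERNS` is a public array, so although the reference is final, any class can overwrite an entry and silently weaken the filter. An unmodifiable list such as `public static final List<String> WEAK_CIPHER_PATTERNS = Collections.unmodifiableList(Arrays.asList(...));` would prevent that, though it needs imports that are not visible in this hunk. The entries are used as case-sensitive substrings, and `_DES_` does not occur in names like `SSL_RSA_WITH_3DES_EDE_CBC_SHA`, so triple-DES suites stay enabled. A comment above the array, for example `// case-sensitive substrings of JSSE suite names; 3DES is not matched by "_DES_"`, would record whether that is intended.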


@ -4,6 +4,7 @@ import java.security.SecureRandom;
import java.text.Normalizer; import java.text.Normalizer;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collection; import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashSet; import java.util.LinkedHashSet;
import java.util.List; import java.util.List;
@ -103,6 +104,21 @@ public final class CryptoHelper {
final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites); final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
cipherSuites.retainAll(platformCiphers); cipherSuites.retainAll(platformCiphers);
cipherSuites.addAll(platformCiphers); cipherSuites.addAll(platformCiphers);
filterWeakCipherSuites(cipherSuites);
return cipherSuites.toArray(new String[cipherSuites.size()]); return cipherSuites.toArray(new String[cipherSuites.size()]);
} }
private static void filterWeakCipherSuites(final Collection<String> cipherSuites) {
final Iterator<String> it = cipherSuites.iterator();
while (it.hasNext()) {
String cipherName = it.next();
// remove all ciphers with no or very weak encryption or no authentication
for (String weakCipherPattern : Config.WEAK_CIPHER_PATTERNS) {
if (cipherName.contains(weakCipherPattern)) {
it.remove();
break;
}
}
}
}
} }
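Review bot: Nothing after the `filterWeakCipherSuites(cipherSuites)` call checks whether any suite is left, so if every platform suite matches a pattern the method returns an empty array. What the caller does with an empty array is not visible here; a log line or an explicit failure at this point would make the cause obvious. The filter is a deny-list applied after `addAll(platformCiphers)`, so any platform suite whose name contains none of the six substrings stays enabled, and the match is case-sensitive. A Javadoc on the new method would state this, for example `/** Removes in place every suite whose name contains a Config.WEAK_CIPHER_PATTERNS entry (case-sensitive substring). */`, and the existing inline comment reads better above the loop. The enclosing method starts outside the hunk.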