Posted to commits@cxf.apache.org by bu...@apache.org on 2018/10/03 15:57:53 UTC

svn commit: r1036085 - in /websites/production/cxf/content: cache/docs.pageCache docs/tls-configuration.html

Author: buildbot
Date: Wed Oct  3 15:57:52 2018
New Revision: 1036085

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/tls-configuration.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/tls-configuration.html
==============================================================================
--- websites/production/cxf/content/docs/tls-configuration.html (original)
+++ websites/production/cxf/content/docs/tls-configuration.html Wed Oct  3 15:57:52 2018
@@ -117,13 +117,15 @@ Apache CXF -- TLS Configuration
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1538560651783 {padding: 0px;}
-div.rbtoc1538560651783 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1538560651783 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1538582233163 {padding: 0px;}
+div.rbtoc1538582233163 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1538582233163 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1538560651783">
+/*]]>*/</style></p><div class="toc-macro rbtoc1538582233163">
 <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-TLSParameterscommontobothClientsandServers">TLS Parameters common to both Clients and Servers</a>
-<ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-KeyManagers">Key Managers</a></li><li><a shape="rect" href="#TLSConfiguration-TrustManagers">Trust Managers</a></li><li><a shape="rect" href="#TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</a></li><li><a shape="rect" href="#TLSConfiguration-CertConstraints">Cert Constraints</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-KeyManagers">Key Managers</a></li><li><a shape="rect" href="#TLSConfiguration-TrustManagers">Trust Managers</a></li><li><a shape="rect" href="#TLSConfiguration-TLSCipherSuites">TLS CipherSuites</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-CipherSuites">CipherSuites</a></li><li><a shape="rect" href="#TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</a></li></ul>
+</li><li><a shape="rect" href="#TLSConfiguration-CertConstraints">Cert Constraints</a></li></ul>
 </li><li><a shape="rect" href="#TLSConfiguration-ClientTLSParameters">Client TLS Parameters</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#TLSConfiguration-DisableCNCheck">Disable CN Check</a></li></ul>
 </li><li><a shape="rect" href="#TLSConfiguration-ServerTLSParameters">Server TLS Parameters</a>
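Review bot: the rbtoc class renames in the style block and on the toc-macro div (rbtoc1538560651783 to rbtoc1538582233163) appear to be regenerated ids with no content change, and they make up most of this hunk; emitting a stable class name from the export would reduce the diff to the real TOC edit. The "CipherSuites Filter" entry keeps its #TLSConfiguration-CipherSuitesFilter href while moving under the new "TLS CipherSuites" item, so inbound links to that section should still resolve.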
@@ -147,13 +149,19 @@ div.rbtoc1538560651783 li {margin-left:
         ...
     &lt;/httpj:tlsServerParameters&gt;
 </pre>
-</div></div><h2 id="TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</h2><p>The CipherSuites Filter is used to either include or exclude particular CipherSuites. If no exclusion filter is specified, the default is to exclude all "NULL" and "anon" filters. CXF 3.0.3 onwards excludes all "DES" filters as well, and 3.0.4 onwards additionally excludes all "EXPORT" filters.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CipherSuites Filter sample</b></div><div class="codeContent panelContent pdl">
+</div></div><h2 id="TLSConfiguration-TLSCipherSuites">TLS CipherSuites</h2><p>When CXF selects the CipherSuites to use in a TLS Connection, it selects them in the following order:</p><ol><li>If we have defined explicit "cipherSuite" configuration (see below)</li><li>If we have defined ciphersuites via the system property "https.cipherSuites".</li><li>The default JVM CipherSuites, if no filters&#160;(see below) have been defined</li><li>Filter the supported cipher suites (*not* the default JVM CipherSuites)</li></ol><h3 id="TLSConfiguration-CipherSuites">CipherSuites</h3><p>We can select explicit CipherSuites to use in configuration, for example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CipherSuites sample</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default">    &lt;httpj:tlsServerParameters&gt;
+        ...
+         &lt;sec:cipherSuites&gt;
+             &lt;sec:cipherSuite&gt;TLS_AES_128_GCM_SHA256&lt;/sec:cipherSuite&gt;
+         &lt;/sec:cipherSuites&gt;
+        ...
+    &lt;/httpj:tlsServerParameters&gt;
+</pre>
+</div></div><h3 id="TLSConfiguration-CipherSuitesFilter">CipherSuites Filter</h3><p>The CipherSuites Filter is used to either include or exclude particular CipherSuites. If no exclusion filter is specified, the default ciphersuites that are excluded are as follows:</p><div class="table-wrap"><table class="confluenceTable"><colgroup span="1"><col span="1"><col span="1"></colgroup><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">CipherSuite Filter</th><th colspan="1" rowspan="1" class="confluenceTh">Since CXF version</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*_NULL_.*</td><td colspan="1" rowspan="1" class="confluenceTd"><br clear="none"></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*_anon_.*</td><td colspan="1" rowspan="1" class="confluenceTd"><br clear="none"></td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*_DES_.*</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.0.3</td></tr><tr><td colspan="1" rowspan="1" c
 lass="confluenceTd">.*_EXPORT_.*</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.0.4</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*_3DES_.*</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.3.0</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*_MD5</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.3.0</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*_CBC_.*</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.3.0</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">.*_RC4_.*</td><td colspan="1" rowspan="1" class="confluenceTd">CXF 3.3.0</td></tr></tbody></table></div><p>Example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CipherSuites Filter sample</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default">    &lt;httpj:tlsServerParameters&gt;
         ...
         &lt;sec:cipherSuitesFilter&gt;
-            &lt;sec:include&gt;.*_EXPORT_.*&lt;/sec:include&gt;
-            &lt;sec:include&gt;.*_EXPORT1024_.*&lt;/sec:include&gt;
-            &lt;sec:include&gt;.*_WITH_DES_.*&lt;/sec:include&gt;
             &lt;sec:include&gt;.*_WITH_AES_.*&lt;/sec:include&gt;
             &lt;sec:exclude&gt;.*_DH_anon_.*&lt;/sec:exclude&gt;
         &lt;/sec:cipherSuitesFilter&gt;
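Review bot: the sample kept at the end of this hunk is weaker than the defaults the new table documents. The text says the default exclusions apply only "If no exclusion filter is specified", and the sample does specify one, .*_DH_anon_.*, which is narrower than the default .*_anon_.* (it does not match ECDH_anon suite names), while the remaining include .*_WITH_AES_.* also matches AES suites in CBC mode, which the table lists as excluded since CXF 3.3.0. Suggest changing the sample's exclude to .*_anon_.* and adding .*_CBC_.*, or stating explicitly whether the default exclusions still apply once any exclude is configured. In the new ordered list, "*not*" will render with literal asterisks in HTML, and steps 3 and 4 do not say that step 4 is the case where a filter has been defined; the first two table rows also leave "Since CXF version" empty.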