Posted to commits@cxf.apache.org by dk...@apache.org on 2011/12/12 16:18:31 UTC

svn commit: r1213270 - in /cxf/branches/2.4.x-fixes: ./ systests/ systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/Bethal.cxf systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/https_config.xml

Author: dkulp
Date: Mon Dec 12 15:18:30 2011
New Revision: 1213270

URL: http://svn.apache.org/viewvc?rev=1213270&view=rev
Log:
Merged revisions 1212597 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1212597 | dkulp | 2011-12-09 14:43:42 -0500 (Fri, 09 Dec 2011) | 1 line
  
  More updates for algorithms for Java7
........

Modified:
    cxf/branches/2.4.x-fixes/   (props changed)
    cxf/branches/2.4.x-fixes/systests/   (props changed)
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/Bethal.cxf
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/https_config.xml

Propchange: cxf/branches/2.4.x-fixes/
            ('svn:mergeinfo' removed)

Propchange: cxf/branches/2.4.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Propchange: cxf/branches/2.4.x-fixes/systests/
            ('svn:mergeinfo' removed)

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/Bethal.cxf
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/Bethal.cxf?rev=1213270&r1=1213269&r2=1213270&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/Bethal.cxf (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/Bethal.cxf Mon Dec 12 15:18:30 2011
@@ -65,6 +65,7 @@
 	        <sec:include>.*_EXPORT_.*</sec:include>
 	        <sec:include>.*_EXPORT1024_.*</sec:include>
 	        <sec:include>.*_WITH_DES_.*</sec:include>
+            <sec:include>.*_WITH_AES_.*</sec:include>
 	        <sec:include>.*_WITH_NULL_.*</sec:include>
 	        <sec:exclude>.*_DH_anon_.*</sec:exclude>
 	      </sec:cipherSuitesFilter>
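Review bot: The added `.*_WITH_AES_.*` include widens the filter to every AES suite, while the only exclusion is still `.*_DH_anon_.*`, which does not match suite names containing `_ECDH_anon_`. If the JSSE provider in use offers anonymous ECDH suites (names of the form `TLS_ECDH_anon_WITH_AES_...`), they would appear to pass this filter with no peer authentication; a broader `<sec:exclude>.*_anon_.*</sec:exclude>` would cover both key-exchange families. The same include/exclude list is added in both hunks of https_config.xml. The new line is also indented with spaces where its neighbours use tabs. The `cipherSuitesFilter` element opens outside this hunk.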

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/https_config.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/https_config.xml?rev=1213270&r1=1213269&r2=1213270&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/https_config.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/https_config.xml Mon Dec 12 15:18:30 2011
@@ -58,6 +58,18 @@ under the License.
                    <sec:keyStore type="JKS" password="password"
                         resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
                </sec:trustManagers>
+               <sec:cipherSuitesFilter>
+                    <!-- these filters ensure that a ciphersuite with
+                    export-suitable or null encryption is used,
+                    but exclude anonymous Diffie-Hellman key change as
+                    this is vulnerable to man-in-the-middle attacks -->
+                    <sec:include>.*_EXPORT_.*</sec:include>
+                    <sec:include>.*_EXPORT1024_.*</sec:include>
+                    <sec:include>.*_WITH_DES_.*</sec:include>
+                    <sec:include>.*_WITH_AES_.*</sec:include>
+                    <sec:include>.*_WITH_NULL_.*</sec:include>
+                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
+                </sec:cipherSuitesFilter>
             </httpj:tlsServerParameters>
         </httpj:engine>
     </httpj:engine-factory>
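Review bot: The comment added above the includes no longer describes the filter: it says the filters ensure export-suitable or null encryption, but the `.*_WITH_AES_.*` include in the same block also admits full-strength AES suites, and "key change" should read "key exchange". A wording that matches the list would be `<!-- test-only filter: admits EXPORT, DES, AES and NULL suites; excludes anonymous Diffie-Hellman key exchange, which is open to man-in-the-middle attacks -->`. Because EXPORT, DES and NULL suites are weak by design, the comment should state that this list exists for the system tests and is not a template for a deployed endpoint. The same comment text is added in the client-side `tlsClientParameters` hunk that follows.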
@@ -75,6 +87,18 @@ under the License.
                 <sec:keyStore type="JKS" password="password"
                      resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
             </sec:trustManagers>
+            <sec:cipherSuitesFilter>
+                <!-- these filters ensure that a ciphersuite with
+		          export-suitable or null encryption is used,
+		          but exclude anonymous Diffie-Hellman key change as
+		          this is vulnerable to man-in-the-middle attacks -->
+		        <sec:include>.*_EXPORT_.*</sec:include>
+		        <sec:include>.*_EXPORT1024_.*</sec:include>
+		        <sec:include>.*_WITH_DES_.*</sec:include>
+		        <sec:include>.*_WITH_AES_.*</sec:include>
+		        <sec:include>.*_WITH_NULL_.*</sec:include>
+		        <sec:exclude>.*_DH_anon_.*</sec:exclude>
+            </sec:cipherSuitesFilter>
         </http:tlsClientParameters>
     </http:conduit>