Posted to commits@cxf.apache.org by co...@apache.org on 2018/10/03 16:14:47 UTC
[cxf] 06/07: CXF-7862 - Exclude 3DES, MD5,
CBC and RC4 ciphersuites as well by default
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 26568235d6db6ef44a74dac1ea1746319913c354
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Oct 3 16:39:58 2018 +0100
CXF-7862 - Exclude 3DES, MD5, CBC and RC4 ciphersuites as well by default
---
.../main/java/org/apache/cxf/configuration/jsse/SSLUtils.java | 8 ++++++--
.../transport/http/spring/HttpConduitConfigurationTest.java | 2 +-
.../java/org/apache/cxf/transport/http/spring/conduit-bean.xml | 10 +---------
.../apache/cxf/transport/http/spring/conduit-tlsrefs-bean.xml | 10 +---------
4 files changed, 9 insertions(+), 21 deletions(-)
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
index acea7cc..9d8467b 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
@@ -68,13 +68,17 @@ public final class SSLUtils {
private static final List<String> DEFAULT_CIPHERSUITE_FILTERS_INCLUDE =
Arrays.asList(new String[] {".*"});
/**
- * By default, exclude NULL, anon, EXPORT, DES ciphersuites
+ * By default, exclude NULL, anon, EXPORT, DES, 3DES, MD5, CBC and RC4 ciphersuites
*/
private static final List<String> DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE =
Arrays.asList(new String[] {".*_NULL_.*",
".*_anon_.*",
".*_EXPORT_.*",
- ".*_DES_.*"});
+ ".*_DES_.*",
+ ".*_3DES_.*",
+ ".*_MD5",
+ ".*_CBC_.*",
+ ".*_RC4_.*"});
private static volatile KeyManager[] defaultManagers;
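Review bot: The Javadoc on DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE lists the new patterns but not their consequence: `.*_CBC_.*` rejects every CBC-mode suite, so with the `.*` include default only AEAD suites (GCM, and ChaCha20-Poly1305 where the runtime offers it) presumably survive, and a runtime exposing no such suites would be left with nothing to negotiate. I would add a sentence such as `Only AEAD (e.g. GCM) suites remain after these excludes; a runtime without such suites must configure the filter explicitly.` The `.*_MD5` entry is also the only pattern without a trailing `.*`; if the filter applies these with find() rather than matches() it still works because MD5 only occurs as a suffix, but the asymmetry deserves a short comment or alignment with the sibling patterns. The rest of SSLUtils, including where these filters are applied, is outside the hunk.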
diff --git a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
index 2bcb81d..a480ab6 100644
--- a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
+++ b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
@@ -105,7 +105,7 @@ public class HttpConduitConfigurationTest extends Assert {
FiltersType csfs = tlscps.getCipherSuitesFilter();
assertNotNull(csfs);
- assertEquals(5, csfs.getInclude().size());
+ assertEquals(1, csfs.getInclude().size());
assertEquals(1, csfs.getExclude().size());
HTTPClientPolicy clientPolicy = conduit.getClient();
assertEquals(10240, clientPolicy.getChunkLength());
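Review bot: The changed assertion still checks only collection sizes, so the test passes with any single include/exclude pattern and no longer proves the fixture carries the intended `.*_WITH_AES_.*` / `.*_CBC_.*` pair. If getInclude()/getExclude() return the pattern strings, `assertEquals(".*_CBC_.*", csfs.getExclude().get(0));` would pin the exclude that the companion conduit-bean.xml change introduces. The enclosing test method starts before the hunk.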
diff --git a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/conduit-bean.xml b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/conduit-bean.xml
index d2e7e7f..bc0dbd3 100644
--- a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/conduit-bean.xml
+++ b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/conduit-bean.xml
@@ -27,16 +27,8 @@
<sec:keyStore type="JKS" password="password" resource="org/apache/cxf/transport/https/resources/Gordy.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
- <!-- these filters ensure that a ciphersuite with
- export-suitable or null encryption is used,
- but exclude anonymous Diffie-Hellman key change as
- this is vulnerable to man-in-the-middle attacks -->
- <sec:include>.*_EXPORT_.*</sec:include>
- <sec:include>.*_EXPORT1024_.*</sec:include>
- <sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
- <sec:include>.*_WITH_NULL_.*</sec:include>
- <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ <sec:exclude>.*_CBC_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
<http:authorization>
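Review bot: The replacement filter at the added `<sec:exclude>` line carries no comment, while the removed block (which, incidentally, described EXPORT and NULL suites as desirable) is dropped entirely, so a reader of the test fixture can no longer tell why CBC is excluded on top of the AES include. I would add above `<sec:include>`: `<!-- AES suites only, minus CBC modes: leaves the AEAD (e.g. GCM) AES suites, mirroring the default exclusions in SSLUtils -->`. The same applies to conduit-tlsrefs-bean.xml in the following hunk.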
diff --git a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/conduit-tlsrefs-bean.xml b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/conduit-tlsrefs-bean.xml
index a7e60a5..acf654b 100644
--- a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/conduit-tlsrefs-bean.xml
+++ b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/conduit-tlsrefs-bean.xml
@@ -25,16 +25,8 @@
<sec:keyManagers ref="keyManagers"/>
<sec:trustManagers ref="trustManagers"/>
<sec:cipherSuitesFilter>
- <!-- these filters ensure that a ciphersuite with
- export-suitable or null encryption is used,
- but exclude anonymous Diffie-Hellman key change as
- this is vulnerable to man-in-the-middle attacks -->
- <sec:include>.*_EXPORT_.*</sec:include>
- <sec:include>.*_EXPORT1024_.*</sec:include>
- <sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
- <sec:include>.*_WITH_NULL_.*</sec:include>
- <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ <sec:exclude>.*_CBC_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
<http:authorization>