Posted to commits@cxf.apache.org by co...@apache.org on 2018/10/05 15:15:12 UTC

[cxf] 03/04: CXF-7866 - Exclude DES, 3DES, MD5, CBC and RC4 ciphersuites as well by default

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit a9c0c7705f70054a70eb3e95439d2a37731e0332
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 5 14:16:15 2018 +0100

    CXF-7866 - Exclude DES, 3DES, MD5, CBC and RC4 ciphersuites as well by default
---
 .../src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java | 8 ++++++--
 .../apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java   | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
index ed79a51..6446719 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
@@ -67,12 +67,16 @@ public final class SSLUtils {
     private static final String HTTPS_CIPHER_SUITES = "https.cipherSuites";
 
     /**
-     * By default, exclude NULL, anon and EXPORT ciphersuites
+     * By default, exclude NULL, anon, EXPORT, (3)DES, MD5, CBC and RC4 ciphersuites
      */
     private static final List<String> DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE =
         Arrays.asList(new String[] {".*NULL.*",
                                     ".*anon.*",
-                                    ".*EXPORT.*"});
+                                    ".*EXPORT.*",
+                                    ".*DES.*",
+                                    ".*MD5",
+                                    ".*CBC.*",
+                                    ".*RC4.*"});
 
     private static volatile KeyManager[] defaultManagers;
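Review bot: The new `".*MD5"` entry is the only filter without a trailing `.*`, so it excludes a suite only when MD5 is the last token of the name. That holds for the usual JSSE names, where MD5 is the trailing MAC, but it depends on how the list is matched, which is outside this hunk; `".*MD5.*",` would be consistent with the other entries. The Javadoc should also record the interoperability cost of `".*CBC.*"`, for example `Excluding CBC removes every CBC-mode suite, so peers that offer only CBC suites fail the handshake unless the filter is overridden.`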
 
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
index 7a4c54b..24f3904 100644
--- a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
@@ -688,7 +688,7 @@ public class CipherSuitesTest extends AbstractBusClientServerTestBase {
 
         // Check we have no anon/EXPORT/NULL/etc ciphersuites
         assertFalse(Arrays.stream(
-            filteredCipherSuites).anyMatch(c -> c.matches(".*NULL|anon|EXPORT.*")));
+            filteredCipherSuites).anyMatch(c -> c.matches(".*NULL|anon|EXPORT|DES|MD5|CBC|RC4.*")));
     }
 
     @org.junit.Test
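Review bot: The pattern passed to `c.matches(...)` cannot catch the suites this commit excludes, so the assertion does not guard the new default. `String.matches` requires the whole name to match and the alternation is ungrouped, so it reads as `.*NULL`, or exactly `anon`, `EXPORT`, `DES`, `MD5` or `CBC`, or `RC4.*`. A name such as TLS_RSA_WITH_AES_128_CBC_SHA matches none of these, so `assertFalse` passes even if the filter regresses. Grouping the alternatives fixes it: `filteredCipherSuites).anyMatch(c -> c.matches(".*(NULL|anon|EXPORT|DES|MD5|CBC|RC4).*")));`. The enclosing test method starts above this hunk.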