Merge pull request #1022 from Boris-de/cipher_blacklist
disable all really weak cipher suites
This commit is contained in:
commit
1a5321e41f
|
@ -64,6 +64,15 @@ public final class Config {
|
|||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||
};
|
||||
|
||||
public static final String WEAK_CIPHER_PATTERNS[] = {
|
||||
"_NULL_",
|
||||
"_EXPORT_",
|
||||
"_anon_",
|
||||
"_RC4_",
|
||||
"_DES_",
|
||||
"_MD5",
|
||||
};
|
||||
|
||||
private Config() {
|
||||
|
||||
}
|
||||
|
|
|
@ -4,6 +4,7 @@ import java.security.SecureRandom;
|
|||
import java.text.Normalizer;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Iterator;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.List;
|
||||
|
||||
|
@ -103,6 +104,21 @@ public final class CryptoHelper {
|
|||
final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
|
||||
cipherSuites.retainAll(platformCiphers);
|
||||
cipherSuites.addAll(platformCiphers);
|
||||
filterWeakCipherSuites(cipherSuites);
|
||||
return cipherSuites.toArray(new String[cipherSuites.size()]);
|
||||
}
|
||||
|
||||
private static void filterWeakCipherSuites(final Collection<String> cipherSuites) {
|
||||
final Iterator<String> it = cipherSuites.iterator();
|
||||
while (it.hasNext()) {
|
||||
String cipherName = it.next();
|
||||
// remove all ciphers with no or very weak encryption or no authentication
|
||||
for (String weakCipherPattern : Config.WEAK_CIPHER_PATTERNS) {
|
||||
if (cipherName.contains(weakCipherPattern)) {
|
||||
it.remove();
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue