disable all really weak cipher suites
With #959 all ciphers of the platform were enabled, but this also includes several suites that are considered as very weak, even down to NULL- and anon-ciphers which disable completely disable encryption and/or authentication. Especially the anon-ciphers could be easily used for a mitm-attack. To remove all weak ciphers a blacklist with patterns of cipher-names was added to Config.java. The blacklist is based on the "mandatory discards" that Mozilla suggests to not use for TLS-servers because they are weak or known to be broken. https://wiki.mozilla.org/Security/Server_Side_TLS#Mandatory_discards
This commit is contained in:
parent
cbca92d209
commit
67f8ed44bd
|
@ -64,6 +64,15 @@ public final class Config {
|
||||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||||
};
|
};
|
||||||
|
|
||||||
|
public static final String WEAK_CIPHER_PATTERNS[] = {
|
||||||
|
"_NULL_",
|
||||||
|
"_EXPORT_",
|
||||||
|
"_anon_",
|
||||||
|
"_RC4_",
|
||||||
|
"_DES_",
|
||||||
|
"_MD5",
|
||||||
|
};
|
||||||
|
|
||||||
private Config() {
|
private Config() {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -4,6 +4,7 @@ import java.security.SecureRandom;
|
||||||
import java.text.Normalizer;
|
import java.text.Normalizer;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
|
import java.util.Iterator;
|
||||||
import java.util.LinkedHashSet;
|
import java.util.LinkedHashSet;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
@ -103,6 +104,21 @@ public final class CryptoHelper {
|
||||||
final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
|
final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites);
|
||||||
cipherSuites.retainAll(platformCiphers);
|
cipherSuites.retainAll(platformCiphers);
|
||||||
cipherSuites.addAll(platformCiphers);
|
cipherSuites.addAll(platformCiphers);
|
||||||
|
filterWeakCipherSuites(cipherSuites);
|
||||||
return cipherSuites.toArray(new String[cipherSuites.size()]);
|
return cipherSuites.toArray(new String[cipherSuites.size()]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static void filterWeakCipherSuites(final Collection<String> cipherSuites) {
|
||||||
|
final Iterator<String> it = cipherSuites.iterator();
|
||||||
|
while (it.hasNext()) {
|
||||||
|
String cipherName = it.next();
|
||||||
|
// remove all ciphers with no or very weak encryption or no authentication
|
||||||
|
for (String weakCipherPattern : Config.WEAK_CIPHER_PATTERNS) {
|
||||||
|
if (cipherName.contains(weakCipherPattern)) {
|
||||||
|
it.remove();
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue