[CXF-6300] - cipherSuite configuration does not work with HTTPJ servers
Conflicts:
core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/80cdbd72
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/80cdbd72
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/80cdbd72
Branch: refs/heads/2.7.x-fixes
Commit: 80cdbd72891c028d331bd365398cd8ea2843b1bf
Parents: 16f466d
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Fri Mar 13 17:16:56 2015 +0000
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Fri Mar 13 17:23:41 2015 +0000
----------------------------------------------------------------------
.../apache/cxf/configuration/jsse/SSLUtils.java | 742 +++++++++++++++++++
.../https/ciphersuites/CipherSuitesTest.java | 418 +++++++++++
.../ciphersuites-explicit-client.xml | 37 +
.../https/ciphersuites/ciphersuites-server.xml | 117 +++
4 files changed, 1314 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/80cdbd72/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
new file mode 100644
index 0000000..ebae85d
--- /dev/null
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java
@@ -0,0 +1,742 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.configuration.jsse;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.SystemPropertyAction;
+import org.apache.cxf.configuration.security.FiltersType;
+
+
+/**
+ * Holder for utility methods related to manipulating SSL settings, common
+ * to the connection and listener factories (previously duplicated).
+ */
+public final class SSLUtils {
+
+ static final String PKCS12_TYPE = "PKCS12";
+
+ private static final String DEFAULT_KEYSTORE_TYPE = "PKCS12";
+ private static final String DEFAULT_TRUST_STORE_TYPE = "JKS";
+ private static final String DEFAULT_SECURE_SOCKET_PROTOCOL = "TLSv1";
+ private static final String CERTIFICATE_FACTORY_TYPE = "X.509";
+
+ private static final String HTTPS_CIPHER_SUITES = "https.cipherSuites";
+
+ private static final boolean DEFAULT_REQUIRE_CLIENT_AUTHENTICATION = false;
+ private static final boolean DEFAULT_WANT_CLIENT_AUTHENTICATION = true;
+
+ private static final List<String> DEFAULT_CIPHERSUITE_FILTERS_INCLUDE =
+ Arrays.asList(new String[] {".*"});
+ /**
+ * By default, exclude NULL, anon, EXPORT, DES ciphersuites
+ */
+ private static final List<String> DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE =
+ Arrays.asList(new String[] {".*_NULL_.*",
+ ".*_anon_.*",
+ ".*_EXPORT_.*",
+ ".*_DES_.*"});
+
+ private static volatile KeyManager[] defaultManagers;
+
+ private SSLUtils() {
+ }
+
+ public static KeyManager[] getKeyStoreManagers(
+ String keyStoreLocation,
+ String keyStoreType,
+ String keyStorePassword,
+ String keyPassword,
+ String keyStoreMgrFactoryAlgorithm,
+ String secureSocketProtocol,
+ Logger log)
+ throws Exception {
+ //TODO for performance reasons we should cache
+ // the KeymanagerFactory and TrustManagerFactory
+ if ((keyStorePassword != null)
+ && (keyPassword != null)
+ && (!keyStorePassword.equals(keyPassword))) {
+ LogUtils.log(log,
+ Level.WARNING,
+ "KEY_PASSWORD_NOT_SAME_KEYSTORE_PASSWORD");
+ }
+ KeyManager[] keystoreManagers = null;
+ KeyManagerFactory kmf =
+ KeyManagerFactory.getInstance(keyStoreMgrFactoryAlgorithm);
+ KeyStore ks = KeyStore.getInstance(keyStoreType);
+
+ if (keyStoreType.equalsIgnoreCase(PKCS12_TYPE)) {
+ DataInputStream dis = null;
+ byte[] bytes = null;
+ try {
+ FileInputStream fis = new FileInputStream(keyStoreLocation);
+ dis = new DataInputStream(fis);
+ bytes = new byte[dis.available()];
+ dis.readFully(bytes);
+ } finally {
+ if (dis != null) {
+ dis.close();
+ }
+ }
+ ByteArrayInputStream bin = new ByteArrayInputStream(bytes);
+
+ if (keyStorePassword != null) {
+ keystoreManagers = loadKeyStore(kmf,
+ ks,
+ bin,
+ keyStoreLocation,
+ keyStorePassword,
+ log);
+ }
+ } else {
+ byte[] sslCert = loadClientCredential(keyStoreLocation);
+
+ if (sslCert != null && sslCert.length > 0 && keyStorePassword !=
null) {
+ ByteArrayInputStream bin = new ByteArrayInputStream(sslCert);
+ keystoreManagers = loadKeyStore(kmf,
+ ks,
+ bin,
+ keyStoreLocation,
+ keyStorePassword,
+ log);
+ }
+ }
+ if ((keyStorePassword == null) && (keyStoreLocation != null)) {
+ LogUtils.log(log, Level.WARNING,
+ "FAILED_TO_LOAD_KEYSTORE_NULL_PASSWORD",
+ keyStoreLocation);
+ }
+ return keystoreManagers;
+ }
+
+ public static KeyManager[] getDefaultKeyStoreManagers(Logger log) {
+ if (defaultManagers == null) {
+ loadDefaultKeyManagers(log);
+ }
+ if (defaultManagers.length == 0) {
+ return null;
+ }
+ return defaultManagers;
+ }
+ private static synchronized void loadDefaultKeyManagers(Logger log) {
+ if (defaultManagers != null) {
+ return;
+ }
+
+ String location = getKeystore(null, log);
+ String keyStorePassword = getKeystorePassword(null, log);
+ String keyPassword = getKeyPassword(null, log);
+ FileInputStream fis = null;
+
+ try {
+ File file = new File(location);
+ if (file.exists()) {
+ KeyManagerFactory kmf =
+
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+
+ fis = new FileInputStream(file);
+ ks.load(fis, (keyStorePassword != null) ?
keyStorePassword.toCharArray() : null);
+ kmf.init(ks, (keyPassword != null) ? keyPassword.toCharArray()
: null);
+ defaultManagers = kmf.getKeyManagers();
+ } else {
+ log.log(Level.FINER, "No default keystore {0}", location);
+ defaultManagers = new KeyManager[0];
+ }
+ } catch (Exception e) {
+ log.log(Level.WARNING, "Default key managers cannot be
initialized: " + e.getMessage(), e);
+ defaultManagers = new KeyManager[0];
+ } finally {
+ if (fis != null) {
+ try {
+ fis.close();
+ } catch (IOException e) {
+ log.warning("Keystore stream cannot be closed: " +
e.getMessage());
+ }
+ }
+ }
+ }
+
+ public static KeyManager[] loadKeyStore(KeyManagerFactory kmf,
+ KeyStore ks,
+ ByteArrayInputStream bin,
+ String keyStoreLocation,
+ String keyStorePassword,
+ Logger log) {
+ KeyManager[] keystoreManagers = null;
+ try {
+ ks.load(bin, keyStorePassword.toCharArray());
+ kmf.init(ks, keyStorePassword.toCharArray());
+ keystoreManagers = kmf.getKeyManagers();
+ LogUtils.log(log,
+ Level.FINE,
+ "LOADED_KEYSTORE",
+ keyStoreLocation);
+ } catch (Exception e) {
+ LogUtils.log(log,
+ Level.WARNING,
+ "FAILED_TO_LOAD_KEYSTORE",
+ new Object[]{keyStoreLocation, e.getMessage()});
+ }
+ return keystoreManagers;
+ }
+
+ public static TrustManager[] getTrustStoreManagers(
+ boolean pkcs12,
+ String trustStoreType,
+ String trustStoreLocation,
+ String trustStoreMgrFactoryAlgorithm,
+ Logger log)
+ throws Exception {
+ // ********************** Load Trusted CA file **********************
+
+ KeyStore trustedCertStore = KeyStore.getInstance(trustStoreType);
+
+ if (pkcs12) {
+ //TODO could support multiple trust cas
+
+ trustedCertStore.load(null, "".toCharArray());
+ CertificateFactory cf =
CertificateFactory.getInstance(CERTIFICATE_FACTORY_TYPE);
+ byte[] caCert = loadCACert(trustStoreLocation);
+ try {
+ if (caCert != null) {
+ ByteArrayInputStream cabin = new
ByteArrayInputStream(caCert);
+ X509Certificate cert =
(X509Certificate)cf.generateCertificate(cabin);
+
trustedCertStore.setCertificateEntry(cert.getIssuerDN().toString(), cert);
+ cabin.close();
+ }
+ } catch (Exception e) {
+ LogUtils.log(log, Level.WARNING, "FAILED_TO_LOAD_TRUST_STORE",
+ new Object[]{trustStoreLocation, e.getMessage()});
+ }
+ } else {
+ FileInputStream trustStoreInputStream = null;
+ try {
+ trustStoreInputStream = new
FileInputStream(trustStoreLocation);
+ trustedCertStore.load(trustStoreInputStream, null);
+ } finally {
+ if (trustStoreInputStream != null) {
+ trustStoreInputStream.close();
+ }
+ }
+ }
+
+ TrustManagerFactory tmf =
+ TrustManagerFactory.getInstance(trustStoreMgrFactoryAlgorithm);
+ tmf.init(trustedCertStore);
+ LogUtils.log(log, Level.FINE, "LOADED_TRUST_STORE",
trustStoreLocation);
+ return tmf.getTrustManagers();
+ }
+
+ protected static byte[] loadClientCredential(String fileName) throws
IOException {
+ if (fileName == null) {
+ return null;
+ }
+ FileInputStream in = null;
+ try {
+ in = new FileInputStream(fileName);
+ ByteArrayOutputStream out = new ByteArrayOutputStream();
+ byte[] buf = new byte[512];
+ int i = in.read(buf);
+ while (i > 0) {
+ out.write(buf, 0, i);
+ i = in.read(buf);
+ }
+ return out.toByteArray();
+ } finally {
+ if (in != null) {
+ in.close();
+ }
+ }
+ }
+
+ protected static byte[] loadCACert(String fileName) throws IOException {
+ if (fileName == null) {
+ return null;
+ }
+ FileInputStream in = null;
+ try {
+ in = new FileInputStream(fileName);
+ ByteArrayOutputStream out = new ByteArrayOutputStream();
+ byte[] buf = new byte[512];
+ int i = in.read(buf);
+
+ while (i > 0) {
+ out.write(buf, 0, i);
+ i = in.read(buf);
+ }
+ return out.toByteArray();
+ } finally {
+ if (in != null) {
+ in.close();
+ }
+ }
+ }
+
+ public static String getKeystore(String keyStoreLocation, Logger log) {
+ String logMsg = null;
+ if (keyStoreLocation != null) {
+ logMsg = "KEY_STORE_SET";
+ } else {
+ keyStoreLocation =
SystemPropertyAction.getProperty("javax.net.ssl.keyStore");
+ if (keyStoreLocation != null) {
+ logMsg = "KEY_STORE_SYSTEM_PROPERTY_SET";
+ } else {
+ keyStoreLocation =
+ SystemPropertyAction.getProperty("user.home") +
"/.keystore";
+ logMsg = "KEY_STORE_NOT_SET";
+ }
+ }
+ LogUtils.log(log, Level.FINE, logMsg, keyStoreLocation);
+ return keyStoreLocation;
+ }
+
+ public static String getKeystoreType(String keyStoreType, Logger log) {
+ return getKeystoreType(keyStoreType, log, DEFAULT_KEYSTORE_TYPE);
+ }
+ public static String getKeystoreType(String keyStoreType, Logger log,
String def) {
+ String logMsg = null;
+ if (keyStoreType != null) {
+ logMsg = "KEY_STORE_TYPE_SET";
+ } else {
+ keyStoreType =
SystemPropertyAction.getProperty("javax.net.ssl.keyStoreType", null);
+ if (keyStoreType == null) {
+ keyStoreType = def;
+ logMsg = "KEY_STORE_TYPE_NOT_SET";
+ } else {
+ logMsg = "KEY_STORE_TYPE_SYSTEM_SET";
+ }
+ }
+ LogUtils.log(log, Level.FINE, logMsg, keyStoreType);
+ return keyStoreType;
+ }
+ public static String getKeystoreProvider(String keyStoreProvider, Logger
log) {
+ String logMsg = null;
+ if (keyStoreProvider != null) {
+ logMsg = "KEY_STORE_PROVIDER_SET";
+ } else {
+ keyStoreProvider =
SystemPropertyAction.getProperty("javax.net.ssl.keyStoreProvider", null);
+ if (keyStoreProvider == null) {
+ logMsg = "KEY_STORE_PROVIDER_NOT_SET";
+ } else {
+ logMsg = "KEY_STORE_PROVIDER_SYSTEM_SET";
+ }
+ }
+ LogUtils.log(log, Level.FINE, logMsg, keyStoreProvider);
+ return keyStoreProvider;
+ }
+
+ public static String getKeystorePassword(String keyStorePassword,
+ Logger log) {
+ String logMsg = null;
+ if (keyStorePassword != null) {
+ logMsg = "KEY_STORE_PASSWORD_SET";
+ } else {
+ keyStorePassword =
+
SystemPropertyAction.getProperty("javax.net.ssl.keyStorePassword");
+ logMsg = keyStorePassword != null
+ ? "KEY_STORE_PASSWORD_SYSTEM_PROPERTY_SET"
+ : "KEY_STORE_PASSWORD_NOT_SET";
+ }
+ LogUtils.log(log, Level.FINE, logMsg);
+ return keyStorePassword;
+ }
+
+ public static String getKeyPassword(String keyPassword, Logger log) {
+ String logMsg = null;
+ if (keyPassword != null) {
+ logMsg = "KEY_PASSWORD_SET";
+ } else {
+ keyPassword =
+ SystemPropertyAction.getProperty("javax.net.ssl.keyPassword");
+ if (keyPassword == null) {
+ keyPassword =
+
SystemPropertyAction.getProperty("javax.net.ssl.keyStorePassword");
+ }
+ logMsg = keyPassword != null
+ ? "KEY_PASSWORD_SYSTEM_PROPERTY_SET"
+ : "KEY_PASSWORD_NOT_SET";
+ }
+ LogUtils.log(log, Level.FINE, logMsg);
+ return keyPassword;
+ }
+
+ public static String getKeystoreAlgorithm(
+ String keyStoreMgrFactoryAlgorithm,
+ Logger log) {
+ String logMsg = null;
+ if (keyStoreMgrFactoryAlgorithm != null) {
+ logMsg = "KEY_STORE_ALGORITHM_SET";
+ } else {
+ keyStoreMgrFactoryAlgorithm =
+ KeyManagerFactory.getDefaultAlgorithm();
+ logMsg = "KEY_STORE_ALGORITHM_NOT_SET";
+ }
+ LogUtils.log(log, Level.FINE, logMsg, keyStoreMgrFactoryAlgorithm);
+ return keyStoreMgrFactoryAlgorithm;
+ }
+
+ public static String getTrustStoreAlgorithm(
+ String trustStoreMgrFactoryAlgorithm,
+ Logger log) {
+ String logMsg = null;
+ if (trustStoreMgrFactoryAlgorithm != null) {
+ logMsg = "TRUST_STORE_ALGORITHM_SET";
+ } else {
+ trustStoreMgrFactoryAlgorithm =
+ TrustManagerFactory.getDefaultAlgorithm();
+ logMsg = "TRUST_STORE_ALGORITHM_NOT_SET";
+ }
+ LogUtils.log(log, Level.FINE, logMsg, trustStoreMgrFactoryAlgorithm);
+ return trustStoreMgrFactoryAlgorithm;
+ }
+
+ public static SSLContext getSSLContext(String protocol,
+ KeyManager[] keyStoreManagers,
+ TrustManager[] trustStoreManagers)
+ throws NoSuchAlgorithmException, KeyManagementException {
+ SSLContext ctx = SSLContext.getInstance(protocol);
+ ctx.init(keyStoreManagers, trustStoreManagers, null);
+ return ctx;
+ }
+
+ public static String[] getSupportedCipherSuites(SSLContext context) {
+ return context.getSocketFactory().getSupportedCipherSuites();
+ }
+
+ public static String[] getServerSupportedCipherSuites(SSLContext context) {
+ return context.getServerSocketFactory().getSupportedCipherSuites();
+ }
+
+ public static String[] getCiphersuites(List<String> cipherSuitesList,
+ String[] supportedCipherSuites,
+ FiltersType filters,
+ Logger log, boolean exclude) {
+
+ // First check the "include" case only. If we have defined explicit
"cipherSuite"
+ // configuration, then just return these. Otherwise see if we have
defined ciphersuites
+ // via a system property.
+ if (!exclude) {
+ if (!(cipherSuitesList == null || cipherSuitesList.isEmpty())) {
+ return getCiphersFromList(cipherSuitesList, log, exclude);
+ } else {
+ String[] cipherSuites = getSystemCiphersuites(log);
+ if (cipherSuites != null) {
+ return cipherSuites;
+ }
+ }
+ }
+
+ // Otherwise check the "include/exclude" cipherSuiteFilter
configuration
+
+ LogUtils.log(log, Level.FINE, "CIPHERSUITES_NOT_SET");
+ if (filters == null) {
+ LogUtils.log(log, Level.FINE, "CIPHERSUITE_FILTERS_NOT_SET");
+ }
+ List<String> filteredCipherSuites = new ArrayList<String>();
+ List<String> excludedCipherSuites = new ArrayList<String>();
+ List<Pattern> includes =
+ filters != null
+ ? compileRegexPatterns(filters.getInclude(), true, log)
+ : compileRegexPatterns(DEFAULT_CIPHERSUITE_FILTERS_INCLUDE,
true, log);
+ List<Pattern> excludes =
+ filters != null
+ ? compileRegexPatterns(filters.getExclude(), false, log)
+ : compileRegexPatterns(DEFAULT_CIPHERSUITE_FILTERS_EXCLUDE,
true, log);
+ for (int i = 0; i < supportedCipherSuites.length; i++) {
+ if (matchesOneOf(supportedCipherSuites[i], includes)
+ && !matchesOneOf(supportedCipherSuites[i], excludes)) {
+ LogUtils.log(log,
+ Level.FINE,
+ "CIPHERSUITE_INCLUDED",
+ supportedCipherSuites[i]);
+ filteredCipherSuites.add(supportedCipherSuites[i]);
+ } else {
+ LogUtils.log(log,
+ Level.FINE,
+ "CIPHERSUITE_EXCLUDED",
+ supportedCipherSuites[i]);
+ excludedCipherSuites.add(supportedCipherSuites[i]);
+ }
+ }
+ LogUtils.log(log,
+ Level.FINE,
+ "CIPHERSUITES_FILTERED",
+ filteredCipherSuites);
+ LogUtils.log(log,
+ Level.FINE,
+ "CIPHERSUITES_EXCLUDED",
+ excludedCipherSuites);
+ if (exclude) {
+ return getCiphersFromList(excludedCipherSuites, log, exclude);
+ } else {
+ return getCiphersFromList(filteredCipherSuites, log, exclude);
+ }
+ }
+
+ private static String[] getSystemCiphersuites(Logger log) {
+ String jvmCipherSuites = System.getProperty(HTTPS_CIPHER_SUITES);
+ if ((jvmCipherSuites != null) && (!jvmCipherSuites.isEmpty())) {
+ LogUtils.log(log, Level.FINE, "CIPHERSUITES_SYSTEM_PROPERTY_SET",
jvmCipherSuites);
+ return jvmCipherSuites.split(",");
+ } else {
+ return null;
+ }
+
+ }
+
+ private static List<Pattern> compileRegexPatterns(List<String> regexes,
+ boolean include,
+ Logger log) {
+ List<Pattern> patterns = new ArrayList<Pattern>();
+ if (regexes != null) {
+ String msg = include
+ ? "CIPHERSUITE_INCLUDE_FILTER"
+ : "CIPHERSUITE_EXCLUDE_FILTER";
+ for (String s : regexes) {
+ LogUtils.log(log, Level.FINE, msg, s);
+ patterns.add(Pattern.compile(s));
+ }
+ }
+ return patterns;
+ }
+
+ private static boolean matchesOneOf(String s, List<Pattern> patterns) {
+ boolean matches = false;
+ if (patterns != null) {
+ for (Pattern pattern : patterns) {
+ Matcher matcher = pattern.matcher(s);
+ if (matcher.matches()) {
+ matches = true;
+ break;
+ }
+ }
+ }
+ return matches;
+ }
+
+ private static String[] getCiphersFromList(List<String> cipherSuitesList,
+ Logger log,
+ boolean exclude) {
+ int numCipherSuites = cipherSuitesList.size();
+ String[] cipherSuites = cipherSuitesList.toArray(new
String[numCipherSuites]);
+ if (log.isLoggable(Level.FINE)) {
+ StringBuilder ciphsStr = new StringBuilder();
+ for (String s : cipherSuites) {
+ if (ciphsStr.length() != 0) {
+ ciphsStr.append(", ");
+ }
+ ciphsStr.append(s);
+ }
+ LogUtils.log(log, Level.FINE,
+ exclude ? "CIPHERSUITES_EXCLUDED" : "CIPHERSUITES_SET",
ciphsStr.toString());
+ }
+ return cipherSuites;
+ }
+
+ public static String getTrustStore(String trustStoreLocation, Logger log) {
+ String logMsg = null;
+ if (trustStoreLocation != null) {
+ logMsg = "TRUST_STORE_SET";
+ } else {
+ trustStoreLocation =
SystemPropertyAction.getProperty("javax.net.ssl.trustStore");
+ if (trustStoreLocation != null) {
+ logMsg = "TRUST_STORE_SYSTEM_PROPERTY_SET";
+ } else {
+ trustStoreLocation =
+ SystemPropertyAction.getProperty("java.home") +
"/lib/security/cacerts";
+ logMsg = "TRUST_STORE_NOT_SET";
+ }
+ }
+ LogUtils.log(log, Level.FINE, logMsg, trustStoreLocation);
+ return trustStoreLocation;
+ }
+
+ public static String getTrustStoreType(String trustStoreType, Logger log) {
+ String logMsg = null;
+ if (trustStoreType != null) {
+ logMsg = "TRUST_STORE_TYPE_SET";
+ } else {
+ //Can default to JKS
+ trustStoreType =
SystemPropertyAction.getProperty("javax.net.ssl.trustStoreType");
+ if (trustStoreType == null) {
+ trustStoreType = DEFAULT_TRUST_STORE_TYPE;
+ logMsg = "TRUST_STORE_TYPE_NOT_SET";
+ } else {
+ logMsg = "TRUST_STORE_TYPE_SYSTEM_SET";
+ }
+ }
+ LogUtils.log(log, Level.FINE, logMsg, trustStoreType);
+ return trustStoreType;
+ }
+
+ public static String getSecureSocketProtocol(String secureSocketProtocol,
+ Logger log) {
+ if (secureSocketProtocol != null) {
+ LogUtils.log(log,
+ Level.FINE,
+ "SECURE_SOCKET_PROTOCOL_SET",
+ secureSocketProtocol);
+ } else {
+ LogUtils.log(log, Level.FINE, "SECURE_SOCKET_PROTOCOL_NOT_SET");
+ secureSocketProtocol = DEFAULT_SECURE_SOCKET_PROTOCOL;
+ }
+ return secureSocketProtocol;
+ }
+
+ public static boolean getRequireClientAuthentication(
+ boolean isSetRequireClientAuthentication,
+ Boolean isRequireClientAuthentication,
+ Logger log) {
+ boolean requireClientAuthentication =
+ DEFAULT_REQUIRE_CLIENT_AUTHENTICATION;
+ if (isSetRequireClientAuthentication) {
+ requireClientAuthentication =
+ isRequireClientAuthentication.booleanValue();
+ LogUtils.log(log,
+ Level.FINE,
+ "REQUIRE_CLIENT_AUTHENTICATION_SET",
+ requireClientAuthentication);
+ } else {
+ LogUtils.log(log,
+ Level.WARNING,
+ "REQUIRE_CLIENT_AUTHENTICATION_NOT_SET");
+ }
+ return requireClientAuthentication;
+ }
+
+ public static boolean getWantClientAuthentication(
+ boolean isSetWantClientAuthentication,
+ Boolean isWantClientAuthentication,
+ Logger log) {
+ boolean wantClientAuthentication =
+ DEFAULT_WANT_CLIENT_AUTHENTICATION;
+ if (isSetWantClientAuthentication) {
+ wantClientAuthentication =
+ isWantClientAuthentication.booleanValue();
+ LogUtils.log(log,
+ Level.FINE,
+ "WANT_CLIENT_AUTHENTICATION_SET",
+ wantClientAuthentication);
+ } else {
+ LogUtils.log(log,
+ Level.WARNING,
+ "WANT_CLIENT_AUTHENTICATION_NOT_SET");
+ }
+ return wantClientAuthentication;
+ }
+
+
+
+ public static void logUnSupportedPolicies(Object policy,
+ boolean client,
+ String[] unsupported,
+ Logger log) {
+ for (int i = 0; i < unsupported.length; i++) {
+ try {
+ Method method = policy.getClass().getMethod("isSet" +
unsupported[i]);
+ boolean isSet =
+ ((Boolean)method.invoke(policy,
(Object[])null)).booleanValue();
+ logUnSupportedPolicy(isSet, client, unsupported[i], log);
+ } catch (Exception e) {
+ // ignore
+ }
+ }
+ }
+
+ private static void logUnSupportedPolicy(boolean isSet,
+ boolean client,
+ String policy,
+ Logger log) {
+ if (isSet) {
+ LogUtils.log(log,
+ Level.WARNING,
+ client
+ ? "UNSUPPORTED_SSL_CLIENT_POLICY_DATA"
+ : "UNSUPPORTED_SSL_SERVER_POLICY_DATA",
+ policy);
+ }
+ }
+
+ public static boolean testAllDataHasSetupMethod(Object policy,
+ String[] unsupported,
+ String[] derivative) {
+ Method[] sslPolicyMethods = policy.getClass().getDeclaredMethods();
+ Method[] methods = SSLUtils.class.getMethods();
+ boolean ok = true;
+
+ for (int i = 0; i < sslPolicyMethods.length && ok; i++) {
+ String sslPolicyMethodName = sslPolicyMethods[i].getName();
+ if (sslPolicyMethodName.startsWith("isSet")) {
+ String dataName =
+ sslPolicyMethodName.substring("isSet".length(),
+
sslPolicyMethodName.length());
+ String thisMethodName = "get" + dataName;
+ ok = hasMethod(methods, thisMethodName)
+ || isExcluded(unsupported, dataName)
+ || isExcluded(derivative, dataName);
+ }
+ }
+ return ok;
+ }
+
+ private static boolean hasMethod(Method[] methods, String methodName) {
+ boolean found = false;
+ for (int i = 0; i < methods.length && !found; i++) {
+ found = methods[i].getName().equals(methodName);
+ }
+ return found;
+ }
+
+ private static boolean isExcluded(String[] excluded,
+ String dataName) {
+ boolean found = false;
+ for (int i = 0; i < excluded.length && !found; i++) {
+ found = excluded[i].equals(dataName);
+ }
+ return found;
+
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/80cdbd72/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
----------------------------------------------------------------------
diff --git
a/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
new file mode 100644
index 0000000..3a93002
--- /dev/null
+++
b/systests/transports/src/test/java/org/apache/cxf/systest/https/ciphersuites/CipherSuitesTest.java
@@ -0,0 +1,418 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.https.ciphersuites;
+
+import java.net.URL;
+
+import javax.xml.ws.BindingProvider;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.hello_world.Greeter;
+import org.apache.hello_world.services.SOAPService;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+/**
+ * A set of tests for TLS ciphersuites
+ */
+public class CipherSuitesTest extends AbstractBusClientServerTestBase {
+ static final String PORT = allocatePort(CipherSuitesServer.class);
+ static final String PORT2 = allocatePort(CipherSuitesServer.class, 2);
+ static final String PORT3 = allocatePort(CipherSuitesServer.class, 3);
+ static final String PORT4 = allocatePort(CipherSuitesServer.class, 4);
+
+ @BeforeClass
+ public static void startServers() throws Exception {
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(CipherSuitesServer.class, true)
+ );
+ }
+
+ @AfterClass
+ public static void cleanup() throws Exception {
+ stopAllServers();
+ }
+
+ // Both client + server include AES
+ @org.junit.Test
+ public void testAESIncluded() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Both client + server include AES
+ @org.junit.Test
+ public void testAESIncludedAsync() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ // Enable Async
+
((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+ updateAddressPort(port, PORT);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Both client + server include a specific AES CipherSuite (not via a
filter)
+ @org.junit.Test
+ public void testAESIncludedExplicitly() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-explicit-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT4);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client only includes RC4, server only includes AES
+ @org.junit.Test
+ public void testClientRC4ServerAESIncluded() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-rc4-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on not being able to negotiate a cipher
suite");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client only includes RC4, server only includes AES
+ @org.junit.Test
+ public void testClientRC4ServerAESIncludedAsync() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-rc4-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ // Enable Async
+
((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+ updateAddressPort(port, PORT);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on not being able to negotiate a cipher
suite");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Both client + server include RC4
+ @org.junit.Test
+ public void testRC4Included() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-rc4-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT2);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Both client + server include RC4
+ @org.junit.Test
+ public void testRC4IncludedAsync() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-rc4-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ // Enable Async
+
((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+ updateAddressPort(port, PORT2);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client only includes AES, server only includes RC4
+ @org.junit.Test
+ public void testClientAESServerRC4Included() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT2);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on not being able to negotiate a cipher
suite");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client only includes AES, server only includes RC4
+ @org.junit.Test
+ public void testClientAESServerRC4IncludedAsync() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ // Enable Async
+
((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+ updateAddressPort(port, PORT2);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on not being able to negotiate a cipher
suite");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Both client + server include NULL
+ @org.junit.Test
+ public void testNULLIncluded() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-null-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT3);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Both client + server include NULL
+ @org.junit.Test
+ public void testNULLIncludedAsync() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-null-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ // Enable Async
+
((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+ updateAddressPort(port, PORT3);
+
+ assertEquals(port.greetMe("Kitty"), "Hello Kitty");
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client does not allow NULL
+ @org.junit.Test
+ public void testClientAESServerNULL() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ updateAddressPort(port, PORT3);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on not being able to negotiate a cipher
suite");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ // Client does not allow NULL
+ @org.junit.Test
+ public void testClientAESServerNULLAsync() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
CipherSuitesTest.class.getResource("ciphersuites-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL url = SOAPService.WSDL_LOCATION;
+ SOAPService service = new SOAPService(url, SOAPService.SERVICE);
+ assertNotNull("Service is null", service);
+ final Greeter port = service.getHttpsPort();
+ assertNotNull("Port is null", port);
+
+ // Enable Async
+
((BindingProvider)port).getRequestContext().put("use.async.http.conduit", true);
+
+ updateAddressPort(port, PORT3);
+
+ try {
+ port.greetMe("Kitty");
+ fail("Failure expected on not being able to negotiate a cipher
suite");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/80cdbd72/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-explicit-client.xml
----------------------------------------------------------------------
diff --git
a/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-explicit-client.xml
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-explicit-client.xml
new file mode 100644
index 0000000..fcd9424
--- /dev/null
+++
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-explicit-client.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:http="http://cxf.apache.org/transports/http/configuration";
xmlns:jaxws="http://cxf.apache.org/jaxws";
xmlns:cxf="http://cxf.apache.org/core"; xmlns:p="http://cxf.apache.org/policy";
xmlns:sec="http://cxf.apache.org/configuration/security"; xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/policy http://cxf.apache.org/schemas/poli
cy.xsd">
+
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+ <http:conduit name="https://localhost:.*";>
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password"
resource="keys/Truststore.jks"/>
+ </sec:trustManagers>
+ <sec:cipherSuites>
+ <sec:cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</sec:cipherSuite>
+ </sec:cipherSuites>
+ </http:tlsClientParameters>
+ </http:conduit>
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/80cdbd72/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
----------------------------------------------------------------------
diff --git
a/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
new file mode 100644
index 0000000..6ce8b0a
--- /dev/null
+++
b/systests/transports/src/test/resources/org/apache/cxf/systest/https/ciphersuites/ciphersuites-server.xml
@@ -0,0 +1,117 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:jaxws="http://cxf.apache.org/jaxws";
xmlns:http="http://cxf.apache.org/transports/http/configuration";
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration";
xmlns:sec="http://cxf.apache.org/configuration/security";
xmlns:cxf="http://cxf.apache.org/core"; xmlns:p="http://cxf.apache.org/policy";
xsi:schemaLocation=" http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy
http://cxf.apache.org/schemas/policy.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apa
che.org/transports/http-jetty/configuration
http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd ">
+ <bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <httpj:engine-factory id="aes-tls-settings">
+ <httpj:engine port="${testutil.ports.CipherSuitesServer}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password"
resource="keys/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:clientAuthentication want="false" required="false"/>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ </sec:cipherSuitesFilter>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <jaxws:endpoint xmlns:e="http://apache.org/hello_world/services";
+ xmlns:s="http://apache.org/hello_world/services";
+ id="AESTLSServer"
+ implementor="org.apache.cxf.systest.http.GreeterImpl"
+
address="https://localhost:${testutil.ports.CipherSuitesServer}/SoapContext/HttpsPort";
+ serviceName="s:SOAPService"
+ endpointName="e:HttpsPort" depends-on="aes-tls-settings"/>
+
+
+ <httpj:engine-factory id="rc4-tls-settings">
+ <httpj:engine port="${testutil.ports.CipherSuitesServer.2}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password"
resource="keys/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:clientAuthentication want="false" required="false"/>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_WITH_RC4_.*</sec:include>
+ <sec:exclude>.*_WITH_AES_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <jaxws:endpoint xmlns:e="http://apache.org/hello_world/services";
+ xmlns:s="http://apache.org/hello_world/services";
+ id="RC4TLSServer"
+ implementor="org.apache.cxf.systest.http.GreeterImpl"
+
address="https://localhost:${testutil.ports.CipherSuitesServer.2}/SoapContext/HttpsPort";
+ serviceName="s:SOAPService"
+ endpointName="e:HttpsPort" depends-on="rc4-tls-settings"/>
+
+ <httpj:engine-factory id="null-tls-settings">
+ <httpj:engine port="${testutil.ports.CipherSuitesServer.3}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password"
resource="keys/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:clientAuthentication want="false" required="false"/>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ </sec:cipherSuitesFilter>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <jaxws:endpoint xmlns:e="http://apache.org/hello_world/services";
+ xmlns:s="http://apache.org/hello_world/services";
+ id="NULLTLSServer"
+ implementor="org.apache.cxf.systest.http.GreeterImpl"
+
address="https://localhost:${testutil.ports.CipherSuitesServer.3}/SoapContext/HttpsPort";
+ serviceName="s:SOAPService"
+ endpointName="e:HttpsPort"
depends-on="null-tls-settings"/>
+
+ <httpj:engine-factory id="aes-explicit-tls-settings">
+ <httpj:engine port="${testutil.ports.CipherSuitesServer.4}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password"
resource="keys/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:clientAuthentication want="false" required="false"/>
+ <sec:cipherSuites>
+
<sec:cipherSuite>TLS_RSA_WITH_AES_256_CBC_SHA</sec:cipherSuite>
+ </sec:cipherSuites>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <jaxws:endpoint xmlns:e="http://apache.org/hello_world/services";
+ xmlns:s="http://apache.org/hello_world/services";
+ id="AESExplicitTLSServer"
+ implementor="org.apache.cxf.systest.http.GreeterImpl"
+
address="https://localhost:${testutil.ports.CipherSuitesServer.4}/SoapContext/HttpsPort";
+ serviceName="s:SOAPService"
+ endpointName="e:HttpsPort"
depends-on="aes-explicit-tls-settings"/>
+</beans>
