Author: markt Date: Mon Oct 5 15:29:39 2015 New Revision: 1706853 URL: http://svn.apache.org/viewvc?rev=1706853&view=rev Log: OpenSSL now excludes DES, RC2 and RC4 from DEFAULT
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java?rev=1706853&r1=1706852&r2=1706853&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java (original)
+++ tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java Mon Oct 5 15:29:39 2015
@@ -485,13 +485,16 @@ public class OpenSSLCipherConfigurationP
 addListAlias(SRP, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.SRP)));
 initialized = true;
 // Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2
- addListAlias(DEFAULT, parse("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2"));
+ addListAlias(DEFAULT, parse("ALL:!EXPORT:!eNULL:!aNULL:!SSLv2:!DES:!RC2:!RC4"));
 // COMPLEMENTOFDEFAULT is also not exactly as defined by the docs
 Set<Cipher> complementOfDefault = filterByKeyExchange(all, new HashSet<>(Arrays.asList(KeyExchange.EDH,KeyExchange.EECDH)));
 complementOfDefault = filterByAuthentication(complementOfDefault, Collections.singleton(Authentication.aNULL));
 complementOfDefault.removeAll(aliases.get(eNULL));
 complementOfDefault.addAll(aliases.get(Constants.SSL_PROTO_SSLv2));
 complementOfDefault.addAll(aliases.get(EXPORT));
+ complementOfDefault.addAll(aliases.get(DES));
+ complementOfDefault.addAll(aliases.get(RC2));
+ complementOfDefault.addAll(aliases.get(RC4));
 addListAlias(COMPLEMENTOFDEFAULT, complementOfDefault);
 }

Modified: tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java?rev=1706853&r1=1706852&r2=1706853&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java (original)
+++ tomcat/trunk/test/org/apache/tomcat/util/net/jsse/openssl/TestOpenSSLCipherConfigurationParser.java Mon Oct 5 15:29:39 2015
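Review bot: The comment above the changed `addListAlias(DEFAULT, …)` line still explains only the SSLv2 exclusion, so the new `!DES:!RC2:!RC4` terms read as arbitrary; extend it to `// Despite what the OpenSSL docs say, DEFAULT also excludes SSLv2; DES, RC2 and RC4 follow the OpenSSL 1.1.0-dev DEFAULT (see testDEFAULT)`. The same exclusion set is now spelled out twice, once in the parse string and again in the three `addAll(aliases.get(...))` calls that build COMPLEMENTOFDEFAULT, so any future addition has to be made in both places; iterating one shared list of excluded aliases for both the string and the complement would keep them in step. The new `aliases.get(DES)`, `aliases.get(RC2)` and `aliases.get(RC4)` lookups presumably depend on those aliases having been registered earlier in this method, since `addAll(null)` would throw; worth confirming that ordering. The enclosing method starts before this hunk.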
@@ -28,10 +28,13 @@ public class TestOpenSSLCipherConfigurat
 public void testDEFAULT() throws Exception {
 // EXPORT was removed from DEFAULT in 1.1.0 but we prefer the old
 // behaviour
+ // DES, RC2 and RC4 were removed from default in 1.1.0-dev
 if (TesterOpenSSL.VERSION < 10000) {
 // OpenSSL 0.9.8 excludes EC ciphers unless explicitly enabled
 // (using aRSA:!SSLv2:!eNULL as an EC alias isn't available)
- testSpecification("DEFAULT:!EXPORT:aRSA:!SSLv2:!eNULL");
+ testSpecification("DEFAULT:!EXPORT:aRSA:!SSLv2:!eNULL:!DES:!RC2:!RC4");
+ } else if (TesterOpenSSL.VERSION < 10100) {
+ testSpecification("DEFAULT:!EXPORT:!DES:!RC2:!RC4");
 } else {
 testSpecification("DEFAULT:!EXPORT");
 }
@@ -42,9 +45,12 @@ public class TestOpenSSLCipherConfigurat
 public void testCOMPLEMENTOFDEFAULT() throws Exception {
 // EXPORT was removed from DEFAULT in 1.1.0 but we prefer the old
 // behaviour
+ // DES, RC2 and RC4 were removed from default in 1.1.0-dev
 if (TesterOpenSSL.VERSION < 10000) {
 // OpenSSL 0.9.8 excludes aNULL unless explicitly enabled
- testSpecification("COMPLEMENTOFDEFAULT:EXPORT:aNULL");
+ testSpecification("COMPLEMENTOFDEFAULT:EXPORT:aNULL:DES:RC2:RC4");
+ } else if (TesterOpenSSL.VERSION < 10100) {
+ testSpecification("COMPLEMENTOFDEFAULT:EXPORT:aNULL:DES:RC2:RC4");
 } else {
 testSpecification("COMPLEMENTOFDEFAULT:EXPORT");
 }
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
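Review bot: The new `} else if (TesterOpenSSL.VERSION < 10100) {` branch in testDEFAULT, and its twin in testCOMPLEMENTOFDEFAULT in the second hunk, add a second bare version threshold with no comment saying what it stands for; a one-liner such as `// 1.0.x: OpenSSL's DEFAULT still includes DES, RC2 and RC4` on each would make the three branches readable without consulting TesterOpenSSL, and the added comment could also say `DEFAULT` rather than `default` to match the line above it. In testCOMPLEMENTOFDEFAULT the 0.9.8 and 1.0.x branches now pass the identical string `"COMPLEMENTOFDEFAULT:EXPORT:aNULL:DES:RC2:RC4"`, so unless the explicit `aNULL` affects ordering only on 0.9.8, those two branches could collapse into a single `< 10100` branch with the 0.9.8 remark kept. The comment `// DES, RC2 and RC4 were removed from default in 1.1.0-dev` also implies that every build reporting 1.1.0 is post-change; a 1.1.0-dev snapshot predating that OpenSSL change would presumably land in the `else` branch and fail, which is worth noting if such snapshots are still exercised.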