authorJoakim Erdfelt2016-01-13 17:00:16 -0500
committerJoakim Erdfelt2016-01-13 17:00:16 -0500
commit0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb (patch)
tree88f1a8f78524ae84681b40af611cca1573cccfbe
parent30308f2316df071be17a957ec3751e040668fe3f (diff)
downloadorg.eclipse.jetty.project-0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb.tar.gz
org.eclipse.jetty.project-0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb.tar.xz
org.eclipse.jetty.project-0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb.zip
485714 - Update SSL configuration to mitigate SLOTH vulnerability
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java6
-rw-r--r--jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java2
-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java8
-rw-r--r--jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java15
4 files changed, 22 insertions, 9 deletions
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java
index f353e7f09a..2d23ff564b 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java
@@ -27,6 +27,7 @@ import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -36,6 +37,7 @@ import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.TypeUtil;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.Test;
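Review bot: Neither `TypeUtil` (line 36) nor the `SSLEngine` import added in the previous hunk (line 28) is referenced by any change this commit makes to SSLCloseTest, and the one code hunk in this file (the `SSLv3` → `TLSv1.2` switch) does not use them either. If they are leftovers from local debugging of the cipher selection, drop both import lines rather than let the test accumulate unused imports. The rest of the file is outside these hunks, so treat this as a check to run, not a certainty.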
@@ -58,8 +60,8 @@ public class SSLCloseTest
server.addConnector(connector);
server.setHandler(new WriteHandler());
server.start();
-
- SSLContext ctx=SSLContext.getInstance("SSLv3");
+
+ SSLContext ctx=SSLContext.getInstance("TLSv1.2");
ctx.init(null,SslContextFactory.TRUST_ALL_CERTS,new java.security.SecureRandom());
int port=connector.getLocalPort();
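Review bot: The change to `SSLContext.getInstance("TLSv1.2")` on line 47 is load-bearing rather than cosmetic, but nothing in the test says why: the same commit makes the default `SslContextFactory` exclude `SSLv3` and every RSA-keyed suite ending in `_MD5`/`_SHA`, which are the only suites a TLS 1.0/1.1 client can negotiate, so a client context whose default-enabled protocols stop below TLS 1.2 (as the old `"SSLv3"` context's presumably did) has no suite left and the handshake fails. A one-line comment would spare the next reader a bisect: `// TLSv1.2 client: the default SslContextFactory now excludes SSLv3 and all RSA MD5/SHA-1 suites, so older protocol versions have no cipher suite to negotiate`. `TRUST_ALL_CERTS` on line 48 is fine for a loopback test but is worth the same `// test only` marker so it is never copied into production code. The test method continues outside the hunk.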
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java
index 9b76d0e702..a010774b15 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java
@@ -189,7 +189,7 @@ public class SSLEngineTest
Socket[] client=new Socket[numConns];
- SSLContext ctx=SSLContext.getInstance("SSLv3");
+ SSLContext ctx=SSLContext.getInstance("TLSv1.2");
ctx.init(null,SslContextFactory.TRUST_ALL_CERTS,new java.security.SecureRandom());
int port=connector.getLocalPort();
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index 5025b2da2c..42f109c7d4 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -250,14 +250,10 @@ public class SslContextFactory extends AbstractLifeCycle
setTrustAll(trustAll);
addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
setExcludeCipherSuites(
- "SSL_RSA_WITH_DES_CBC_SHA",
- "SSL_DHE_RSA_WITH_DES_CBC_SHA",
+ "^.*_RSA_.*_(MD5|SHA|SHA1)$",
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
- "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
- "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
- "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
-}
+ }
/**
* Construct an instance of SslContextFactory
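Review bot: The new exclude pattern on line 70, `^.*_RSA_.*_(MD5|SHA|SHA1)$`, is keyed on the RSA token, so DSS and ECDSA suites with the very same SHA-1 MAC (e.g. `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_DHE_DSS_WITH_AES_128_CBC_SHA`) stay enabled while two DSS suites are still listed by hand on lines 71 and 75; if the intent is "no MD5/SHA-1 suites at all", the symmetric `^.*_(MD5|SHA)$` is shorter, subsumes both remaining DSS entries, and drops the `SHA1` alternative, which as far as JSSE's standard names go never matches (they end in `_SHA`, `_SHA256` or `_SHA384`). It is also worth a comment that SLOTH is a transcript-collision attack on MD5/SHA-1 handshake signatures, not on the HMAC-SHA1 record MAC these suite names refer to, so the cipher-suite exclusion is defence in depth and the primary mitigation is the JDK's signature-algorithm policy (`jdk.tls.disabledAlgorithms`, e.g. `MD5withRSA`) — otherwise a later maintainer may relax this list believing it was the fix. The practical cost should be stated too: every pre-TLS 1.2 suite uses an MD5 or SHA-1 MAC, so for an RSA certificate this leaves only TLS 1.2 suites and in effect shuts out TLS 1.0/1.1 clients. Something like `// Exclude RSA suites with MD5/SHA-1 MACs (SLOTH hardening); note this leaves only TLS 1.2 suites for RSA certificates` above line 67 would record both points, and this assumes the exclude list is regex-matched, which the change itself relies on. The constructor continues outside the hunk.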
diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
index 0ca664436f..a5e65c0251 100644
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
@@ -29,6 +29,7 @@ import static org.junit.Assert.assertTrue;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
+import java.util.Arrays;
import javax.net.ssl.SSLEngine;
@@ -57,6 +58,20 @@ public class SslContextFactoryTest
}
@Test
+ public void testSLOTH() throws Exception
+ {
+ cf.setKeyStorePassword("storepwd");
+ cf.setKeyManagerPassword("keypwd");
+
+ cf.start();
+
+ System.err.println(Arrays.asList(cf.getSelectedProtocols()));
+ for (String cipher : cf.getSelectedCipherSuites())
+ System.err.println(cipher);
+
+ }
+
+ @Test
public void testNoTsFileKs() throws Exception
{
cf.setKeyStorePassword("storepwd");
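Review bot: `testSLOTH` (lines 93–104) asserts nothing — it only prints the selected protocols and cipher suites to stderr, so a regression that re-enables an excluded suite or SSLv3 would still pass, and the output is just noise in the build log. Replace the two print blocks with assertions, e.g. `assertTrue(!Arrays.asList(cf.getSelectedProtocols()).contains("SSLv3"));` and `for (String cipher : cf.getSelectedCipherSuites()) assertTrue(cipher, !cipher.matches(".*_RSA_.*_(MD5|SHA|SHA1)"));` (only `assertTrue` is visibly imported on line 84; `assertFalse` would read better if the import is added). A name that says what is checked, such as `testDefaultExcludesRsaMd5Sha1Suites`, would also help more than the vulnerability nickname. The `cf` fixture is created outside the hunk, so this assumes it is the default-constructed factory whose exclusions the commit changes.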
