diff options
author | Joakim Erdfelt | 2016-01-13 22:00:16 +0000 |
---|---|---|
committer | Joakim Erdfelt | 2016-01-13 22:00:16 +0000 |
commit | 0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb (patch) | |
tree | 88f1a8f78524ae84681b40af611cca1573cccfbe | |
parent | 30308f2316df071be17a957ec3751e040668fe3f (diff) | |
download | org.eclipse.jetty.project-0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb.tar.gz org.eclipse.jetty.project-0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb.tar.xz org.eclipse.jetty.project-0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb.zip |
485714 - Update SSL configuration to mitigate SLOTH vulnerability
4 files changed, 22 insertions, 9 deletions
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java index f353e7f09a..2d23ff564b 100644 --- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java +++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java @@ -27,6 +27,7 @@ import java.net.Socket; import java.nio.charset.StandardCharsets; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLEngine; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -36,6 +37,7 @@ import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.ServerConnector; import org.eclipse.jetty.server.handler.AbstractHandler; import org.eclipse.jetty.toolchain.test.MavenTestingUtils; +import org.eclipse.jetty.util.TypeUtil; import org.eclipse.jetty.util.resource.Resource; import org.eclipse.jetty.util.ssl.SslContextFactory; import org.junit.Test; @@ -58,8 +60,8 @@ public class SSLCloseTest server.addConnector(connector); server.setHandler(new WriteHandler()); server.start(); - - SSLContext ctx=SSLContext.getInstance("SSLv3"); + + SSLContext ctx=SSLContext.getInstance("TLSv1.2"); ctx.init(null,SslContextFactory.TRUST_ALL_CERTS,new java.security.SecureRandom()); int port=connector.getLocalPort(); diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java index 9b76d0e702..a010774b15 100644 --- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java +++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java @@ -189,7 +189,7 @@ public class SSLEngineTest Socket[] client=new Socket[numConns]; - SSLContext ctx=SSLContext.getInstance("SSLv3"); + SSLContext ctx=SSLContext.getInstance("TLSv1.2"); ctx.init(null,SslContextFactory.TRUST_ALL_CERTS,new java.security.SecureRandom()); int port=connector.getLocalPort(); diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java index 5025b2da2c..42f109c7d4 100644 --- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java +++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java @@ -250,14 +250,10 @@ public class SslContextFactory extends AbstractLifeCycle setTrustAll(trustAll); addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3"); setExcludeCipherSuites( - "SSL_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_RSA_WITH_DES_CBC_SHA", + "^.*_RSA_.*_(MD5|SHA|SHA1)$", "SSL_DHE_DSS_WITH_DES_CBC_SHA", - "SSL_RSA_EXPORT_WITH_RC4_40_MD5", - "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"); -} + } /** * Construct an instance of SslContextFactory diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java index 0ca664436f..a5e65c0251 100644 --- a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java +++ b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java @@ -29,6 +29,7 @@ import static org.junit.Assert.assertTrue; import java.io.IOException; import java.io.InputStream; import java.security.KeyStore; +import java.util.Arrays; import javax.net.ssl.SSLEngine; @@ -57,6 +58,20 @@ public class SslContextFactoryTest } @Test + public void testSLOTH() throws Exception + { + cf.setKeyStorePassword("storepwd"); + cf.setKeyManagerPassword("keypwd"); + + cf.start(); + + System.err.println(Arrays.asList(cf.getSelectedProtocols())); + for (String cipher : cf.getSelectedCipherSuites()) + System.err.println(cipher); + + } + + @Test public void testNoTsFileKs() throws Exception { cf.setKeyStorePassword("storepwd"); |