-rw-r--r--jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java45
-rw-r--r--jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java37
2 files changed, 68 insertions, 14 deletions
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index 857d199a81..0168c91a58 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -41,6 +41,9 @@ import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
+import java.util.concurrent.CopyOnWriteArraySet;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
@@ -369,6 +372,7 @@ public class SslContextFactory extends AbstractLifeCycle
}
/**
+ * You can either use the exact cipher suite name or a a regular expression.
* @param cipherSuites
* The array of cipher suite names to exclude from
* {@link SSLEngine#setEnabledCipherSuites(String[])}
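Review bot: The added Javadoc sentence has a doubled word ("a a regular expression") and understates the new behaviour; the same sentence is repeated on the include setter in the next hunk. Every entry is now passed to `Pattern.compile` and tested with `matches()`, so the comment should say that an entry has to match the whole suite name, for example `* Each entry is an exact cipher suite name or a regular expression that must match the whole name.` The Javadoc block continues past the end of this hunk.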
@@ -399,6 +403,7 @@ public class SslContextFactory extends AbstractLifeCycle
}
/**
+ * You can either use the exact cipher suite name or a a regular expression.
* @param cipherSuites
* The array of cipher suite names to include in
* {@link SSLEngine#setEnabledCipherSuites(String[])}
@@ -1035,25 +1040,47 @@ public class SslContextFactory extends AbstractLifeCycle
*/
public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
{
- Set<String> selected_ciphers = new LinkedHashSet<>();
+ Set<String> selected_ciphers = new CopyOnWriteArraySet<>();
// Set the starting ciphers - either from the included or enabled list
if (_includeCipherSuites!=null)
- {
- // Use only the supported included ciphers
- for (String cipherSuite : _includeCipherSuites)
- if(Arrays.asList(supportedCipherSuites).contains(cipherSuite))
- selected_ciphers.add(cipherSuite);
- }
+ processIncludeCipherSuites(supportedCipherSuites, selected_ciphers);
else
selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
+ removeExcludedCipherSuites(selected_ciphers);
- // Remove any excluded ciphers
- selected_ciphers.removeAll(_excludeCipherSuites);
return selected_ciphers.toArray(new String[selected_ciphers.size()]);
}
+ private void processIncludeCipherSuites(String[] supportedCipherSuites, Set<String> selected_ciphers)
+ {
+ for (String cipherSuite : _includeCipherSuites)
+ {
+ Pattern p = Pattern.compile(cipherSuite);
+ for (String supportedCipherSuite : supportedCipherSuites)
+ {
+ Matcher m = p.matcher(supportedCipherSuite);
+ if (m.matches())
+ selected_ciphers.add(supportedCipherSuite);
+ }
+ }
+ }
+
+ private void removeExcludedCipherSuites(Set<String> selected_ciphers)
+ {
+ for (String excludeCipherSuite : _excludeCipherSuites)
+ {
+ Pattern excludeCipherPattern = Pattern.compile(excludeCipherSuite);
+ for (String selectedCipherSuite : selected_ciphers)
+ {
+ Matcher m = excludeCipherPattern.matcher(selectedCipherSuite);
+ if (m.matches())
+ selected_ciphers.remove(selectedCipherSuite);
+ }
+ }
+ }
+
/**
* Check if the lifecycle has been started and throw runtime exception
*/
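Review bot: `removeExcludedCipherSuites` removes from `selected_ciphers` while iterating over it, which only works because the set was switched to `CopyOnWriteArraySet`; each removal then copies the backing array, and nothing in the code says why that collection was chosen. Keeping `LinkedHashSet` and removing through the collection would read more directly, for example `selected_ciphers.removeIf(s -> excludeCipherPattern.matcher(s).matches());` if the build targets Java 8, or an explicit `Iterator.remove()` otherwise. Because the exclude list is a deny-list and `matches()` requires the whole name to match, an entry such as `RC4` without the surrounding `.*` removes nothing and the suite stays enabled with no signal; a debug log for exclude patterns that matched no suite would make that visible. `Pattern.compile` also runs on every call, so a malformed entry raises `PatternSyntaxException` here rather than when the list is set; compiling once in the setters would surface it earlier.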
diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
index 6122dfd024..980640c108 100644
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
@@ -18,15 +18,12 @@
package org.eclipse.jetty.util.ssl;
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.is;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.assertTrue;
-
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
+import javax.net.ssl.SSLEngine;
+
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.StdErrLog;
@@ -35,6 +32,12 @@ import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+
public class SslContextFactoryTest
{
@@ -190,6 +193,30 @@ public class SslContextFactoryTest
}
@Test
+ public void testSetExcludeCipherSuitesRegex() throws Exception
+ {
+ cf.setExcludeCipherSuites(".*RC4.*");
+ cf.start();
+ SSLEngine sslEngine = cf.newSSLEngine();
+ String[] enabledCipherSuites = sslEngine.getEnabledCipherSuites();
+ assertThat("At least 1 cipherSuite is enabled", enabledCipherSuites.length, greaterThan(0));
+ for (String enabledCipherSuite : enabledCipherSuites)
+ assertThat("CipherSuite does not contain RC4", enabledCipherSuite.contains("RC4"), is(false));
+ }
+
+ @Test
+ public void testSetIncludeCipherSuitesRegex() throws Exception
+ {
+ cf.setIncludeCipherSuites(".*RC4.*");
+ cf.start();
+ SSLEngine sslEngine = cf.newSSLEngine();
+ String[] enabledCipherSuites = sslEngine.getEnabledCipherSuites();
+ assertThat("At least 1 cipherSuite is enabled", enabledCipherSuites.length, greaterThan(0));
+ for (String enabledCipherSuite : enabledCipherSuites)
+ assertThat("CipherSuite contains RC4", enabledCipherSuite.contains("RC4"), is(true));
+ }
+
+ @Test
public void testSetIncludeCipherSuitesPreservesOrder()
{
String[] supportedCipherSuites = new String[]{"cipher4", "cipher2", "cipher1", "cipher3"};
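Review bot: `testSetExcludeCipherSuitesRegex` passes vacuously on a JVM whose default enabled list contains no RC4 suite, because it never checks that one was present before the exclusion; `testSetIncludeCipherSuitesRegex` would instead fail its `greaterThan(0)` assertion on such a JVM. Calling `selectCipherSuites` directly with fixed arrays, as the neighbouring `testSetIncludeCipherSuitesPreservesOrder` appears to do, would make both tests independent of the runtime's TLS configuration. A case for an exact suite name and one for a pattern that is not a full match (for example `RC4` alone) would pin the `matches()` semantics. `testSetIncludeCipherSuitesPreservesOrder` continues outside the hunk.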
