-rw-r--r-- | jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java | 45 | ||||
-rw-r--r-- | jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java | 37 |
2 files changed, 68 insertions, 14 deletions
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index 857d199a81..0168c91a58 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -41,6 +41,9 @@ import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.concurrent.CopyOnWriteArraySet;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
@@ -369,6 +372,7 @@ public class SslContextFactory extends AbstractLifeCycle
 }
 
 /**
+ * You can either use the exact cipher suite name or a a regular expression.
 * @param cipherSuites
 * The array of cipher suite names to exclude from
 * {@link SSLEngine#setEnabledCipherSuites(String[])}
@@ -399,6 +403,7 @@ public class SslContextFactory extends AbstractLifeCycle
 }
 
 /**
+ * You can either use the exact cipher suite name or a a regular expression.
 * @param cipherSuites
 * The array of cipher suite names to include in
 * {@link SSLEngine#setEnabledCipherSuites(String[])}
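Review bot: The Javadoc sentence added to both setters (the `-369` and `-399` hunks) reads `a a regular expression` and does not say how an expression is applied; since `selectCipherSuites` compiles every configured entry with `Pattern.compile` and tests it with `Matcher.matches()`, the documentation should state that the expression must match the whole cipher suite name and that an invalid expression surfaces as a `PatternSyntaxException` when the suites are selected. Suggested text for both: `* Each entry is either an exact cipher suite name or a regular expression that must match the whole suite name; an invalid expression causes a {@link java.util.regex.PatternSyntaxException} when cipher suites are selected.` The setter bodies themselves lie outside these hunks, so whether the failure would happen at start() or later cannot be confirmed from here.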
@@ -1035,25 +1040,47 @@ public class SslContextFactory extends AbstractLifeCycle
 */
 public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
 {
-Set<String> selected_ciphers = new LinkedHashSet<>();
+Set<String> selected_ciphers = new CopyOnWriteArraySet<>();
 
 // Set the starting ciphers - either from the included or enabled list
 if (_includeCipherSuites!=null)
-{
-// Use only the supported included ciphers
-for (String cipherSuite : _includeCipherSuites)
-if(Arrays.asList(supportedCipherSuites).contains(cipherSuite))
-selected_ciphers.add(cipherSuite);
-}
+processIncludeCipherSuites(supportedCipherSuites, selected_ciphers);
 else
 selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
 
+removeExcludedCipherSuites(selected_ciphers);
 
-// Remove any excluded ciphers
-selected_ciphers.removeAll(_excludeCipherSuites);
 return selected_ciphers.toArray(new String[selected_ciphers.size()]);
 }
 
+private void processIncludeCipherSuites(String[] supportedCipherSuites, Set<String> selected_ciphers)
+{
+for (String cipherSuite : _includeCipherSuites)
+{
+Pattern p = Pattern.compile(cipherSuite);
+for (String supportedCipherSuite : supportedCipherSuites)
+{
+Matcher m = p.matcher(supportedCipherSuite);
+if (m.matches())
+selected_ciphers.add(supportedCipherSuite);
+}
+}
+}
+
+private void removeExcludedCipherSuites(Set<String> selected_ciphers)
+{
+for (String excludeCipherSuite : _excludeCipherSuites)
+{
+Pattern excludeCipherPattern = Pattern.compile(excludeCipherSuite);
+for (String selectedCipherSuite : selected_ciphers)
+{
+Matcher m = excludeCipherPattern.matcher(selectedCipherSuite);
+if (m.matches())
+selected_ciphers.remove(selectedCipherSuite);
+}
+}
+}
+
 /**
 * Check if the lifecycle has been started and throw runtime exception
 */
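Review bot: The replacement of `LinkedHashSet` by `CopyOnWriteArraySet` on the first changed line appears to exist only so that `removeExcludedCipherSuites` can call `remove` while iterating the same set; that is a non-obvious reliance on copy-on-write snapshot iteration, and it turns every `add` into an O(n) scan and every `remove` into a full array copy. Keeping `Set<String> selected_ciphers = new LinkedHashSet<>();` (insertion order, which the include path depends on, is preserved either way) and removing through the iterator in `removeExcludedCipherSuites` gives the same selection without coupling correctness to the collection type; this needs `import java.util.Iterator;`. The include and exclude expressions are also recompiled from the configured strings on every call, and a malformed entry surfaces as a `PatternSyntaxException` thrown from `selectCipherSuites`; if this method runs once per engine, as its signature suggests, compiling once in the setters and failing there would be cleaner, but the call sites are outside the hunk. An exclusion expression that matches nothing, such as a mistyped suite name, is still silently accepted, as it was with the previous `removeAll`.
```java
        Set<String> selected_ciphers = new LinkedHashSet<>();
        // … unchanged: include/enabled population, removeExcludedCipherSuites call, toArray …

    private void removeExcludedCipherSuites(Set<String> selected_ciphers)
    {
        for (String excludeCipherSuite : _excludeCipherSuites)
        {
            Pattern excludeCipherPattern = Pattern.compile(excludeCipherSuite);
            Iterator<String> it = selected_ciphers.iterator();
            while (it.hasNext())
            {
                // Iterator.remove is the only safe way to drop entries mid-iteration on a LinkedHashSet
                if (excludeCipherPattern.matcher(it.next()).matches())
                    it.remove();
            }
        }
    }
```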
diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
index 6122dfd024..980640c108 100644
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
@@ -18,15 +18,12 @@ package org.eclipse.jetty.util.ssl;
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.is;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.assertTrue;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyStore;
+import javax.net.ssl.SSLEngine;
+
 import org.eclipse.jetty.util.component.AbstractLifeCycle;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.StdErrLog;
@@ -35,6 +32,12 @@ import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+
 public class SslContextFactoryTest
 {
@@ -190,6 +193,30 @@ public class SslContextFactoryTest
 }
 
 @Test
+public void testSetExcludeCipherSuitesRegex() throws Exception
+{
+cf.setExcludeCipherSuites(".*RC4.*");
+cf.start();
+SSLEngine sslEngine = cf.newSSLEngine();
+String[] enabledCipherSuites = sslEngine.getEnabledCipherSuites();
+assertThat("At least 1 cipherSuite is enabled", enabledCipherSuites.length, greaterThan(0));
+for (String enabledCipherSuite : enabledCipherSuites)
+assertThat("CipherSuite does not contain RC4", enabledCipherSuite.contains("RC4"), is(false));
+}
+
+@Test
+public void testSetIncludeCipherSuitesRegex() throws Exception
+{
+cf.setIncludeCipherSuites(".*RC4.*");
+cf.start();
+SSLEngine sslEngine = cf.newSSLEngine();
+String[] enabledCipherSuites = sslEngine.getEnabledCipherSuites();
+assertThat("At least 1 cipherSuite is enabled", enabledCipherSuites.length, greaterThan(0));
+for (String enabledCipherSuite : enabledCipherSuites)
+assertThat("CipherSuite contains RC4", enabledCipherSuite.contains("RC4"), is(true));
+}
+
+@Test
 public void testSetIncludeCipherSuitesPreservesOrder()
 {
 String[] supportedCipherSuites = new String[]{"cipher4", "cipher2", "cipher1", "cipher3"};
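Review bot: Both new tests take their expectations from whatever cipher suites the running JVM reports through `cf.newSSLEngine()`, so `testSetIncludeCipherSuitesRegex` fails on any runtime that ships no RC4 suites (the `greaterThan(0)` assertion) and `testSetExcludeCipherSuitesRegex` passes vacuously there. The adjacent `testSetIncludeCipherSuitesPreservesOrder` already shows the environment-independent form: call `cf.selectCipherSuites(enabled, supported)` with a fixed `supported` array that mixes RC4-named and other entries and assert on the returned array. A further case with an anchored expression such as `"TLS_.*_RC4_.*"` (constructed) against fixed names would also pin down that entries are matched against the whole suite name rather than as a substring search, which the `contains("RC4")` assertions do not distinguish.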