diff options
author | Daniel Gultsch <daniel@gultsch.de> | 2015-03-08 11:28:39 +0100 |
---|---|---|
committer | Daniel Gultsch <daniel@gultsch.de> | 2015-03-08 11:28:39 +0100 |
commit | 1a5321e41f8ff18356d27a54078a6d742826473f (patch) | |
tree | 401abe92b5f6fc52accfc6b975474b6ee4a7e0b1 | |
parent | 87a048fe6f88739a381cecab973e1af12325ce16 (diff) | |
parent | 67f8ed44bd7241556a7cb1eb2aee2dda4cbbbf4e (diff) |
Merge pull request #1022 from Boris-de/cipher_blacklist
disable all really weak cipher suites
-rw-r--r-- | src/main/java/eu/siacs/conversations/Config.java | 9 | ||||
-rw-r--r-- | src/main/java/eu/siacs/conversations/utils/CryptoHelper.java | 16 |
2 files changed, 25 insertions, 0 deletions
diff --git a/src/main/java/eu/siacs/conversations/Config.java b/src/main/java/eu/siacs/conversations/Config.java index 2b9cee9f..f38bcbfc 100644 --- a/src/main/java/eu/siacs/conversations/Config.java +++ b/src/main/java/eu/siacs/conversations/Config.java @@ -64,6 +64,15 @@ public final class Config { "TLS_RSA_WITH_AES_256_CBC_SHA", }; + public static final String WEAK_CIPHER_PATTERNS[] = { + "_NULL_", + "_EXPORT_", + "_anon_", + "_RC4_", + "_DES_", + "_MD5", + }; + private Config() { } diff --git a/src/main/java/eu/siacs/conversations/utils/CryptoHelper.java b/src/main/java/eu/siacs/conversations/utils/CryptoHelper.java index 31fe2c11..eb7e2c3c 100644 --- a/src/main/java/eu/siacs/conversations/utils/CryptoHelper.java +++ b/src/main/java/eu/siacs/conversations/utils/CryptoHelper.java @@ -4,6 +4,7 @@ import java.security.SecureRandom; import java.text.Normalizer; import java.util.Arrays; import java.util.Collection; +import java.util.Iterator; import java.util.LinkedHashSet; import java.util.List; @@ -103,6 +104,21 @@ public final class CryptoHelper { final List<String> platformCiphers = Arrays.asList(platformSupportedCipherSuites); cipherSuites.retainAll(platformCiphers); cipherSuites.addAll(platformCiphers); + filterWeakCipherSuites(cipherSuites); return cipherSuites.toArray(new String[cipherSuites.size()]); } + + private static void filterWeakCipherSuites(final Collection<String> cipherSuites) { + final Iterator<String> it = cipherSuites.iterator(); + while (it.hasNext()) { + String cipherName = it.next(); + // remove all ciphers with no or very weak encryption or no authentication + for (String weakCipherPattern : Config.WEAK_CIPHER_PATTERNS) { + if (cipherName.contains(weakCipherPattern)) { + it.remove(); + break; + } + } + } + } } |