disable all really weak cipher suites

With #959 all ciphers of the platform were enabled, but this also includes several suites that are considered as very weak, even down to NULL- and anon-ciphers which disable completely disable encryption and/or authentication. Especially the anon-ciphers could be easily used for a mitm-attack. To remove all weak ciphers a blacklist with patterns of cipher-names was added to Config.java. The blacklist is based on the "mandatory discards" that Mozilla suggests to not use for TLS-servers because they are weak or known to be broken. https://wiki.mozilla.org/Security/Server_Side_TLS#Mandatory_discards
author: Boris Wachtmeister <boris-code@gmx.com> 2015-03-07 15:36:31 +0100
committer: Boris Wachtmeister <boris-code@gmx.com> 2015-03-07 15:48:29 +0100
commit: 67f8ed44bd7241556a7cb1eb2aee2dda4cbbbf4e (patch)
tree: 6cf5c5c72c7fb8ae4c892572f6bd9f8c4f141062 /src/main/java/eu/siacs/conversations/Config.java
parent: cbca92d2099a9b3096b7ed6fbe0e5e8758f746fc (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/src/main/java/eu/siacs/conversations/Config.java b/src/main/java/eu/siacs/conversations/Config.java
index 2b9cee9f..f38bcbfc 100644
--- a/src/main/java/eu/siacs/conversations/Config.java
+++ b/src/main/java/eu/siacs/conversations/Config.java
@@ -64,6 +64,15 @@ public final class Config {
 		"TLS_RSA_WITH_AES_256_CBC_SHA",
 	};
 
+	public static final String WEAK_CIPHER_PATTERNS[] = {
+		"_NULL_",
+		"_EXPORT_",
+		"_anon_",
+		"_RC4_",
+		"_DES_",
+		"_MD5",
+	};
+
 	private Config() {
 
 	}
author	Boris Wachtmeister <boris-code@gmx.com>	2015-03-07 15:36:31 +0100
committer	Boris Wachtmeister <boris-code@gmx.com>	2015-03-07 15:48:29 +0100
commit	67f8ed44bd7241556a7cb1eb2aee2dda4cbbbf4e (patch)
tree	6cf5c5c72c7fb8ae4c892572f6bd9f8c4f141062 /src/main/java/eu/siacs/conversations/Config.java
parent	cbca92d2099a9b3096b7ed6fbe0e5e8758f746fc (diff)