From 3fe5ba1dd4aaec1cac9609d25316a21986145017 Mon Sep 17 00:00:00 2001
From: Trustin Lee
Date: Tue, 25 Nov 2014 17:13:05 +0900
Subject: [PATCH] Remove or de-prioritize RC4 from default cipher suites Motivation: RC4 is not a recommended cipher suite anymore, as the recent research reveals, such as: - http://www.isg.rhul.ac.uk/tls/ Modifications: - Remove most RC4 cipher suites from the default cipher suites - For backward compatibility, leave RC4-SHA, while de-prioritizing it Result: Potentially safer default
---
 .../src/main/java/io/netty/handler/ssl/JdkSslContext.java | 6 ++----
 .../java/io/netty/handler/ssl/OpenSslServerContext.java | 6 ++----
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
index 9af91b3b57..ec728087d0 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
@@ -115,18 +115,16 @@ public abstract class JdkSslContext extends SslContext {
 // XXX: Make sure to sync this list with OpenSslEngineFactory.
 // GCM (Galois/Counter Mode) requires JDK 8.
 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 // AES256 requires JCE unlimited strength jurisdiction policy files.
 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
 // GCM (Galois/Counter Mode) requires JDK 8.
 "TLS_RSA_WITH_AES_128_GCM_SHA256",
- "SSL_RSA_WITH_RC4_128_SHA",
- "SSL_RSA_WITH_RC4_128_MD5",
 "TLS_RSA_WITH_AES_128_CBC_SHA",
 // AES256 requires JCE unlimited strength jurisdiction policy files.
 "TLS_RSA_WITH_AES_256_CBC_SHA",
- "SSL_RSA_WITH_DES_CBC_SHA");
+ "SSL_RSA_WITH_DES_CBC_SHA",
+ "SSL_RSA_WITH_RC4_128_SHA");
 if (!ciphers.isEmpty()) {
 DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
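Review bot: The retained `"SSL_RSA_WITH_DES_CBC_SHA"` entry names single DES (56-bit key), which is not the counterpart of `DES-CBC3-SHA` (3DES) in the OpenSslServerContext list that the `XXX: Make sure to sync this list` comment asks to mirror. After this change it also ranks ahead of `"SSL_RSA_WITH_RC4_128_SHA"` in the JDK defaults. If 3DES was intended, the line would read `"SSL_RSA_WITH_3DES_EDE_CBC_SHA",`; if single DES is deliberate, it needs a comment explaining why it stays in a list being tightened. The enclosing call and static initializer begin and end outside the hunk, so how unsupported names are filtered should be confirmed there.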
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
index af74a25248..7631fc8bb6 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
@@ -45,15 +45,13 @@ public final class OpenSslServerContext extends SslContext {
 Collections.addAll(
 ciphers,
 "ECDHE-RSA-AES128-GCM-SHA256",
- "ECDHE-RSA-RC4-SHA",
 "ECDHE-RSA-AES128-SHA",
 "ECDHE-RSA-AES256-SHA",
 "AES128-GCM-SHA256",
- "RC4-SHA",
- "RC4-MD5",
 "AES128-SHA",
 "AES256-SHA",
- "DES-CBC3-SHA");
+ "DES-CBC3-SHA",
+ "RC4-SHA");
 DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
 if (logger.isDebugEnabled()) {
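Review bot: Moving `"RC4-SHA"` to the end of the list only de-prioritizes it if the server enforces its own cipher order during the handshake; otherwise a peer that lists RC4 first can still negotiate it. Nothing in this hunk shows that server preference is enabled (for OpenSSL the `SSL_OP_CIPHER_SERVER_PREFERENCE` option; for the matching JdkSslContext list, `SSLParameters.setUseCipherSuitesOrder(true)` on Java 8+), so that should be confirmed where the context is configured. A short comment above the entry would keep the rationale next to the code, e.g. `// RC4 is kept last for backward compatibility only; see http://www.isg.rhul.ac.uk/tls/`. The static initializer continues outside the hunk.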