Remove or de-prioritize RC4 from default cipher suites

Motivation: RC4 is not a recommended cipher suite anymore, as the recent research reveals, such as: - http://www.isg.rhul.ac.uk/tls/ Modifications: - Remove most RC4 cipher suites from the default cipher suites - For backward compatibility, leave RC4-SHA, while de-prioritizing it Result: Potentially safer default
2014-11-25 17:13:05 +09:00 · 2014-11-25 17:13:05 +09:00 · 3fe5ba1dd4
commit 3fe5ba1dd4
parent 37e1788a7c
2 changed files with 4 additions and 8 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
@ -115,18 +115,16 @@ public abstract class JdkSslContext extends SslContext {
                // XXX: Make sure to sync this list with OpenSslEngineFactory.
                // GCM (Galois/Counter Mode) requires JDK 8.
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-                "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                // AES256 requires JCE unlimited strength jurisdiction policy files.
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                // GCM (Galois/Counter Mode) requires JDK 8.
                "TLS_RSA_WITH_AES_128_GCM_SHA256",
-                "SSL_RSA_WITH_RC4_128_SHA",
-                "SSL_RSA_WITH_RC4_128_MD5",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                // AES256 requires JCE unlimited strength jurisdiction policy files.
                "TLS_RSA_WITH_AES_256_CBC_SHA",
-                "SSL_RSA_WITH_DES_CBC_SHA");
+                "SSL_RSA_WITH_DES_CBC_SHA",
+                "SSL_RSA_WITH_RC4_128_SHA");

        if (!ciphers.isEmpty()) {
            DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
@ -45,15 +45,13 @@ public final class OpenSslServerContext extends SslContext {
        Collections.addAll(
                ciphers,
                "ECDHE-RSA-AES128-GCM-SHA256",
-                "ECDHE-RSA-RC4-SHA",
                "ECDHE-RSA-AES128-SHA",
                "ECDHE-RSA-AES256-SHA",
                "AES128-GCM-SHA256",
-                "RC4-SHA",
-                "RC4-MD5",
                "AES128-SHA",
                "AES256-SHA",
-                "DES-CBC3-SHA");
+                "DES-CBC3-SHA",
+                "RC4-SHA");
        DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);

        if (logger.isDebugEnabled()) {