Remove or de-prioritize RC4 from default cipher suites

Motivation: RC4 is not a recommended cipher suite anymore, as the recent research reveals, such as: - http://www.isg.rhul.ac.uk/tls/ Modifications: - Remove most RC4 cipher suites from the default cipher suites - For backward compatibility, leave RC4-SHA, while de-prioritizing it Result: Potentially safer default
2014-11-25 17:24:30 +09:00 · 2014-11-25 17:24:30 +09:00 · 7d9125ed8f
commit 7d9125ed8f
parent 4772989ddd
2 changed files with 11 additions and 11 deletions
--- a/src/main/java/org/jboss/netty/handler/ssl/JdkSslContext.java
+++ b/src/main/java/org/jboss/netty/handler/ssl/JdkSslContext.java
@ -68,16 +68,18 @@ public abstract class JdkSslContext extends SslContext {
        addIfSupported(
                supportedCiphers, ciphers,
                // XXX: Make sure to sync this list with OpenSslEngineFactory.
-                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // since JDK 8
-                "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+                // GCM (Galois/Counter Mode) requires JDK 8.
+                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+                // AES256 requires JCE unlimited strength jurisdiction policy files.
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-                "TLS_RSA_WITH_AES_128_GCM_SHA256", // since JDK 8
-                "SSL_RSA_WITH_RC4_128_SHA",
-                "SSL_RSA_WITH_RC4_128_MD5",
+                // GCM (Galois/Counter Mode) requires JDK 8.
+                "TLS_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
+                // AES256 requires JCE unlimited strength jurisdiction policy files.
                "TLS_RSA_WITH_AES_256_CBC_SHA",
-                "SSL_RSA_WITH_DES_CBC_SHA");
+                "SSL_RSA_WITH_DES_CBC_SHA",
+                "SSL_RSA_WITH_RC4_128_SHA");

        if (!ciphers.isEmpty()) {
            DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
@ -87,7 +89,7 @@ public abstract class JdkSslContext extends SslContext {
        }

        if (logger.isDebugEnabled()) {
-            logger.debug("Default protocols (JDK): " + PROTOCOLS);
+            logger.debug("Default protocols (JDK): " + Arrays.asList(PROTOCOLS));
            logger.debug("Default cipher suites (JDK): " + DEFAULT_CIPHERS);
        }
    }
--- a/src/main/java/org/jboss/netty/handler/ssl/OpenSslServerContext.java
+++ b/src/main/java/org/jboss/netty/handler/ssl/OpenSslServerContext.java
@ -42,15 +42,13 @@ public final class OpenSslServerContext extends SslContext {
        Collections.addAll(
                ciphers,
                "ECDHE-RSA-AES128-GCM-SHA256",
-                "ECDHE-RSA-RC4-SHA",
                "ECDHE-RSA-AES128-SHA",
                "ECDHE-RSA-AES256-SHA",
                "AES128-GCM-SHA256",
-                "RC4-SHA",
-                "RC4-MD5",
                "AES128-SHA",
                "AES256-SHA",
-                "DES-CBC3-SHA");
+                "DES-CBC3-SHA",
+                "RC4-SHA");
        DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);

        if (logger.isDebugEnabled()) {