Update Default Cipher List
Motivation: Our default cipher list has not been updated in a while. We current support some older ciphers not commonly in use and we don't support some newer ciphers which are more commonly used. Modifications: - Update the default list of ciphers for JDK and OpenSSL. Result: Default cipher list is more likely to connect to peers. Fixes https://github.com/netty/netty/issues/5859
This commit is contained in:
parent
eb1dfb8f5e
commit
8ba5b5f740
@ -96,6 +96,8 @@ public class JdkSslContext extends SslContext {
|
||||
SUPPORTED_CIPHERS, ciphers,
|
||||
// XXX: Make sure to sync this list with OpenSslEngineFactory.
|
||||
// GCM (Galois/Counter Mode) requires JDK 8.
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
||||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
|
||||
// AES256 requires JCE unlimited strength jurisdiction policy files.
|
||||
@ -104,8 +106,7 @@ public class JdkSslContext extends SslContext {
|
||||
"TLS_RSA_WITH_AES_128_GCM_SHA256",
|
||||
"TLS_RSA_WITH_AES_128_CBC_SHA",
|
||||
// AES256 requires JCE unlimited strength jurisdiction policy files.
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA",
|
||||
"SSL_RSA_WITH_3DES_EDE_CBC_SHA");
|
||||
"TLS_RSA_WITH_AES_256_CBC_SHA");
|
||||
|
||||
if (ciphers.isEmpty()) {
|
||||
// Use the default from JDK as fallback.
|
||||
|
@ -160,13 +160,14 @@ public abstract class ReferenceCountedOpenSslContext extends SslContext implemen
|
||||
// XXX: Make sure to sync this list with JdkSslEngineFactory.
|
||||
Collections.addAll(
|
||||
ciphers,
|
||||
"ECDHE-ECDSA-AES256-GCM-SHA384",
|
||||
"ECDHE-ECDSA-AES128-GCM-SHA256",
|
||||
"ECDHE-RSA-AES128-GCM-SHA256",
|
||||
"ECDHE-RSA-AES128-SHA",
|
||||
"ECDHE-RSA-AES256-SHA",
|
||||
"AES128-GCM-SHA256",
|
||||
"AES128-SHA",
|
||||
"AES256-SHA",
|
||||
"DES-CBC3-SHA");
|
||||
"AES256-SHA");
|
||||
DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
|
||||
|
||||
if (logger.isDebugEnabled()) {
|
||||
|
Loading…
Reference in New Issue
Block a user