From c3ab557f852fab44eb25c1e180f5183a2c938091 Mon Sep 17 00:00:00 2001
From: Norman Maurer <norman_maurer@apple.com>
Date: Thu, 16 Jul 2015 21:29:04 +0200
Subject: [PATCH] [#3987] Remove RC4 from default ciphers.

Motivation:

Remove RC4 from default ciphers as it is not known as secure anymore.

Modifications:

Remove RC4

Result:

Not use an insecure cipher as default.
---
 .../java/io/netty/handler/ssl/JdkSslContext.java  | 15 +++++++++------
 .../java/io/netty/handler/ssl/OpenSslContext.java |  3 +--
 .../transport/socket/SocketSslEchoTest.java       |  2 +-
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
index 54ee2befbf..9a39d23b74 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
@@ -107,15 +107,18 @@ public abstract class JdkSslContext extends SslContext {
                 "TLS_RSA_WITH_AES_128_CBC_SHA",
                 // AES256 requires JCE unlimited strength jurisdiction policy files.
                 "TLS_RSA_WITH_AES_256_CBC_SHA",
-                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
-                "SSL_RSA_WITH_RC4_128_SHA");
+                "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
 
-        if (!ciphers.isEmpty()) {
-            DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
-        } else {
+        if (ciphers.isEmpty()) {
             // Use the default from JDK as fallback.
-            DEFAULT_CIPHERS = Collections.unmodifiableList(Arrays.asList(engine.getEnabledCipherSuites()));
+            for (String cipher : engine.getEnabledCipherSuites()) {
+                if (cipher.contains("_RC4_")) {
+                    continue;
+                }
+                ciphers.add(cipher);
+            }
         }
+        DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
 
         if (logger.isDebugEnabled()) {
             logger.debug("Default protocols (JDK): {} ", Arrays.asList(PROTOCOLS));
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
index e3136c83e6..a820b94ef3 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java
@@ -107,8 +107,7 @@ public abstract class OpenSslContext extends SslContext {
                 "AES128-GCM-SHA256",
                 "AES128-SHA",
                 "AES256-SHA",
-                "DES-CBC3-SHA",
-                "RC4-SHA");
+                "DES-CBC3-SHA");
         DEFAULT_CIPHERS = Collections.unmodifiableList(ciphers);
 
         if (logger.isDebugEnabled()) {
diff --git a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketSslEchoTest.java b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketSslEchoTest.java
index 4bd8f3c0fc..2fc57cfb1c 100644
--- a/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketSslEchoTest.java
+++ b/testsuite/src/main/java/io/netty/testsuite/transport/socket/SocketSslEchoTest.java
@@ -152,7 +152,7 @@ public class SocketSslEchoTest extends AbstractSocketTest {
                     if (rt == RenegotiationType.NONE) {
                         r = Renegotiation.NONE;
                     } else {
-                        r = new Renegotiation(rt, "SSL_RSA_WITH_RC4_128_SHA");
+                        r = new Renegotiation(rt, "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
                     }
 
                     for (int i = 0; i < 32; i++) {