From d6c3b3063fc367791dbddb76220110d864e5c5f8 Mon Sep 17 00:00:00 2001
From: Graham Edgecombe
Date: Wed, 26 Nov 2014 19:05:17 +0000
Subject: [PATCH] Use Triple DES in JdkSslContext cipher suite list.

Motivation:
JdkSslContext used SSL_RSA_WITH_DES_CBC_SHA in its cipher suite list. OpenSslServerContext used DES-CBC3-SHA in the same place in its cipher suite list, which is equivalent to SSL_RSA_WITH_3DES_EDE_CBC_SHA. This means the lists were out of sync. Furthermore, using SSL_RSA_WITH_DES_CBC_SHA is not desirable as it uses DES, a weak cipher. Triple DES should be used instead.

Modifications:
Replace SSL_RSA_WITH_DES_CBC_SHA with SSL_RSA_WITH_3DES_EDE_CBC_SHA in JdkSslContext.

Result:
The JdkSslContext and OpenSslServerContext cipher suite lists are now in sync. Triple DES is used instead of DES, which is stronger.
---
 handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
index ec728087d0..036052bc98 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
@@ -123,7 +123,7 @@ public abstract class JdkSslContext extends SslContext {
 "TLS_RSA_WITH_AES_128_CBC_SHA",
 // AES256 requires JCE unlimited strength jurisdiction policy files.
 "TLS_RSA_WITH_AES_256_CBC_SHA",
- "SSL_RSA_WITH_DES_CBC_SHA",
+ "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
 "SSL_RSA_WITH_RC4_128_SHA");

 if (!ciphers.isEmpty()) {
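Review bot: The default list still ends with `"SSL_RSA_WITH_RC4_128_SHA"` on the context line directly after the replaced entry, so the defaults keep offering a known-weak stream cipher even though the commit's stated motivation is removing a weak cipher; consider dropping it or tracking that as a follow-up, with the matching change in the OpenSSL list if the two are meant to stay in sync. The new `"SSL_RSA_WITH_3DES_EDE_CBC_SHA"` entry is stronger than single DES but is still a 64-bit block cipher, so it is best documented as a compatibility fallback, for example with `// 3DES: legacy fallback only (64-bit block); keep below all AES suites.` above it. The cipher list and the block that consumes it start and end outside this hunk, so the overall preference order and whether these suites are actually enabled on a given JDK cannot be confirmed from here.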