JBossWeb SVN: r2414 - in branches/7.4.x/src/main/java/org: apache/tomcat/websocket/pojo and 2 other directories.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-05-23 07:29:12 -0400 (Fri, 23 May 2014)
New Revision: 2414
Added:
branches/7.4.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelGroupUtil.java
Modified:
branches/7.4.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelWrapperSecure.java
branches/7.4.x/src/main/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
branches/7.4.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java
branches/7.4.x/src/main/java/org/apache/tomcat/websocket/server/WsContextListener.java
branches/7.4.x/src/main/java/org/apache/tomcat/websocket/server/WsServerContainer.java
branches/7.4.x/src/main/java/org/jboss/web/WebsocketsLogger.java
branches/7.4.x/src/main/java/org/jboss/web/WebsocketsMessages.java
Log:
Sync with Tomcat's websockets update: improve executor handling.
Added: branches/7.4.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelGroupUtil.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelGroupUtil.java (rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelGroupUtil.java 2014-05-23 11:29:12 UTC (rev 2414)
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.websocket;
+
+import static org.jboss.web.WebsocketsMessages.MESSAGES;
+
+import java.io.IOException;
+import java.nio.channels.AsynchronousChannelGroup;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.SynchronousQueue;
+import java.util.concurrent.ThreadFactory;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicInteger;
+
+import org.apache.tomcat.util.threads.ThreadPoolExecutor;
+
+/**
+ * This is a utility class that enables multiple {@link WsWebSocketContainer}
+ * instances to share a single {@link AsynchronousChannelGroup} while ensuring
+ * that the group is destroyed when no longer required.
+ */
+public class AsyncChannelGroupUtil {
+
+ private static AsynchronousChannelGroup group = null;
+ private static int usageCount = 0;
+ private static final Object lock = new Object();
+
+
+ private AsyncChannelGroupUtil() {
+ // Hide the default constructor
+ }
+
+
+ public static AsynchronousChannelGroup register() {
+ synchronized (lock) {
+ if (usageCount == 0) {
+ group = createAsynchronousChannelGroup();
+ }
+ usageCount++;
+ return group;
+ }
+ }
+
+
+ public static void unregister() {
+ synchronized (lock) {
+ usageCount--;
+ if (usageCount == 0) {
+ group.shutdown();
+ group = null;
+ }
+ }
+ }
+
+
+ private static AsynchronousChannelGroup createAsynchronousChannelGroup() {
+ // Need to do this with the right thread context class loader else the
+ // first web app to call this will trigger a leak
+ ClassLoader original = Thread.currentThread().getContextClassLoader();
+
+ try {
+ Thread.currentThread().setContextClassLoader(
+ AsyncIOThreadFactory.class.getClassLoader());
+
+ // These are the same settings as the default
+ // AsynchronousChannelGroup
+ int initialSize = Runtime.getRuntime().availableProcessors();
+ ExecutorService executorService = new ThreadPoolExecutor(
+ 0,
+ Integer.MAX_VALUE,
+ Long.MAX_VALUE, TimeUnit.MILLISECONDS,
+ new SynchronousQueue<Runnable>(),
+ new AsyncIOThreadFactory());
+
+ try {
+ return AsynchronousChannelGroup.withCachedThreadPool(
+ executorService, initialSize);
+ } catch (IOException e) {
+ // No good reason for this to happen.
+ throw MESSAGES.asyncGroupFail();
+ }
+ } finally {
+ Thread.currentThread().setContextClassLoader(original);
+ }
+ }
+
+
+ private static class AsyncIOThreadFactory implements ThreadFactory {
+
+ private AtomicInteger count = new AtomicInteger(0);
+
+ @Override
+ public Thread newThread(Runnable r) {
+ Thread t = new Thread(r);
+ t.setName("WebSocketClient-AsyncIO-" + count.incrementAndGet());
+ t.setContextClassLoader(this.getClass().getClassLoader());
+ t.setDaemon(true);
+ return t;
+ }
+ }
+}
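Review bot: `unregister()` decrements `usageCount` without checking that a matching `register()` ever happened, so one unbalanced call leaves the counter at -1, and the next `register()` then skips `createAsynchronousChannelGroup()` and returns a null `group`. A guard at the top of the synchronized block, `if (usageCount == 0) { return; }`, or an IllegalStateException there, keeps the reference count from going negative. `register()` and `unregister()` are the whole public contract of this class and have no Javadoc; one sentence on each, saying that every `register()` must be paired with exactly one `unregister()`, would document that. The nested `AsyncIOThreadFactory` also lost the Javadoc that the copy removed from WsWebSocketContainer carried, which explained why the context class loader is set.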
Modified: branches/7.4.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelWrapperSecure.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelWrapperSecure.java 2014-05-22 09:02:55 UTC (rev 2413)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/websocket/AsyncChannelWrapperSecure.java 2014-05-23 11:29:12 UTC (rev 2414)
@@ -28,9 +28,11 @@
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
+import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
@@ -52,7 +54,8 @@
private final ByteBuffer socketReadBuffer;
private final ByteBuffer socketWriteBuffer;
// One thread for read, one for write
- private final ExecutorService executor = Executors.newFixedThreadPool(2);
+ private final ExecutorService executor =
+ Executors.newFixedThreadPool(2, new SecureIOThreadFactory());
private AtomicBoolean writing = new AtomicBoolean(false);
private AtomicBoolean reading = new AtomicBoolean(false);
@@ -139,6 +142,7 @@
} catch (IOException e) {
WebsocketsLogger.ROOT_LOGGER.errorClose();
}
+ executor.shutdownNow();
}
@Override
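Review bot: `executor.shutdownNow()` is placed after the try/catch rather than in a `finally`, so an unchecked exception on the close path skips it and this wrapper's two SecureIO threads stay parked in the pool. Moving the call into `finally { executor.shutdownNow(); }` releases them on every path. The try block begins outside the hunk, so what it can throw is not visible here.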
@@ -538,4 +542,19 @@
return new Integer(result.intValue());
}
}
+
+
+ private static class SecureIOThreadFactory implements ThreadFactory {
+
+ private AtomicInteger count = new AtomicInteger(0);
+
+ @Override
+ public Thread newThread(Runnable r) {
+ Thread t = new Thread(r);
+ t.setName("WebSocketClient-SecureIO-" + count.incrementAndGet());
+ t.setContextClassLoader(this.getClass().getClassLoader());
+ t.setDaemon(true);
+ return t;
+ }
+ }
}
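Review bot: `count` is an instance field, and the field initializer changed earlier in this file creates a new `SecureIOThreadFactory` per `AsyncChannelWrapperSecure`, so every connection's threads end up named `WebSocketClient-SecureIO-1` and `WebSocketClient-SecureIO-2`. Declaring it `private static final AtomicInteger count = new AtomicInteger(0);` gives each thread a unique name, which is what makes a thread dump usable when looking for leaked connections. A one-line comment saying that the context class loader is set to the factory's own loader so that the threads do not pin a web application's class loader would also help, since that is the reason the factory exists.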
Modified: branches/7.4.x/src/main/java/org/apache/tomcat/websocket/WsWebSocketContainer.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/websocket/WsWebSocketContainer.java 2014-05-22 09:02:55 UTC (rev 2413)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/websocket/WsWebSocketContainer.java 2014-05-23 11:29:12 UTC (rev 2414)
@@ -44,13 +44,9 @@
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
-import java.util.concurrent.SynchronousQueue;
-import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
-import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
@@ -68,7 +64,6 @@
import javax.websocket.WebSocketContainer;
import org.apache.tomcat.util.codec.binary.Base64;
-import org.apache.tomcat.util.threads.ThreadPoolExecutor;
import org.apache.tomcat.websocket.pojo.PojoEndpointClient;
import org.jboss.web.WebsocketsLogger;
@@ -107,43 +102,10 @@
private static final Random random = new Random();
private static final byte[] crlf = new byte[] {13, 10};
- private static final AsynchronousChannelGroup asynchronousChannelGroup;
- static {
- AsynchronousChannelGroup result = null;
+ private volatile AsynchronousChannelGroup asynchronousChannelGroup = null;
+ private final Object asynchronousChannelGroupLock = new Object();
- // Need to do this with the right thread context class loader else the
- // first web app to call this will trigger a leak
- ClassLoader original = Thread.currentThread().getContextClassLoader();
-
- try {
- Thread.currentThread().setContextClassLoader(
- AsyncIOThreadFactory.class.getClassLoader());
-
- // These are the same settings as the default
- // AsynchronousChannelGroup
- int initialSize = Runtime.getRuntime().availableProcessors();
- ExecutorService executorService = new ThreadPoolExecutor(
- 0,
- Integer.MAX_VALUE,
- Long.MAX_VALUE, TimeUnit.MILLISECONDS,
- new SynchronousQueue<Runnable>(),
- new AsyncIOThreadFactory());
-
- try {
- result = AsynchronousChannelGroup.withCachedThreadPool(
- executorService, initialSize);
- } catch (IOException e) {
- // No good reason for this to happen.
- throw MESSAGES.asyncGroupFail();
- }
- } finally {
- Thread.currentThread().setContextClassLoader(original);
- }
-
- asynchronousChannelGroup = result;
- }
-
private final Map<Class<?>, Set<WsSession>> endpointSessionMap =
new HashMap<Class<?>, Set<WsSession>>();
private final Map<WsSession,WsSession> sessions = new ConcurrentHashMap<WsSession, WsSession>();
@@ -186,8 +148,12 @@
}
}
- ClientEndpointConfig config = ClientEndpointConfig.Builder.create().
- configurator(configurator).
+ ClientEndpointConfig.Builder builder = ClientEndpointConfig.Builder.create();
+ // Avoid NPE when using RI API JAR - see BZ 56343
+ if (configurator != null) {
+ builder.configurator(configurator);
+ }
+ ClientEndpointConfig config = builder.
decoders(Arrays.asList(annotation.decoders())).
encoders(Arrays.asList(annotation.encoders())).
build();
@@ -274,8 +240,7 @@
AsynchronousSocketChannel socketChannel;
try {
- socketChannel =
- AsynchronousSocketChannel.open(asynchronousChannelGroup);
+ socketChannel = AsynchronousSocketChannel.open(getAsynchronousChannelGroup());
} catch (IOException ioe) {
throw new DeploymentException(MESSAGES.connectionFailed(), ioe);
}
@@ -355,7 +320,7 @@
WsSession wsSession = new WsSession(endpoint, wsRemoteEndpointClient,
this, null, null, null, null, null, subProtocol,
- Collections.<String, String> emptyMap(), false,
+ Collections.<String, String> emptyMap(), secure,
clientEndpointConfiguration);
endpoint.onOpen(wsSession, clientEndpointConfiguration);
registerSession(endpoint, wsSession);
@@ -797,9 +762,36 @@
WebsocketsLogger.ROOT_LOGGER.sessionCloseFailed(session.getId(), ioe);
}
}
+
+ // Only unregister with AsyncChannelGroupUtil if this instance
+ // registered with it
+ if (asynchronousChannelGroup != null) {
+ synchronized (asynchronousChannelGroupLock) {
+ if (asynchronousChannelGroup != null) {
+ AsyncChannelGroupUtil.unregister();
+ asynchronousChannelGroup = null;
+ }
+ }
+ }
}
+ private AsynchronousChannelGroup getAsynchronousChannelGroup() {
+ // Use AsyncChannelGroupUtil to share a common group amongst all
+ // WebSocket clients
+ AsynchronousChannelGroup result = asynchronousChannelGroup;
+ if (result == null) {
+ synchronized (asynchronousChannelGroupLock) {
+ if (asynchronousChannelGroup == null) {
+ asynchronousChannelGroup = AsyncChannelGroupUtil.register();
+ }
+ result = asynchronousChannelGroup;
+ }
+ }
+ return result;
+ }
+
+
// ----------------------------------------------- BackgroundProcess methods
@Override
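Review bot: `getAsynchronousChannelGroup()` registers again whenever the field is null, including after `destroy()` has unregistered and cleared it, so a connection attempt on a destroyed container takes a new reference on the shared group that nothing releases. Whether callers can still reach the connect path after `destroy()` is not visible in this hunk; if they can, the shared group and its threads outlive every container. A `destroyed` flag set inside the `asynchronousChannelGroupLock` block and checked before `AsyncChannelGroupUtil.register()` would close that path. `destroy()` begins outside the hunk.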
@@ -836,21 +828,4 @@
}
- /**
- * Create threads for AsyncIO that have the right context class loader to
- * prevent memory leaks.
- */
- private static class AsyncIOThreadFactory implements ThreadFactory {
-
- private AtomicInteger count = new AtomicInteger(0);
-
- @Override
- public Thread newThread(Runnable r) {
- Thread t = new Thread(r);
- t.setName("WebSocketClient-AsyncIO-" + count.incrementAndGet());
- t.setContextClassLoader(this.getClass().getClassLoader());
- t.setDaemon(true);
- return t;
- }
- }
}
Modified: branches/7.4.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java 2014-05-22 09:02:55 UTC (rev 2413)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/websocket/pojo/PojoEndpointBase.java 2014-05-23 11:29:12 UTC (rev 2414)
@@ -47,6 +47,14 @@
Object pojo = getPojo();
Map<String,String> pathParameters = getPathParameters();
+ // Add message handlers before calling onOpen since that may trigger a
+ // message which in turn could trigger a response and/or close the
+ // session
+ for (MessageHandler mh : methodMapping.getMessageHandlers(pojo,
+ pathParameters, session, config)) {
+ session.addMessageHandler(mh);
+ }
+
if (methodMapping.getOnOpen() != null) {
try {
methodMapping.getOnOpen().invoke(pojo,
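Review bot: Registering the handlers before `onOpen` means they stay attached to the session when the `onOpen` invocation fails and the method returns early, which the previous order avoided. The failure handling lies outside this hunk, so it is not visible whether it closes the session; if it does not, incoming messages would still be dispatched to a POJO whose open callback threw. It is worth confirming that the error path closes the session, or removing the handlers there before the `return;`.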
@@ -67,11 +75,6 @@
return;
}
}
-
- for (MessageHandler mh : methodMapping.getMessageHandlers(pojo,
- pathParameters, session, config)) {
- session.addMessageHandler(mh);
- }
}
Modified: branches/7.4.x/src/main/java/org/apache/tomcat/websocket/server/WsContextListener.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/websocket/server/WsContextListener.java 2014-05-22 09:02:55 UTC (rev 2413)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/websocket/server/WsContextListener.java 2014-05-23 11:29:12 UTC (rev 2414)
@@ -45,7 +45,6 @@
ServletContext sc = sce.getServletContext();
Object obj = sc.getAttribute(Constants.SERVER_CONTAINER_SERVLET_CONTEXT_ATTRIBUTE);
if (obj instanceof WsServerContainer) {
- ((WsServerContainer) obj).shutdownExecutor();
((WsServerContainer) obj).destroy();
}
}
Modified: branches/7.4.x/src/main/java/org/apache/tomcat/websocket/server/WsServerContainer.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/websocket/server/WsServerContainer.java 2014-05-22 09:02:55 UTC (rev 2413)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/websocket/server/WsServerContainer.java 2014-05-23 11:29:12 UTC (rev 2414)
@@ -55,6 +55,7 @@
import org.apache.tomcat.websocket.WsWebSocketContainer;
import org.apache.tomcat.websocket.pojo.PojoEndpointServer;
import org.apache.tomcat.websocket.pojo.PojoMethodMapping;
+import org.jboss.web.WebsocketsLogger;
/**
* Provides a per class loader (i.e. per web application) instance of a
@@ -85,6 +86,7 @@
private final ConcurrentHashMap<String,Set<WsSession>> authenticatedSessions =
new ConcurrentHashMap<String, Set<WsSession>>();
private final ExecutorService executorService;
+ private final ThreadGroup threadGroup;
private volatile boolean endpointsRegistered = false;
WsServerContainer(ServletContext servletContext) {
@@ -110,7 +112,7 @@
}
// Executor config
int executorCoreSize = 0;
- int executorMaxSize = 10;
+ int executorMaxSize = 200;
long executorKeepAliveTimeSeconds = 60;
value = servletContext.getInitParameter(
Constants.EXECUTOR_CORE_SIZE_INIT_PARAM);
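Review bot: The default `executorMaxSize` rises from 10 to 200 without a comment giving the reason, and the class Javadoc says there is one container per web application, so the ceiling applies to each deployed application separately. A comment on the line, for example `// Upper bound on WebSocket callback threads for this web application`, would tell operators which value to lower on hosts that run many applications. The core size is read from an init parameter just below; presumably the maximum is overridable the same way, but that code is outside the hunk.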
@@ -146,7 +148,7 @@
} else {
threadGroupName.append(servletContext.getContextPath());
}
- ThreadGroup threadGroup = new ThreadGroup(threadGroupName.toString());
+ threadGroup = new ThreadGroup(threadGroupName.toString());
WsThreadFactory wsThreadFactory = new WsThreadFactory(threadGroup);
executorService = new ThreadPoolExecutor(executorCoreSize,
@@ -259,6 +261,20 @@
}
+ @Override
+ public void destroy() {
+ shutdownExecutor();
+ super.destroy();
+ try {
+ threadGroup.destroy();
+ } catch (IllegalThreadStateException itse) {
+ // If the executor hasn't fully shutdown it won't be possible to
+ // destroy this thread group as there will still be threads running
+ WebsocketsLogger.ROOT_LOGGER.threadGroupNotDestryed(threadGroup.getName());
+ }
+ }
+
+
boolean areEndpointsRegistered() {
return endpointsRegistered;
}
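Review bot: The order of the first two calls in `destroy()` is not explained: the executor is shut down before `super.destroy()` runs, and the inherited method appears to be where sessions are closed. If closing a session hands work to this executor, that work would be rejected after the shutdown; both method bodies are outside the hunk, so this needs confirming rather than being an established defect. A comment above `shutdownExecutor();` stating why the executor has to stop first would settle the question for the next reader.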
@@ -428,7 +444,7 @@
}
- void shutdownExecutor() {
+ private void shutdownExecutor() {
if (executorService == null) {
return;
}
Modified: branches/7.4.x/src/main/java/org/jboss/web/WebsocketsLogger.java
===================================================================
--- branches/7.4.x/src/main/java/org/jboss/web/WebsocketsLogger.java 2014-05-22 09:02:55 UTC (rev 2413)
+++ branches/7.4.x/src/main/java/org/jboss/web/WebsocketsLogger.java 2014-05-23 11:29:12 UTC (rev 2414)
@@ -98,4 +98,8 @@
@Message(id = 8813, value = "WebSocket support is not available when running on Java 6")
void noWebsocketsSupport();
+ @LogMessage(level = WARN)
+ @Message(id = 8814, value = "Thread group %s not destroyed")
+ void threadGroupNotDestryed(String name);
+
}
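Review bot: The new logger method is spelled `threadGroupNotDestryed`. The name becomes part of the logger interface, so renaming it to `threadGroupNotDestroyed` now, together with its call in `WsServerContainer.destroy()`, costs less than doing it after other callers appear.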
Modified: branches/7.4.x/src/main/java/org/jboss/web/WebsocketsMessages.java
===================================================================
--- branches/7.4.x/src/main/java/org/jboss/web/WebsocketsMessages.java 2014-05-22 09:02:55 UTC (rev 2413)
+++ branches/7.4.x/src/main/java/org/jboss/web/WebsocketsMessages.java 2014-05-23 11:29:12 UTC (rev 2414)
@@ -170,7 +170,7 @@
@Message(id = 8544, value = "The WebSocket session has been closed and no method (apart from close()) may be called on a closed session")
IllegalStateException sessionAlreadyClosed();
- @Message(id = 8545, value = "Unable to create dedicated AsynchronousChannelGroup for WebSocket clients which is required to prevent memory leaks in complex class loader environments like J2EE containers")
+ @Message(id = 8545, value = "Unable to create dedicated AsynchronousChannelGroup for WebSocket clients which is required to prevent memory leaks in complex class loader environments like JEE containers")
IllegalStateException asyncGroupFail();
@Message(id = 8546, value = "Cannot use POJO class [%s] as it is not annotated with @ClientEndpoint")
JBossWeb SVN: r2413 - in branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse: openssl and 1 other directory.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-05-22 05:02:55 -0400 (Thu, 22 May 2014)
New Revision: 2413
Added:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSEUtils.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
Modified:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java
Log:
BZ1078204: Support OpenSSL syntax for ciphers, and change the default cipher suite. Submitted by Emmanuel Hugonnet.
Modified: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2014-05-15 09:50:43 UTC (rev 2412)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -205,59 +205,9 @@
String[] enabledCiphers = null;
if (requestedCiphers != null) {
- Vector vec = null;
- String cipher = requestedCiphers;
- int index = requestedCiphers.indexOf(',');
- if (index != -1) {
- int fromIndex = 0;
- while (index != -1) {
- cipher = requestedCiphers.substring(fromIndex, index).trim();
- if (cipher.length() > 0) {
- /*
- * Check to see if the requested cipher is among the
- * supported ciphers, i.e., may be enabled
- */
- for (int i=0; supportedCiphers != null
- && i<supportedCiphers.length; i++) {
- if (supportedCiphers[i].equals(cipher)) {
- if (vec == null) {
- vec = new Vector();
- }
- vec.addElement(cipher);
- break;
- }
- }
- }
- fromIndex = index+1;
- index = requestedCiphers.indexOf(',', fromIndex);
- } // while
- cipher = requestedCiphers.substring(fromIndex);
- }
-
- if (cipher != null) {
- cipher = cipher.trim();
- if (cipher.length() > 0) {
- /*
- * Check to see if the requested cipher is among the
- * supported ciphers, i.e., may be enabled
- */
- for (int i=0; supportedCiphers != null
- && i<supportedCiphers.length; i++) {
- if (supportedCiphers[i].equals(cipher)) {
- if (vec == null) {
- vec = new Vector();
- }
- vec.addElement(cipher);
- break;
- }
- }
- }
- }
-
- if (vec != null) {
- enabledCiphers = new String[vec.size()];
- vec.copyInto(enabledCiphers);
- } else {
+ String[] ciphers = requestedCiphers.split(",");
+ enabledCiphers = JSSEUtils.getEnabledCiphers(ciphers, supportedCiphers);
+ if(enabledCiphers == null || enabledCiphers.length == 0) {
throw new IOException(MESSAGES.noCipherMatch()); // Like openssl.
}
} else {
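Review bot: `requestedCiphers.split(",")` no longer trims the entries, which the removed loop did with `.trim()`, so a value written as `A, B` yields ` B` and that entry fails the exact-match lookup in `JSSEUtils.resolveEnabledCipherSuite`. The entry is dropped silently as long as one other entry matches, leaving the connector with a narrower cipher list than the one configured. Splitting with `requestedCiphers.trim().split("\\s*,\\s*")` restores the old tolerance; the same line appears in the NioJSSESocketChannelFactory hunk of this commit. The `enabledCiphers == null` half of the check that follows can never be true, because `getEnabledCiphers` returns the result of `toArray`. The enclosing method starts and ends outside the hunk.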
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSEUtils.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSEUtils.java (rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSEUtils.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ *
+ * Copyright 2011 Red Hat, Inc. and/or its affiliates, and individual
+ * contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.jsse;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+import org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser;
+
+/**
+ * Utility methods.
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+public final class JSSEUtils {
+
+ public static String[] getEnabledCiphers(final String[] cipherSuites, final String[] supportedCiphers) {
+ return resolveEnabledCipherSuite(cipherSuites, new HashSet<String>(Arrays.asList(supportedCiphers)));
+ }
+
+ static String[] resolveEnabledCipherSuite(final String[] cipherSuites, final Set<String> supportedCiphers) {
+ Set<String> result = new LinkedHashSet<String>();
+ if (cipherSuites.length == 1) {
+ List<String> enabledCiphers = OpenSSLCipherConfigurationParser.parseExpression(cipherSuites[0]);
+ for (String enabledCipher : enabledCiphers) {
+ if (supportedCiphers.contains(enabledCipher)) {
+ result.add(enabledCipher);
+ }
+ }
+ } else {
+ for (String enabledCipher : cipherSuites) {
+ if (supportedCiphers.contains(enabledCipher)) {
+ result.add(enabledCipher);
+ }
+ }
+ }
+ return result.toArray(new String[result.size()]);
+ }
+
+}
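Review bot: `getEnabledCiphers` passes `supportedCiphers` straight to `Arrays.asList`, which throws a NullPointerException for a null array, whereas the loops it replaces in both socket factories tolerated that case with `supportedCiphers != null`. A guard such as `if (supportedCiphers == null) { return new String[0]; }` keeps the callers on their existing `noCipherMatch` error path. A list with exactly one entry is always handed to `OpenSSLCipherConfigurationParser.parseExpression`; whether a single JSSE suite name survives that parser is not visible here. The class Javadoc ("Utility methods.") should state this one-entry rule, since it changes how a one-element cipher configuration is read.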
Modified: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java 2014-05-15 09:50:43 UTC (rev 2412)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -345,61 +345,13 @@
String[] enabledCiphers = null;
SSLServerSocketFactory sslProxy = sslContext.getServerSocketFactory();
if (requestedCiphers != null) {
- Vector<Object> vec = null;
- String cipher = requestedCiphers;
- int index = requestedCiphers.indexOf(',');
- if (index != -1) {
- int fromIndex = 0;
- while (index != -1) {
- cipher = requestedCiphers.substring(fromIndex, index).trim();
- if (cipher.length() > 0) {
- /*
- * Check to see if the requested cipher is among the
- * supported ciphers, i.e., may be enabled
- */
- for (int i = 0; supportedCiphers != null && i < supportedCiphers.length; i++) {
- if (supportedCiphers[i].equals(cipher)) {
- if (vec == null) {
- vec = new Vector<Object>();
- }
- vec.addElement(cipher);
- break;
- }
- }
- }
- fromIndex = index + 1;
- index = requestedCiphers.indexOf(',', fromIndex);
- } // while
- cipher = requestedCiphers.substring(fromIndex);
- }
-
- if (cipher != null) {
- cipher = cipher.trim();
- if (cipher.length() > 0) {
- /*
- * Check to see if the requested cipher is among the
- * supported ciphers, i.e., may be enabled
- */
- for (int i = 0; supportedCiphers != null && i < supportedCiphers.length; i++) {
- if (supportedCiphers[i].equals(cipher)) {
- if (vec == null) {
- vec = new Vector<Object>();
- }
- vec.addElement(cipher);
- break;
- }
- }
- }
- }
-
- if (vec != null) {
- enabledCiphers = new String[vec.size()];
- vec.copyInto(enabledCiphers);
- } else {
- throw new IOException(MESSAGES.noCipherMatch()); // Like openssl.
- }
+ String[] ciphers = requestedCiphers.split(",");
+ enabledCiphers = JSSEUtils.getEnabledCiphers(ciphers, supportedCiphers);
+ if(enabledCiphers == null || enabledCiphers.length == 0) {
+ throw new IOException(MESSAGES.noCipherMatch()); // Like openssl.
+ }
} else {
- enabledCiphers = sslProxy.getDefaultCipherSuites();
+ enabledCiphers = sslProxy.getDefaultCipherSuites();
}
return enabledCiphers;
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java (rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum Authentication {
+ RSA /* RSA auth */,
+ DSS /* DSS auth */,
+ aNULL /* no auth (i.e. use ADH or AECDH) */,
+ DH /* Fixed DH auth (kDHd or kDHr) */,
+ ECDH /* Fixed ECDH auth (kECDHe or kECDHr) */,
+ KRB5 /* KRB5 auth */,
+ ECDSA/* ECDSA auth*/,
+ PSK /* PSK auth */,
+ GOST94 /* GOST R 34.10-94 signature auth */,
+ GOST01 /* GOST R 34.10-2001 */,
+ FZA /* Fortezza */;
+}
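Review bot: The Javadoc block on `Authentication` is empty apart from the author tag. A single sentence such as `Authentication method of a cipher suite, as referenced by the entries in Ciphers.` would say what the enum is for. The inline comment on `aNULL` already says "no auth"; the Javadoc could add that suites carrying this value do not authenticate the peer, which is what a reader selecting ciphers needs to know.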
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java (rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -0,0 +1,2304 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ * All Ciphers for SSL/TSL.
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum Ciphers {
+ /* The RSA ciphers */
+ // Cipher 01
+ SSL_RSA_WITH_NULL_MD5("NULL-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0),
+ // Cipher 02
+ SSL_RSA_WITH_NULL_SHA("NULL-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0),
+ // Cipher 03
+ SL_RSA_EXPORT_WITH_RC4_40_MD5("EXP-RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 04
+ SSL_RSA_WITH_RC4_128_MD5("RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 05
+ SSL_RSA_WITH_RC4_128_SHA("RC4-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 06
+ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5("EXP-RC2-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 07
+ SSL_RSA_WITH_IDEA_CBC_SHA("IDEA-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.IDEA,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 08
+ SSL_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-DES-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 09
+ SSL_RSA_WITH_DES_CBC_SHA("DES-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 0A
+ SSL_RSA_WITH_3DES_EDE_CBC_SHA("DES-CBC3-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ /* The DH ciphers */
+ // Cipher 0B
+ SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA("EXP-DH-DSS-DES-CBC-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 0C
+ SSL_DH_DSS_WITH_DES_CBC_SHA("DH-DSS-DES-CBC-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 0D
+ SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA("DH-DSS-DES-CBC3-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ // Cipher 0E
+ SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-DH-RSA-DES-CBC-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 0F
+ SSL_DH_RSA_WITH_DES_CBC_SHA("DH-RSA-DES-CBC-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 10
+ SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA("DH-RSA-DES-CBC3-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ /* The Ephemeral DH ciphers */
+ // Cipher 11
+ SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA("EXP-EDH-DSS-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 12
+ SSL_DHE_DSS_WITH_DES_CBC_SHA("EDH-DSS-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 13
+ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA("EDH-DSS-DES-CBC3-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ // Cipher 14
+ TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-EDH-RSA-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 15
+ TLS_DHE_RSA_WITH_DES_CBC_SHA("EDH-RSA-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 16
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA("EDH-RSA-DES-CBC3-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ // Cipher 17
+ TLS_DH_anon_EXPORT_WITH_RC4_40_MD5("EXP-ADH-RC4-MD5",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 18
+ TLS_DH_anon_WITH_RC4_128_MD5("ADH-RC4-MD5",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 19
+ TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA("EXP-ADH-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 1A
+ TLS_DH_anon_WITH_DES_CBC_SHA("ADH-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 1B
+ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA("ADH-DES-CBC3-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ /* Fortezza ciphersuite from SSL 3.0 spec */
+ // Cipher 1C
+ SSL_FORTEZZA_DMS_WITH_NULL_SHA("FZA-NULL-SHA",
+ KeyExchange.FZA,
+ Authentication.FZA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0),
+ // Cipher 1D
+ SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA("FZA-FZA-CBC-SHA",
+ KeyExchange.FZA,
+ Authentication.FZA,
+ Encryption.FZA,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0),
+ // Cipher 1E
+ SSL_FORTEZZA_DMS_WITH_RC4_128_SHA("FZA-RC4-SHA",
+ KeyExchange.FZA,
+ Authentication.FZA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ /* The Kerberos ciphers*/
+ // Cipher 1E
+ /*TLS_KRB5_WITH_DES_CBC_SHA("KRB5-DES-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 1F
+ TLS_KRB5_WITH_3DES_EDE_CBC_SHA("KRB5-DES-CBC3-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ // Cipher 20
+ TLS_KRB5_WITH_RC4_128_SHA("KRB5-RC4-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 21
+ TLS_KRB5_WITH_IDEA_CBC_SHA("KRB5-IDEA-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.IDEA,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 22
+ TLS_KRB5_WITH_DES_CBC_MD5("KRB5-DES-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 23
+ TLS_KRB5_WITH_3DES_EDE_CBC_MD5("KRB5-DES-CBC3-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.TRIPLE_DES,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168),
+ // Cipher 24
+ TLS_KRB5_WITH_RC4_128_MD5("KRB5-RC4-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 25
+ TLS_KRB5_WITH_IDEA_CBC_MD5("KRB5-IDEA-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.IDEA,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 26
+ TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA("EXP-KRB5-DES-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 27
+ TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA("EXP-KRB5-RC2-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC2,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 28
+ TLS_KRB5_EXPORT_WITH_RC4_40_SHA("EXP-KRB5-RC4-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 29
+ TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5("EXP-KRB5-DES-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 2A
+ TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5("EXP-KRB5-RC2-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 2B
+ TLS_KRB5_EXPORT_WITH_RC4_40_MD5("EXP-KRB5-RC4-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),*/
+ /* New AES ciphersuites */
+ // Cipher 2F
+ TLS_RSA_WITH_AES_128_CBC_SHA("AES128-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 30
+ TLS_DH_DSS_WITH_AES_128_CBC_SHA("DH-DSS-AES128-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 31
+ TLS_DH_RSA_WITH_AES_128_CBC_SHA("DH-RSA-AES128-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 32
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA("DHE-DSS-AES128-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 33
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA("DHE-RSA-AES128-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 34
+ TLS_DH_anon_WITH_AES_128_CBC_SHA("ADH-AES128-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 35
+ TLS_RSA_WITH_AES_256_CBC_SHA("AES256-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 36
+ TLS_DH_DSS_WITH_AES_256_CBC_SHA("DH-DSS-AES256-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 37
+ TLS_DH_RSA_WITH_AES_256_CBC_SHA("DH-RSA-AES256-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 38
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA("DHE-DSS-AES256-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 39
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA("DHE-RSA-AES256-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256), // Cipher 3A
+ TLS_DH_anon_WITH_AES_256_CBC_SHA("ADH-AES256-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ /* TLS v1.2 ciphersuites */
+ // Cipher 3B
+ TLS_RSA_WITH_NULL_SHA256("NULL-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0),
+ // Cipher 3C
+ TLS_RSA_WITH_AES_128_CBC_SHA256("AES128-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 3D
+ TLS_RSA_WITH_AES_256_CBC_SHA256("AES256-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 3E
+ TLS_DH_DSS_WITH_AES_128_CBC_SHA256("DH-DSS-AES128-SHA256",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 3F
+ TLS_DH_RSA_WITH_AES_128_CBC_SHA256("DH-RSA-AES128-SHA256",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 40
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256("DHE-DSS-AES128-SHA256",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ /* Camellia ciphersuites from RFC4132 (128-bit portion) */
+ // Cipher 41
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA("CAMELLIA128-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ // Cipher 42
+ TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA("DH-DSS-CAMELLIA128-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ // Cipher 43
+ TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA("DH-RSA-CAMELLIA128-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ // Cipher 44
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA("DHE-DSS-CAMELLIA128-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ // Cipher 45
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA("DHE-RSA-CAMELLIA128-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ // Cipher 46
+ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA("ADH-CAMELLIA128-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ /* New TLS Export CipherSuites from expired ID */
+ // Cipher 60
+ SSL_RSA_EXPORT1024_WITH_RC4_56_MD5("EXP1024-RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128),
+ // Cipher 61
+ SSL_RSA_EXPORT1024_WITH_RC2_CBC_56_MD("EXP1024-RC2-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128),
+ // Cipher 62
+ SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA("EXP1024-DES-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 56),
+ // Cipher 63
+ SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA("EXP1024-DHE-DSS-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 56),
+ // Cipher 64
+ SSL_RSA_EXPORT1024_WITH_RC4_56_SHA("EXP1024-RC4-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128),
+ // Cipher 65
+ SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA("EXP1024-DHE-DSS-RC4-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128),
+ // Cipher 66
+ SSL_DHE_DSS_WITH_RC4_128_SHA("DHE-DSS-RC4-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ /* TLS v1.2 ciphersuites */
+ // Cipher 67
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256("DHE-RSA-AES128-SHA256",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 68
+ TLS_DH_DSS_WITH_AES_256_CBC_SHA256("DH-DSS-AES256-SHA256",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 69
+ TLS_DH_RSA_WITH_AES_256_CBC_SHA256("DH-RSA-AES256-SHA256",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 6A
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256("DHE-DSS-AES256-SHA256",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 6B
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256("DHE-RSA-AES256-SHA256",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 6C
+ TLS_DH_anon_WITH_AES_128_CBC_SHA256("ADH-AES128-SHA256",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 6D
+ TLS_DH_anon_WITH_AES_256_CBC_SHA256("ADH-AES256-SHA256",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ /* GOST Ciphersuites */
+ TLS_GOSTR341094_WITH_28147_CNT_IMIT("GOST94-GOST89-GOST89",
+ KeyExchange.GOST,
+ Authentication.GOST94,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ TLS_GOSTR341001_WITH_28147_CNT_IMIT("GOST2001-GOST89-GOST89",
+ KeyExchange.GOST,
+ Authentication.GOST01,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ TLS_GOSTR341094_WITH_NULL_GOSTR3411("GOST94-NULL-GOST94",
+ KeyExchange.GOST,
+ Authentication.GOST94,
+ Encryption.eNULL,
+ MessageDigest.GOST94,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0),
+ TLS_GOSTR341001_WITH_NULL_GOSTR3411("GOST2001-NULL-GOST94",
+ KeyExchange.GOST,
+ Authentication.GOST01,
+ Encryption.eNULL,
+ MessageDigest.GOST94,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0),
+ /* Camellia ciphersuites from RFC4132 (256-bit portion) */
+ // Cipher 84
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA("CAMELLIA256-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ // Cipher 85
+ TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA("DH-DSS-CAMELLIA256-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ // Cipher 86
+ TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SH("DH-RSA-CAMELLIA256-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ // Cipher 87
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA("DHE-DSS-CAMELLIA256-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ // Cipher 88
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA("DHE-RSA-CAMELLIA256-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256), // Cipher 89
+ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA("ADH-CAMELLIA256-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ // Cipher 8A
+ TLS_PSK_WITH_RC4_128_SHA("PSK-RC4-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 8B
+ TLS_PSK_WITH_3DES_EDE_CBC_SHA("PSK-3DES-EDE-CBC-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher 8C
+ TLS_PSK_WITH_AES_128_CBC_SHA("PSK-AES128-CBC-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 8D
+ TLS_PSK_WITH_AES_256_CBC_SHA("PSK-AES256-CBC-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* SEED ciphersuites from RFC4162 */
+ // Cipher 96
+ TLS_RSA_WITH_SEED_CBC_SHA("SEED-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 97
+ TLS_DH_DSS_WITH_SEED_CBC_SHA("DH-DSS-SEED-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 98
+ TLS_DH_RSA_WITH_SEED_CBC_SHA("DH-RSA-SEED-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 99
+ TLS_DHE_DSS_WITH_SEED_CBC_SHA("DHE-DSS-SEED-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 9A
+ TLS_DHE_RSA_WITH_SEED_CBC_SHA("DHE-RSA-SEED-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 9B
+ TLS_DH_anon_WITH_SEED_CBC_SHA("ADH-SEED-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ /* GCM ciphersuites from RFC5288 */
+ // Cipher 9C
+ TLS_RSA_WITH_AES_128_GCM_SHA256("AES128-GCM-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 9D
+ TLS_RSA_WITH_AES_256_GCM_SHA384("AES256-GCM-SHA384",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 9E
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256("DHE-RSA-AES128-GCM-SHA256",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 9F
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384("DHE-RSA-AES256-GCM-SHA384",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A0
+ TLS_DH_RSA_WITH_AES_128_GCM_SHA256("DH-RSA-AES128-GCM-SHA256",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A1
+ TLS_DH_RSA_WITH_AES_256_GCM_SHA384("DH-RSA-AES256-GCM-SHA384",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A2
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256("DHE-DSS-AES128-GCM-SHA256",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A3
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384("DHE-DSS-AES256-GCM-SHA384",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A4
+ TLS_DH_DSS_WITH_AES_128_GCM_SHA256("DH-DSS-AES128-GCM-SHA256",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A5
+ TLS_DH_DSS_WITH_AES_256_GCM_SHA384("DH-DSS-AES256-GCM-SHA384",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A6
+ TLS_DH_anon_WITH_AES_128_GCM_SHA256("ADH-AES128-GCM-SHA256",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A7
+ TLS_DH_anon_WITH_AES_256_GCM_SHA384("ADH-AES256-GCM-SHA384",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
+ // Cipher C001
+ TLS_ECDH_ECDSA_WITH_NULL_SHA("ECDH-ECDSA-NULL-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C002
+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA("ECDH-ECDSA-RC4-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C003
+ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA("ECDH-ECDSA-DES-CBC3-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C004
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA("ECDH-ECDSA-AES128-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C005
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA("ECDH-ECDSA-AES256-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C006
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA("ECDHE-ECDSA-NULL-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C007
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA("ECDHE-ECDSA-RC4-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C008
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA("ECDHE-ECDSA-DES-CBC3-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C009
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA("ECDHE-ECDSA-AES128-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C00A
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA("ECDHE-ECDSA-AES256-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C00B
+ TLS_ECDH_RSA_WITH_NULL_SHA("ECDH-RSA-NULL-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C00C
+ TLS_ECDH_RSA_WITH_RC4_128_SHA("ECDH-RSA-RC4-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C00D
+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA("ECDH-RSA-DES-CBC3-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C00E
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA("ECDH-RSA-AES128-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C00F
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA("ECDH-RSA-AES256-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ TLS_ECDHE_RSA_WITH_NULL_SHA("ECDHE-RSA-NULL-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C011
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA("ECDHE-RSA-RC4-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C012
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA("ECDHE-RSA-DES-CBC3-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C013
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA("ECDHE-RSA-AES128-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C014
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA("ECDHE-RSA-AES256-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C015
+ TLS_ECDH_anon_WITH_NULL_SHA("AECDH-NULL-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C016
+ TLS_ECDH_anon_WITH_RC4_128_SHA("AECDH-RC4-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C017
+ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA("AECDH-DES-CBC3-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C018
+ TLS_ECDH_anon_WITH_AES_128_CBC_SHA("AECDH-AES128-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C019
+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA("AECDH-AES256-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* SRP ciphersuite from RFC 5054 */
+ // Cipher C01A
+ TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA("SRP-3DES-EDE-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.aNULL,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ ),
+ // Cipher C01B
+ TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA("SRP-RSA-3DES-EDE-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ ),
+ // Cipher C01C
+ TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA("SRP-DSS-3DES-EDE-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.DSS,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ ),
+ // Cipher C01D
+ TLS_SRP_SHA_WITH_AES_128_CBC_SHA("SRP-AES-128-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C01E
+ TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA("SRP-RSA-AES-128-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C01F
+ TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA("SRP-DSS-AES-128-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.DSS,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C020
+ TLS_SRP_SHA_WITH_AES_256_CBC_SHA("SRP-AES-256-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher C021
+ TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA("SRP-RSA-AES-256-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher C022
+ TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA("SRP-DSS-AES-256-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.DSS,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
+ // Cipher C023
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256("ECDHE-ECDSA-AES128-SHA256",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C024
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384("ECDHE-ECDSA-AES256-SHA384",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C025
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256("ECDH-ECDSA-AES128-SHA256",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C026
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384("ECDH-ECDSA-AES256-SHA384",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C027
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256("ECDHE-RSA-AES128-SHA256",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C028
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384("ECDHE-RSA-AES256-SHA384",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C029
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256("ECDH-RSA-AES128-SHA256",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C02A
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384("ECDH-RSA-AES256-SHA384",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* GCM based TLS v1.2 ciphersuites from RFC5289 */
+ // Cipher C02B
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256("ECDHE-ECDSA-AES128-GCM-SHA256",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C02C
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384("ECDHE-ECDSA-AES256-GCM-SHA384",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C02D
+ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256("ECDH-ECDSA-AES128-GCM-SHA256",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C02E
+ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384("ECDH-ECDSA-AES256-GCM-SHA384",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C02F
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256("ECDHE-RSA-AES128-GCM-SHA256",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C030
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384("ECDHE-RSA-AES256-GCM-SHA384",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C031
+ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256("ECDH-RSA-AES128-GCM-SHA256",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C032
+ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384("ECDH-RSA-AES256-GCM-SHA384",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // RC4_128_WITH_MD5
+ SSL_CK_RC4_128_WITH_MD5("RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // RC4_128_EXPORT40_WITH_MD5
+ SSL_CK_RC4_128_EXPORT40_WITH_MD5("EXP-RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128
+ ),
+ // RC2_128_CBC_WITH_MD5
+ SSL_CK_RC2_128_CBC_WITH_MD5("RC2-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // RC2_128_CBC_EXPORT40_WITH_MD5
+ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5("EXP-RC2-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128
+ ),
+ // IDEA_128_CBC_WITH_MD5
+ SSL_CK_IDEA_128_CBC_WITH_MD5("IDEA-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.IDEA,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false, EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // DES_64_CBC_WITH_MD5
+ SSL_CK_DES_64_CBC_WITH_MD5("DES-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56
+ ),
+ // DES_192_EDE3_CBC_WITH_MD5
+ SSL_CK_DES_192_EDE3_CBC_WITH_MD5("DES-CBC3-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ );
+
+ /* TEMP_GOST_TLS*/
+ /*
+ // Cipher FF00
+ TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5("GOST-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.MD5,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+
+ 256,
+ 256,
+ ),
+ TLS_RSA_WITH_28147_CNT_GOST94(
+ "GOST-GOST94",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST94,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+
+ 256,
+ 256
+ ),
+ {
+ 1,
+ "GOST-GOST89MAC",
+ 0x0300ff02,
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+
+ 256,
+ 256
+ ),
+ {
+ 1,
+ "GOST-GOST89STREAM",
+ 0x0300ff03,
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+
+ 256,
+ 256
+ };*/
+ private final String openSSLAlias;
+ private final KeyExchange kx;
+ private final Authentication au;
+ private final Encryption enc;
+ private final MessageDigest mac;
+ private final Protocol protocol;
+ private final boolean export;
+ private final EncryptionLevel level;
+ private final boolean fipsCompatible;
+ /**
+ * Number of bits really used
+ */
+ private final int strength_bits;
+ /**
+ * Number of bits for algorithm
+ */
+ private final int alg_bits;
+
+ Ciphers(String openSSLAlias, KeyExchange kx, Authentication au,
+ Encryption enc, MessageDigest mac, Protocol protocol, boolean export,
+ EncryptionLevel level, boolean fipsCompatible, int strength_bits,
+ int alg_bits) {
+ this.openSSLAlias = openSSLAlias;
+ this.kx = kx;
+ this.au = au;
+ this.enc = enc;
+ this.mac = mac;
+ this.protocol = protocol;
+ this.export = export;
+ this.level = level;
+ this.fipsCompatible = fipsCompatible;
+ this.strength_bits = strength_bits;
+ this.alg_bits = alg_bits;
+ }
+
+ public String getOpenSSLAlias() {
+ return openSSLAlias;
+ }
+
+ public KeyExchange getKx() {
+ return kx;
+ }
+
+ public Authentication getAu() {
+ return au;
+ }
+
+ public Encryption getEnc() {
+ return enc;
+ }
+
+ public MessageDigest getMac() {
+ return mac;
+ }
+
+ public Protocol getProtocol() {
+ return protocol;
+ }
+
+ public boolean isExport() {
+ return export;
+ }
+
+ public EncryptionLevel getLevel() {
+ return level;
+ }
+
+ public boolean isFipsCompatible() {
+ return fipsCompatible;
+ }
+
+ public int getStrength_bits() {
+ return strength_bits;
+ }
+
+ public int getAlg_bits() {
+ return alg_bits;
+ }
+
+}
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java (rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014
+ * Red Hat, inc.
+ */
+enum Encryption {
+ AES256GCM, AES256, AES128GCM, AES128, CAMELLIA256, CAMELLIA128, TRIPLE_DES, DES, IDEA, eGOST2814789CNT, SEED, FZA, RC4, RC2, eNULL;
+}
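Review bot: The Javadoc on `Encryption` is empty, and the constant list mixes OpenSSL-prefixed names (`eNULL`, `eGOST2814789CNT`) with plain ones (`RC4`, `DES`, `FZA`) without saying why. Because the enum puts no-encryption and legacy algorithms next to AES-GCM, I would add a class comment such as `/** Bulk encryption algorithm of a cipher suite, named after the OpenSSL cipher-string keywords; eNULL means no encryption at all. */`. That tells the reader a constant here is a classification used for filtering, not a statement that the algorithm is acceptable. The `;` after `eNULL` can also be dropped, since the enum has no body.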
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java (rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum EncryptionLevel {
+ STRONG_NONE, EXP40, EXP56, LOW, MEDIUM, HIGH, FIPS;
+}
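Review bot: `STRONG_NONE` reads like a strength grade, but the `Ciphers` entries in this commit assign it to the NULL-encryption suites with 0 strength bits, and the empty Javadoc does not say so. I would document each level on the enum, for example `/** No encryption (eNULL suites). */` on `STRONG_NONE` and the bit ranges that `EXP40`, `EXP56`, `LOW`, `MEDIUM` and `HIGH` stand for. `FIPS` also needs a sentence on how it relates to the separate `fipsCompatible` flag in `Ciphers`, because two representations of the same property are easy to let drift apart. If any code relies on the declaration order as a ranking, that should be stated here too.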
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java (rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum KeyExchange {
+ EECDH /* ephemeral ECDH */,
+ RSA /* RSA key exchange */,
+ DHr /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */,
+ DHd /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */,
+ EDH /* tmp DH key no DH cert */,
+ PSK /* PSK */,
+ FZA /* Fortezza */ /* no such ciphersuite supported! */,
+ KRB5 /* Kerberos 5 key exchange */,
+ ECDHr /* ECDH cert, RSA CA cert */,
+ ECDHe /* ECDH cert, ECDSA CA cert */,
+ GOST /* GOST key exchange */,
+ SRP /* SRP */;
+}
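Review bot: The remark `no such ciphersuites supported!` on `DHr`, `DHd` and `FZA` does not say who lacks the support (OpenSSL, JSSE or this table). The parser added in the same commit still builds the `kDHr`, `kDHd` and `kFZA` aliases from these values. If the meaning is that no `Ciphers` entry uses them, say that explicitly, e.g. `/** DH cert, RSA CA cert; no entry in Ciphers uses this value, so aliases built from it are empty. */`. Turning the trailing block comments into Javadoc on each constant would also make them visible in an IDE, and the spelling should be consistent (`ciphersuites` on `DHr`, `ciphersuite` on `DHd` and `FZA`).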
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java (rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum MessageDigest {
+ MD5, SHA1, GOST94, GOST89MAC, SHA256, SHA384, AEAD;
+}
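Review bot: Naming this enum `MessageDigest` shadows `java.security.MessageDigest` for every class in the package, so a later import of the JDK type here will not compile without full qualification. The name also does not fit `AEAD`, which the GCM entries in `Ciphers` use to mark suites that have no separate MAC. If a rename such as `MacAlgorithm` is too invasive for a sync commit, the empty Javadoc should at least carry `/** MAC algorithm of a cipher suite; AEAD marks suites whose integrity comes from the cipher mode. Not related to java.security.MessageDigest. */`.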
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java (rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -0,0 +1,582 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.jboss.web.CoyoteLogger;
+
+/**
+ * Class in charge with parsing openSSL expressions to define a list of ciphers.
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+public class OpenSSLCipherConfigurationParser {
+
+ /**
+ * System property key to define the DEFAULT ciphers.
+ */
+ public static final String DEFAULT_EXPRESSION_KEY = "openssl.default.ciphers";
+
+ private static boolean initialized = false;
+
+ private static final String SEPARATOR = ":";
+ /**
+ * If ! is used then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list
+ * even if they are explicitly stated.
+ */
+ private final static String EXCLUDE = "!";
+ /**
+ * If - is used then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later
+ * options.
+ */
+ private static final String DELETE = "-";
+ /**
+ * If + is used then the ciphers are moved to the end of the list. This option doesn't add any new ciphers it just moves
+ * matching existing ones.
+ */
+ private static final String TO_END = "+";
+ /**
+ * All ciphers by their openssl alias name.
+ */
+ private static final Map<String, List<Ciphers>> aliases = new LinkedHashMap<String, List<Ciphers>>();
+
+ /**
+ * the 'NULL' ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk
+ * they are disabled unless explicitly included.
+ */
+ private static final String eNULL = "eNULL";
+ /**
+ * The cipher suites offering no authentication. This is currently the anonymous DH algorithms. T These cipher suites are
+ * vulnerable to a 'man in the middle' attack and so their use is normally discouraged.
+ */
+ private static final String aNULL = "aNULL";
+
+ /**
+ * 'high' encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites
+ * with 128-bit keys.
+ */
+ private static final String HIGH = "HIGH";
+ /**
+ * 'medium' encryption cipher suites, currently some of those using 128 bit encryption.
+ */
+ private static final String MEDIUM = "MEDIUM";
+ /**
+ * 'low' encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher
+ * suites.
+ */
+ private static final String LOW = "LOW";
+ /**
+ * Export encryption algorithms. Including 40 and 56 bits algorithms.
+ */
+ private static final String EXPORT = "EXPORT";
+ /**
+ * 40 bit export encryption algorithms.
+ */
+ private static final String EXPORT40 = "EXPORT40";
+ /**
+ * 56 bit export encryption algorithms.
+ */
+ private static final String EXPORT56 = "EXPORT56";
+ /**
+ * Cipher suites using RSA key exchange.
+ */
+ private static final String kRSA = "kRSA";
+ /**
+ * Cipher suites using RSA authentication.
+ */
+ private static final String aRSA = "aRSA";
+ /**
+ * Cipher suites using RSA for key exchange or for authentication.
+ */
+ private static final String RSA = "RSA";
+ /**
+ * Cipher suites using ephemeral DH key agreement.
+ */
+ private static final String kEDH = "kEDH";
+ /**
+ * Cipher suites using ephemeral DH key agreement. equivalent to kEDH:-ADH
+ */
+ private static final String EDH = "EDH";
+ /**
+ * Cipher suites using DH key agreement and DH certificates signed by CAs with RSA keys.
+ */
+ private static final String kDHr = "kDHr";
+ /**
+ * Cipher suites using DH key agreement and DH certificates signed by CAs with DSS keys.
+ */
+ private static final String kDHd = "kDHd";
+ /**
+ * Cipher suites using DH key agreement and DH certificates signed by CAs with RSA or DSS keys.
+ */
+ private static final String kDH = "kDH";
+ /**
+ * Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
+ */
+ private static final String aDSS = "aDSS";
+ /**
+ * Cipher suites effectively using DH authentication, i.e. the certificates carry DH keys.
+ */
+ private static final String aDH = "aDH";
+ /**
+ * Ciphers suites using FORTEZZA key exchange algorithms.
+ */
+ private static final String kFZA = "kFZA";
+ /**
+ * Ciphers suites using FORTEZZA authentication algorithms.
+ */
+ private static final String aFZA = "aFZA";
+ /**
+ * Ciphers suites using FORTEZZA encryption algorithms.
+ */
+ private static final String eFZA = "eFZA";
+ /**
+ * Ciphers suites using all FORTEZZA algorithms.
+ */
+ private static final String FZA = "FZA";
+ /**
+ * TLS v1.2 cipher suites. Note: there are no cipher suites specific to TLS v1.1.
+ */
+ private static final String TLSv1_2 = "TLSv1_2";
+ /**
+ * TLS v1.0 cipher suites.
+ */
+ private static final String TLSv1 = "TLSv1";
+ /**
+ * SSL v2.0 cipher suites.
+ */
+ private static final String SSLv2 = "SSLv2";
+ /**
+ * SSL v3.0 cipher suites.
+ */
+ private static final String SSLv3 = "SSLv3";
+ /**
+ * Cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH.
+ */
+ private static final String DH = "DH";
+ /**
+ * Anonymous DH cipher suites.
+ */
+ private static final String ADH = "ADH";
+ /**
+ * Cipher suites using 128 bit AES.
+ */
+ private static final String AES128 = "AES128";
+ /**
+ * Cipher suites using 256 bit AE.
+ */
+ private static final String AES256 = "AES256";
+ /**
+ * Cipher suites using either 128 or 256 bit AES.
+ */
+ private static final String AES = "AES";
+ /**
+ * AES in Galois Counter Mode (GCM): these cipher suites are only supported in TLS v1.2.
+ */
+ private static final String AESGCM = "AESGCM";
+ /**
+ * Cipher suites using 128 bit CAMELLIA.
+ */
+ private static final String CAMELLIA128 = "CAMELLIA128";
+ /**
+ * Cipher suites using 256 bit CAMELLIA.
+ */
+ private static final String CAMELLIA256 = "CAMELLIA256";
+ /**
+ * Cipher suites using either 128 or 256 bit CAMELLIA.
+ */
+ private static final String CAMELLIA = "CAMELLIA";
+ /**
+ * Cipher suites using triple DES.
+ */
+ private static final String TRIPLE_DES = "3DES";
+ /**
+ * Cipher suites using DES (not triple DES).
+ */
+ private static final String DES = "DES";
+ /**
+ * Cipher suites using RC4.
+ */
+ private static final String RC4 = "RC4";
+ /**
+ * Cipher suites using RC2.
+ */
+ private static final String RC2 = "RC2";
+ /**
+ * Cipher suites using IDEA.
+ */
+ private static final String IDEA = "IDEA";
+ /**
+ * Cipher suites using SEED.
+ */
+ private static final String SEED = "SEED";
+ /**
+ * Cipher suites using MD5.
+ */
+ private static final String MD5 = "MD5";
+ /**
+ * Cipher suites using SHA1.
+ */
+ private static final String SHA1 = "SHA1";
+ /**
+ * Cipher suites using SHA1.
+ */
+ private static final String SHA = "SHA";
+ /**
+ * Cipher suites using SHA256.
+ */
+ private static final String SHA256 = "SHA256";
+ /**
+ * Cipher suites using SHA384.
+ */
+ private static final String SHA384 = "SHA384";
+ /**
+ * Cipher suites using KRB5.
+ */
+ private static final String KRB5 = "KRB5";
+ /**
+ * Cipher suites using GOST R 34.10 (either 2001 or 94) for authentication.
+ */
+ private static final String aGOST = "aGOST";
+ /**
+ * Cipher suites using GOST R 34.10-2001 for authentication.
+ */
+ private static final String aGOST01 = "aGOST01";
+ /**
+ * Cipher suites using GOST R 34.10-94 authentication (note that R 34.10-94 standard has been expired so use GOST R
+ * 34.10-2001)
+ */
+ private static final String aGOST94 = "aGOST94";
+ /**
+ * Cipher suites using using VKO 34.10 key exchange, specified in the RFC 4357.
+ */
+ private static final String kGOST = "kGOST";
+ /**
+ * Cipher suites, using HMAC based on GOST R 34.11-94.
+ */
+ private static final String GOST94 = "GOST94";
+ /**
+ * Cipher suites using GOST 28147-89 MAC instead of HMAC.
+ */
+ private static final String GOST89MAC = "GOST89MAC";
+ /**
+ * Cipher suites using pre-shared keys (PSK).
+ */
+ private static final String PSK = "PSK";
+
+ private static final String DEFAULT = "DEFAULT";
+ private static final String COMPLEMENTOFDEFAULT = "COMPLEMENTOFDEFAULT";
+
+ private static final String ALL = "ALL";
+ private static final String COMPLEMENTOFALL = "COMPLEMENTOFALL";
+
+ private static final void init() {
+
+ for (Ciphers cipher : Ciphers.values()) {
+ String alias = cipher.getOpenSSLAlias();
+ if (aliases.containsKey(alias)) {
+ aliases.get(alias).add(cipher);
+ } else {
+ List<Ciphers> list = new ArrayList<Ciphers>();
+ list.add(cipher);
+ aliases.put(alias, list);
+ }
+ aliases.put(cipher.name(), Collections.singletonList(cipher));
+ }
+ List<Ciphers> allCiphers = Arrays.asList(Ciphers.values());
+ Collections.reverse(allCiphers);
+ LinkedHashSet<Ciphers> all = defaultSort(new LinkedHashSet<Ciphers>(allCiphers));
+ addListAlias(ALL, all);
+ addListAlias(HIGH, filterByEncryptionLevel(all, Collections.singleton(EncryptionLevel.HIGH)));
+ addListAlias(MEDIUM, filterByEncryptionLevel(all, Collections.singleton(EncryptionLevel.MEDIUM)));
+ addListAlias(LOW, filterByEncryptionLevel(all, Collections.singleton(EncryptionLevel.LOW)));
+ addListAlias(EXPORT, filterByEncryptionLevel(all, new HashSet<EncryptionLevel>(Arrays.asList(EncryptionLevel.EXP40, EncryptionLevel.EXP56))));
+ aliases.put("EXP", aliases.get(EXPORT));
+ addListAlias(EXPORT40, filterByEncryptionLevel(all, Collections.singleton(EncryptionLevel.EXP40)));
+ addListAlias(EXPORT56, filterByEncryptionLevel(all, Collections.singleton(EncryptionLevel.EXP56)));
+ addListAlias(eNULL, filterByEncryption(all, Collections.singleton(Encryption.eNULL)));
+ aliases.put("NULL", aliases.get(eNULL));
+ aliases.put(COMPLEMENTOFALL, aliases.get(eNULL));
+ addListAlias(aNULL, filterByAuthentication(all, Collections.singleton(Authentication.aNULL)));
+ addListAlias(kRSA, filterByKeyExchange(all, Collections.singleton(KeyExchange.RSA)));
+ addListAlias(aRSA, filterByAuthentication(all, Collections.singleton(Authentication.RSA)));
+ addListAlias(RSA, filter(all, null, Collections.singleton(KeyExchange.RSA), Collections.singleton(Authentication.RSA), null, null, null));
+ addListAlias(kEDH, filterByKeyExchange(all, Collections.singleton(KeyExchange.EDH)));
+ Set<Ciphers> edh = filterByKeyExchange(all, Collections.singleton(KeyExchange.EDH));
+ edh.removeAll(filterByAuthentication(all, Collections.singleton(Authentication.DH)));
+ addListAlias(EDH, edh);
+ addListAlias(kDHr, filterByKeyExchange(all, Collections.singleton(KeyExchange.DHr)));
+ addListAlias(kDHd, filterByKeyExchange(all, Collections.singleton(KeyExchange.DHd)));
+ addListAlias(kDH, filterByKeyExchange(all, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd))));
+ addListAlias(aDSS, filterByAuthentication(all, Collections.singleton(Authentication.DSS)));
+ aliases.put("DSS", aliases.get(aDSS));
+ addListAlias(aDH, filterByAuthentication(all, Collections.singleton(Authentication.DH)));
+ addListAlias(kFZA, filterByKeyExchange(all, Collections.singleton(KeyExchange.FZA)));
+ addListAlias(aFZA, filterByAuthentication(all, Collections.singleton(Authentication.FZA)));
+ addListAlias(eFZA, filterByEncryption(all, Collections.singleton(Encryption.FZA)));
+ addListAlias(FZA, filter(all, null, Collections.singleton(KeyExchange.FZA), Collections.singleton(Authentication.FZA), Collections.singleton(Encryption.FZA), null, null));
+ addListAlias(TLSv1_2, filterByProtocol(all, Collections.singleton(Protocol.TLSv1_2)));
+ addListAlias("TLSv1.1", filterByProtocol(all, Collections.singleton(Protocol.SSLv3)));
+ addListAlias(TLSv1, filterByProtocol(all, Collections.singleton(Protocol.TLSv1)));
+ addListAlias(SSLv3, filterByProtocol(all, Collections.singleton(Protocol.SSLv3)));
+ addListAlias(SSLv2, filterByProtocol(all, Collections.singleton(Protocol.SSLv2)));
+ addListAlias(DH, filterByKeyExchange(all, new HashSet<KeyExchange>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd, KeyExchange.EDH))));
+ Set<Ciphers> adh = filterByKeyExchange(all, Collections.singleton(KeyExchange.EDH));
+ adh.retainAll(filterByAuthentication(all, Collections.singleton(Authentication.aNULL)));
+ addListAlias(ADH, adh);
+ addListAlias(AES128, filterByEncryption(all, new HashSet<Encryption>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM))));
+ addListAlias(AES256, filterByEncryption(all, new HashSet<Encryption>(Arrays.asList(Encryption.AES256, Encryption.AES256GCM))));
+ addListAlias(AES, filterByEncryption(all, new HashSet<Encryption>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM, Encryption.AES256, Encryption.AES256GCM))));
+ addListAlias(AESGCM, filterByEncryption(all, new HashSet<Encryption>(Arrays.asList(Encryption.AES128GCM, Encryption.AES256GCM))));
+ addListAlias(CAMELLIA, filterByEncryption(all, new HashSet<Encryption>(Arrays.asList(Encryption.CAMELLIA128, Encryption.CAMELLIA256))));
+ addListAlias(CAMELLIA128, filterByEncryption(all, Collections.singleton(Encryption.CAMELLIA128)));
+ addListAlias(CAMELLIA256, filterByEncryption(all, Collections.singleton(Encryption.CAMELLIA256)));
+ addListAlias(TRIPLE_DES, filterByEncryption(all, Collections.singleton(Encryption.TRIPLE_DES)));
+ addListAlias(DES, filterByEncryption(all, Collections.singleton(Encryption.DES)));
+ addListAlias(RC4, filterByEncryption(all, Collections.singleton(Encryption.RC4)));
+ addListAlias(RC2, filterByEncryption(all, Collections.singleton(Encryption.RC2)));
+ addListAlias(IDEA, filterByEncryption(all, Collections.singleton(Encryption.IDEA)));
+ addListAlias(SEED, filterByEncryption(all, Collections.singleton(Encryption.SEED)));
+ addListAlias(MD5, filterByMessageDigest(all, Collections.singleton(MessageDigest.MD5)));
+ addListAlias(SHA1, filterByMessageDigest(all, Collections.singleton(MessageDigest.SHA1)));
+ aliases.put(SHA, aliases.get(SHA1));
+ addListAlias(SHA256, filterByMessageDigest(all, Collections.singleton(MessageDigest.SHA256)));
+ addListAlias(SHA384, filterByMessageDigest(all, Collections.singleton(MessageDigest.SHA384)));
+ addListAlias(aGOST, filterByAuthentication(all, new HashSet<Authentication>(Arrays.asList(Authentication.GOST01, Authentication.GOST94))));
+ addListAlias(aGOST01, filterByAuthentication(all, Collections.singleton(Authentication.GOST01)));
+ addListAlias(aGOST94, filterByAuthentication(all, Collections.singleton(Authentication.GOST94)));
+ addListAlias(kGOST, filterByKeyExchange(all, Collections.singleton(KeyExchange.GOST)));
+ addListAlias(GOST94, filterByMessageDigest(all, Collections.singleton(MessageDigest.GOST94)));
+ addListAlias(GOST89MAC, filterByMessageDigest(all, Collections.singleton(MessageDigest.GOST89MAC)));
+ addListAlias(PSK, filter(all, null, Collections.singleton(KeyExchange.PSK), Collections.singleton(Authentication.PSK), null, null, null));
+ addListAlias(KRB5, filter(all, null, Collections.singleton(KeyExchange.KRB5), Collections.singleton(Authentication.KRB5), null, null, null));
+ initialized = true;
+ String defaultExpression = System.getProperty(DEFAULT_EXPRESSION_KEY, "ALL:!eNULL:!aNULL");
+ addListAlias(DEFAULT, parse(defaultExpression));
+ LinkedHashSet<Ciphers> complementOfDefault = new LinkedHashSet<Ciphers>(all);
+ complementOfDefault.removeAll(aliases.get(DEFAULT));
+ addListAlias(COMPLEMENTOFDEFAULT, complementOfDefault);
+ }
+
+ static void addListAlias(String alias, Set<Ciphers> ciphers) {
+ aliases.put(alias, new ArrayList<Ciphers>(ciphers));
+ }
+
+ static void moveToEnd(final LinkedHashSet<Ciphers> ciphers, final String alias) {
+ moveToEnd(ciphers, aliases.get(alias));
+ }
+
+ static void moveToEnd(final LinkedHashSet<Ciphers> ciphers, final Collection<Ciphers> toBeMovedCiphers) {
+ ciphers.removeAll(toBeMovedCiphers);
+ ciphers.addAll(toBeMovedCiphers);
+ }
+
+ static void add(final LinkedHashSet<Ciphers> ciphers, final String alias) {
+ ciphers.addAll(aliases.get(alias));
+ }
+
+ static void remove(final LinkedHashSet<Ciphers> ciphers, final String alias) {
+ ciphers.removeAll(aliases.get(alias));
+ }
+
+ static LinkedHashSet<Ciphers> strengthSort(final LinkedHashSet<Ciphers> ciphers) {
+ /*
+ * This routine sorts the ciphers with descending strength. The sorting
+ * must keep the pre-sorted sequence, so we apply the normal sorting
+ * routine as '+' movement to the end of the list.
+ */
+ Set<Integer> keySizes = new HashSet<Integer>();
+ for (Ciphers cipher : ciphers) {
+ keySizes.add(cipher.getStrength_bits());
+ }
+ List<Integer> strength_bits = new ArrayList<Integer>(keySizes);
+ Collections.sort(strength_bits);
+ Collections.reverse(strength_bits);
+ final LinkedHashSet<Ciphers> result = new LinkedHashSet<Ciphers>(ciphers);
+ for (int strength : strength_bits) {
+ moveToEnd(result, filterByStrengthBits(ciphers, strength));
+ }
+ return result;
+ }
+
+ static LinkedHashSet<Ciphers> defaultSort(final LinkedHashSet<Ciphers> ciphers) {
+ final LinkedHashSet<Ciphers> result = new LinkedHashSet<Ciphers>(ciphers.size());
+ /* Now arrange all ciphers by preference: */
+
+ /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
+ result.addAll(filterByKeyExchange(ciphers, Collections.singleton(KeyExchange.EECDH)));
+ /* AES is our preferred symmetric cipher */
+ result.addAll(filterByEncryption(ciphers, new HashSet<Encryption>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM,
+ Encryption.AES256, Encryption.AES256GCM))));
+ /* Temporarily enable everything else for sorting */
+ result.addAll(ciphers);
+
+
+ /* Low priority for MD5 */
+ moveToEnd(result, filterByMessageDigest(result, Collections.singleton(MessageDigest.MD5)));
+
+ /* Move anonymous ciphers to the end. Usually, these will remain disabled.
+ * (For applications that allow them, they aren't too bad, but we prefer
+ * authenticated ciphers.) */
+ moveToEnd(result, filterByAuthentication(result, Collections.singleton(Authentication.aNULL)));
+
+ /* Move ciphers without forward secrecy to the end */
+ moveToEnd(result, filterByAuthentication(result, Collections.singleton(Authentication.ECDH)));
+ moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.RSA)));
+ moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.PSK)));
+ moveToEnd(result, filterByKeyExchange(result, Collections.singleton(KeyExchange.KRB5)));
+ /* RC4 is sort-of broken -- move the the end */
+ moveToEnd(result, filterByEncryption(result, Collections.singleton(Encryption.RC4)));
+ return strengthSort(result);
+ }
+
+ static Set<Ciphers> filterByStrengthBits(Set<Ciphers> ciphers, int strength_bits) {
+ Set<Ciphers> result = new LinkedHashSet<Ciphers>(ciphers.size());
+ for (Ciphers cipher : ciphers) {
+ if (cipher.getStrength_bits() == strength_bits) {
+ result.add(cipher);
+ }
+ }
+ return result;
+ }
+
+ static Set<Ciphers> filterByProtocol(Set<Ciphers> ciphers, Set<Protocol> protocol) {
+ return filter(ciphers, protocol, null, null, null, null, null);
+ }
+
+ static Set<Ciphers> filterByKeyExchange(Set<Ciphers> ciphers, Set<KeyExchange> kx) {
+ return filter(ciphers, null, kx, null, null, null, null);
+ }
+
+ static Set<Ciphers> filterByAuthentication(Set<Ciphers> ciphers, Set<Authentication> au) {
+ return filter(ciphers, null, null, au, null, null, null);
+ }
+
+ static Set<Ciphers> filterByEncryption(Set<Ciphers> ciphers, Set<Encryption> enc) {
+ return filter(ciphers, null, null, null, enc, null, null);
+ }
+
+ static Set<Ciphers> filterByEncryptionLevel(Set<Ciphers> ciphers, Set<EncryptionLevel> level) {
+ return filter(ciphers, null, null, null, null, level, null);
+ }
+
+ static Set<Ciphers> filterByMessageDigest(Set<Ciphers> ciphers, Set<MessageDigest> mac) {
+ return filter(ciphers, null, null, null, null, null, mac);
+ }
+
+ static Set<Ciphers> filter(Set<Ciphers> ciphers, Set<Protocol> protocol, Set<KeyExchange> kx,
+ Set<Authentication> au, Set<Encryption> enc, Set<EncryptionLevel> level, Set<MessageDigest> mac) {
+ Set<Ciphers> result = new LinkedHashSet<Ciphers>(ciphers.size());
+ for (Ciphers cipher : ciphers) {
+ if (protocol != null && protocol.contains(cipher.getProtocol())) {
+ result.add(cipher);
+ }
+ if (kx != null && kx.contains(cipher.getKx())) {
+ result.add(cipher);
+ }
+ if (au != null && au.contains(cipher.getAu())) {
+ result.add(cipher);
+ }
+ if (enc != null && enc.contains(cipher.getEnc())) {
+ result.add(cipher);
+ }
+ if (level != null && level.contains(cipher.getLevel())) {
+ result.add(cipher);
+ }
+ if (mac != null && mac.contains(cipher.getMac())) {
+ result.add(cipher);
+ }
+ }
+ return result;
+ }
+
+ static LinkedHashSet<Ciphers> parse(String expression) {
+ if (!initialized) {
+ init();
+ }
+ String[] elements = expression.split(SEPARATOR);
+ LinkedHashSet<Ciphers> ciphers = new LinkedHashSet<Ciphers>();
+ Set<Ciphers> removedCiphers = new HashSet<Ciphers>();
+ for (String element : elements) {
+ if (element.startsWith(DELETE)) {
+ String alias = element.substring(1);
+ if (aliases.containsKey(alias)) {
+ remove(ciphers, alias);
+ }
+ } else if (element.startsWith(EXCLUDE)) {
+ String alias = element.substring(1);
+ if (aliases.containsKey(alias)) {
+ removedCiphers.addAll(aliases.get(alias));
+ } else {
+ CoyoteLogger.UTIL_LOGGER.warn("Unknown element " + alias);
+ }
+ } else if (element.startsWith(TO_END)) {
+ String alias = element.substring(1);
+ if (aliases.containsKey(alias)) {
+ moveToEnd(ciphers, alias);
+ }
+ } else if ("@STRENGTH".equals(element)) {
+ strengthSort(ciphers);
+ break;
+ } else if (aliases.containsKey(element)) {
+ add(ciphers, element);
+ }
+ }
+ ciphers.removeAll(removedCiphers);
+ return defaultSort(ciphers);
+ }
+
+ static List<String> convertForJSSE(Collection<Ciphers> ciphers) {
+ List<String> result = new ArrayList<String>(ciphers.size());
+ for (Ciphers cipher : ciphers) {
+ result.add(cipher.name());
+ }
+ return result;
+ }
+
+ /**
+ * Parse the specified expression according to the OpenSSL syntax and returns a list of standard cipher names.
+ * @param expression: the openssl expression to define a list of cipher.
+ * @return the corresponding list of ciphers.
+ */
+ public static List<String> parseExpression(String expression) {
+ return convertForJSSE(parse(expression));
+ }
+
+ static String displayResult(Set<Ciphers> ciphers, String separator) {
+ if (ciphers.isEmpty()) {
+ return "";
+ }
+ StringBuilder builder = new StringBuilder(ciphers.size() * 16);
+ for (Ciphers cipher : ciphers) {
+ builder.append(cipher.getOpenSSLAlias());
+ builder.append(separator);
+ }
+ return builder.toString().substring(0, builder.length() - 1);
+ }
+}
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java (rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java 2014-05-22 09:02:55 UTC (rev 2413)
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum Protocol {
+ SSLv3, SSLv2, TLSv1, TLSv1_2;
+}
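Review bot: The enum has no constant for TLS 1.1 and its Javadoc is empty, so nothing here explains why the parser added in this same commit registers its `"TLSv1.1"` alias with `Protocol.SSLv3`. Someone who writes `TLSv1.1` in a cipher expression gets the suites tagged SSLv3, which is surprising without a stated reason. If that mapping is intentional, the class comment should say so, for example `/** Protocol version a cipher suite is tagged with; there is no TLSv1.1 constant and the "TLSv1.1" alias selects the SSLv3-tagged suites. */`. If it is not intentional, the alias needs a constant of its own.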
JBossWeb SVN: r2412 - branches/7.4.x/src/main/java/org/apache/coyote/http11.
by jbossweb-commits@lists.jboss.org
Author: remy.maucherat(a)jboss.com
Date: 2014-05-15 05:50:43 -0400 (Thu, 15 May 2014)
New Revision: 2412
Modified:
branches/7.4.x/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java
Log:
BZ1097763: Identify apparently missing code in non blocking mode to make sure the data can fit in the buffer, so possible fix.
Modified: branches/7.4.x/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java 2014-05-02 14:10:48 UTC (rev 2411)
+++ branches/7.4.x/src/main/java/org/apache/coyote/http11/InternalNioInputBuffer.java 2014-05-15 09:50:43 UTC (rev 2412)
@@ -118,6 +118,14 @@
if (nBytes > 0) {
bbuf.flip();
+ if (nBytes > (buf.length - end)) {
+ // An alternative is to bbuf.limit(buf.length - end) before the read,
+ // which may be less efficient
+ buf = new byte[buf.length];
+ end = 0;
+ pos = end;
+ lastValid = pos;
+ }
bbuf.get(buf, pos, nBytes);
lastValid = pos + nBytes;
semaphore.release();
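Review bot: The new guard measures free space from `end` (`nBytes > (buf.length - end)`), but the copy that follows writes at `pos` (`bbuf.get(buf, pos, nBytes)`), so whenever `pos` is past `end` a read can pass the check and still not fit, and `bbuf.get` then throws IndexOutOfBoundsException. Comparing against the offset actually used, `if (nBytes > (buf.length - pos)) {`, would close that gap. The replacement array is also the same size as the old one, so the reset only helps if the socket buffer can never deliver more than `buf.length` bytes; that relationship is not visible here and deserves a one-line comment or an explicit check. The enclosing method starts and ends outside the hunk.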
@@ -456,7 +464,7 @@
if (nRead > 0) {
bbuf.flip();
if (nRead > (buf.length - end)) {
- // An alternative is to bbuf.setLimit(buf.length - end) before the read,
+ // An alternative is to bbuf.limit(buf.length - end) before the read,
// which may be less efficient
buf = new byte[buf.length];
end = 0;
@@ -486,6 +494,8 @@
throw MESSAGES.requestHeaderTooLarge();
}
} else {
+ // Alternative to buffer reallocation
+ // bbuf.limit(buf.length - end);
pos = end;
lastValid = pos;
}
JBossWeb SVN: r2411 - branches/JBOSSWEB_7_2_2_FINAL_BZ-1093718/src/main/java/org/apache/tomcat/util/net.
by jbossweb-commits@lists.jboss.org
Author: aogburn
Date: 2014-05-02 10:10:48 -0400 (Fri, 02 May 2014)
New Revision: 2411
Modified:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1093718/src/main/java/org/apache/tomcat/util/net/NioEndpoint.java
Log:
[BZ-1093718] commit merged fix
Modified: branches/JBOSSWEB_7_2_2_FINAL_BZ-1093718/src/main/java/org/apache/tomcat/util/net/NioEndpoint.java
===================================================================
--- branches/JBOSSWEB_7_2_2_FINAL_BZ-1093718/src/main/java/org/apache/tomcat/util/net/NioEndpoint.java 2014-05-02 13:03:49 UTC (rev 2410)
+++ branches/JBOSSWEB_7_2_2_FINAL_BZ-1093718/src/main/java/org/apache/tomcat/util/net/NioEndpoint.java 2014-05-02 14:10:48 UTC (rev 2411)
@@ -1028,8 +1028,14 @@
@Override
public void run() {
try {
- Handler.SocketState state = ((status == null) ? handler.process(channel) : handler
- .event(channel, status));
+ Handler.SocketState state = null;
+ if (status == null) {
+ state = handler.process(channel);
+ } else {
+ synchronized (channel) {
+ state = handler.event(channel, status);
+ }
+ }
if (state == SocketState.CLOSED) {
closeChannel(channel);
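Review bot: Only the `handler.event(channel, status)` branch takes `synchronized (channel)`; `handler.process(channel)` in the branch above still runs without the monitor, so this change does not serialise a process call against an event call for the same channel. If that overlap is part of what BZ-1093718 covers (the log message does not say), the process branch needs the same guard. If it is not, a comment should record what the lock protects, for example `// serialise event dispatch per channel; process() is not guarded because <reason>`. The `= null` initialiser on `state` is redundant because both branches assign it. `run()` continues outside the hunk.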
Property changes on: branches/JBOSSWEB_7_2_2_FINAL_BZ-1093718/src/main/java/org/apache/tomcat/util/net/NioEndpoint.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/tomcat/util/net/NioEndpoint.java:2405
JBossWeb SVN: r2410 - branches.
by jbossweb-commits@lists.jboss.org
Author: aogburn
Date: 2014-05-02 09:03:49 -0400 (Fri, 02 May 2014)
New Revision: 2410
Added:
branches/JBOSSWEB_7_2_2_FINAL_BZ-1093718/
Log:
[BZ-1093718] create one-off branch