Author: remy.maucherat(a)jboss.com
Date: 2014-05-22 05:02:55 -0400 (Thu, 22 May 2014)
New Revision: 2413
Added:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSEUtils.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
Modified:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java
Log:
BZ1078204: Support OpenSSL syntax for ciphers, and change the default cipher suite.
Submitted by Emmanuel Hugonnet.
Modified:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
===================================================================
---
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2014-05-15
09:50:43 UTC (rev 2412)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -205,59 +205,9 @@
String[] enabledCiphers = null;
if (requestedCiphers != null) {
- Vector vec = null;
- String cipher = requestedCiphers;
- int index = requestedCiphers.indexOf(',');
- if (index != -1) {
- int fromIndex = 0;
- while (index != -1) {
- cipher = requestedCiphers.substring(fromIndex, index).trim();
- if (cipher.length() > 0) {
- /*
- * Check to see if the requested cipher is among the
- * supported ciphers, i.e., may be enabled
- */
- for (int i=0; supportedCiphers != null
- && i<supportedCiphers.length; i++) {
- if (supportedCiphers[i].equals(cipher)) {
- if (vec == null) {
- vec = new Vector();
- }
- vec.addElement(cipher);
- break;
- }
- }
- }
- fromIndex = index+1;
- index = requestedCiphers.indexOf(',', fromIndex);
- } // while
- cipher = requestedCiphers.substring(fromIndex);
- }
-
- if (cipher != null) {
- cipher = cipher.trim();
- if (cipher.length() > 0) {
- /*
- * Check to see if the requested cipher is among the
- * supported ciphers, i.e., may be enabled
- */
- for (int i=0; supportedCiphers != null
- && i<supportedCiphers.length; i++) {
- if (supportedCiphers[i].equals(cipher)) {
- if (vec == null) {
- vec = new Vector();
- }
- vec.addElement(cipher);
- break;
- }
- }
- }
- }
-
- if (vec != null) {
- enabledCiphers = new String[vec.size()];
- vec.copyInto(enabledCiphers);
- } else {
+ String[] ciphers = requestedCiphers.split(",");
+ enabledCiphers = JSSEUtils.getEnabledCiphers(ciphers, supportedCiphers);
+ if(enabledCiphers == null || enabledCiphers.length == 0) {
throw new IOException(MESSAGES.noCipherMatch()); // Like openssl.
}
} else {
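Review bot: `requestedCiphers.split(",")` on the new side drops the per-entry `trim()` that the removed loop applied to every element, so a configured list such as `TLS_A, TLS_B` now hands `" TLS_B"` to `JSSEUtils.getEnabledCiphers`, where it can never equal a supported suite name and is silently excluded; the noCipherMatch exception only fires if every entry fails, so a preferred suite can vanish from the enabled set without any error. Trimming around the separator restores the old tolerance: `String[] ciphers = requestedCiphers.trim().split("\\s*,\\s*");`. The identical split is introduced in the NioJSSESocketChannelFactory hunk of this commit and needs the same treatment. The enclosing method starts and ends outside this hunk.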
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSEUtils.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSEUtils.java
(rev 0)
+++ branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/JSSEUtils.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ *
+ * Copyright 2011 Red Hat, Inc. and/or its affiliates, and individual
+ * contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *
http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.net.jsse;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+import org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser;
+
+/**
+ * Utility methods.
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel
Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+public final class JSSEUtils {
+
+ public static String[] getEnabledCiphers(final String[] cipherSuites, final String[]
supportedCiphers) {
+ return resolveEnabledCipherSuite(cipherSuites, new
HashSet<String>(Arrays.asList(supportedCiphers)));
+ }
+
+ static String[] resolveEnabledCipherSuite(final String[] cipherSuites, final
Set<String> supportedCiphers) {
+ Set<String> result = new LinkedHashSet<String>();
+ if (cipherSuites.length == 1) {
+ List<String> enabledCiphers =
OpenSSLCipherConfigurationParser.parseExpression(cipherSuites[0]);
+ for (String enabledCipher : enabledCiphers) {
+ if (supportedCiphers.contains(enabledCipher)) {
+ result.add(enabledCipher);
+ }
+ }
+ } else {
+ for (String enabledCipher : cipherSuites) {
+ if (supportedCiphers.contains(enabledCipher)) {
+ result.add(enabledCipher);
+ }
+ }
+ }
+ return result.toArray(new String[result.size()]);
+ }
+
+}
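Review bot: `getEnabledCiphers` wraps `supportedCiphers` in `Arrays.asList` with no null check, so a null `supportedCiphers` — which the removed loops in both socket factories explicitly tolerated through their `supportedCiphers != null` guard — now escapes as a NullPointerException from the factory instead of the noCipherMatch IOException the callers still expect to throw. A guard at the top of the method keeps the previous contract: `if (supportedCiphers == null) { return new String[0]; }`. Both methods also lack Javadoc, and the branch on `cipherSuites.length == 1` in `resolveEnabledCipherSuite` silently switches from exact JSSE-name matching to `OpenSSLCipherConfigurationParser.parseExpression`, so a one-sentence method comment should state that a single entry is interpreted as an OpenSSL cipher string while two or more entries are taken as JSSE suite names, which presumably means a lone JSSE name only works if the parser accepts it.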
Modified:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java
===================================================================
---
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java 2014-05-15
09:50:43 UTC (rev 2412)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/NioJSSESocketChannelFactory.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -345,61 +345,13 @@
String[] enabledCiphers = null;
SSLServerSocketFactory sslProxy = sslContext.getServerSocketFactory();
if (requestedCiphers != null) {
- Vector<Object> vec = null;
- String cipher = requestedCiphers;
- int index = requestedCiphers.indexOf(',');
- if (index != -1) {
- int fromIndex = 0;
- while (index != -1) {
- cipher = requestedCiphers.substring(fromIndex, index).trim();
- if (cipher.length() > 0) {
- /*
- * Check to see if the requested cipher is among the
- * supported ciphers, i.e., may be enabled
- */
- for (int i = 0; supportedCiphers != null && i < supportedCiphers.length;
i++) {
- if (supportedCiphers[i].equals(cipher)) {
- if (vec == null) {
- vec = new Vector<Object>();
- }
- vec.addElement(cipher);
- break;
- }
- }
- }
- fromIndex = index + 1;
- index = requestedCiphers.indexOf(',', fromIndex);
- } // while
- cipher = requestedCiphers.substring(fromIndex);
- }
-
- if (cipher != null) {
- cipher = cipher.trim();
- if (cipher.length() > 0) {
- /*
- * Check to see if the requested cipher is among the
- * supported ciphers, i.e., may be enabled
- */
- for (int i = 0; supportedCiphers != null && i < supportedCiphers.length;
i++) {
- if (supportedCiphers[i].equals(cipher)) {
- if (vec == null) {
- vec = new Vector<Object>();
- }
- vec.addElement(cipher);
- break;
- }
- }
- }
- }
-
- if (vec != null) {
- enabledCiphers = new String[vec.size()];
- vec.copyInto(enabledCiphers);
- } else {
- throw new IOException(MESSAGES.noCipherMatch()); // Like openssl.
- }
+ String[] ciphers = requestedCiphers.split(",");
+ enabledCiphers = JSSEUtils.getEnabledCiphers(ciphers,
supportedCiphers);
+ if(enabledCiphers == null || enabledCiphers.length == 0) {
+ throw new IOException(MESSAGES.noCipherMatch()); // Like openssl.
+ }
} else {
- enabledCiphers = sslProxy.getDefaultCipherSuites();
+ enabledCiphers = sslProxy.getDefaultCipherSuites();
}
return enabledCiphers;
Added:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
===================================================================
---
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
(rev 0)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel
Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum Authentication {
+ RSA /* RSA auth */,
+ DSS /* DSS auth */,
+ aNULL /* no auth (i.e. use ADH or AECDH) */,
+ DH /* Fixed DH auth (kDHd or kDHr) */,
+ ECDH /* Fixed ECDH auth (kECDHe or kECDHr) */,
+ KRB5 /* KRB5 auth */,
+ ECDSA/* ECDSA auth*/,
+ PSK /* PSK auth */,
+ GOST94 /* GOST R 34.10-94 signature auth */,
+ GOST01 /* GOST R 34.10-2001 */,
+ FZA /* Fortezza */;
+}
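Review bot: The class Javadoc above `enum Authentication` carries only the author tag and no summary sentence, while constants such as `aNULL`, `DH` and `ECDH` only make sense against the OpenSSL alias vocabulary the trailing comments (`kDHd or kDHr`, `kECDHe or kECDHr`) allude to. A summary like `/** Authentication algorithm of a cipher suite, named after the OpenSSL cipher-string aliases; aNULL means no authentication. */` would explain to a reader why the names depart from Java conventions. The inline comment on `ECDSA/* ECDSA auth*/` is also spaced differently from its neighbours.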
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
(rev 0)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -0,0 +1,2304 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ * All Ciphers for SSL/TSL.
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel
Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum Ciphers {
+ /* The RSA ciphers */
+ // Cipher 01
+ SSL_RSA_WITH_NULL_MD5("NULL-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0),
+ // Cipher 02
+ SSL_RSA_WITH_NULL_SHA("NULL-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0),
+ // Cipher 03
+ SL_RSA_EXPORT_WITH_RC4_40_MD5("EXP-RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 04
+ SSL_RSA_WITH_RC4_128_MD5("RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 05
+ SSL_RSA_WITH_RC4_128_SHA("RC4-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 06
+ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5("EXP-RC2-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 07
+ SSL_RSA_WITH_IDEA_CBC_SHA("IDEA-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.IDEA,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 08
+ SSL_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-DES-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 09
+ SSL_RSA_WITH_DES_CBC_SHA("DES-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 0A
+ SSL_RSA_WITH_3DES_EDE_CBC_SHA("DES-CBC3-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ /* The DH ciphers */
+ // Cipher 0B
+ SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA("EXP-DH-DSS-DES-CBC-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 0C
+ SSL_DH_DSS_WITH_DES_CBC_SHA("DH-DSS-DES-CBC-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 0D
+ SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA("DH-DSS-DES-CBC3-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ // Cipher 0E
+ SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-DH-RSA-DES-CBC-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 0F
+ SSL_DH_RSA_WITH_DES_CBC_SHA("DH-RSA-DES-CBC-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 10
+ SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA("DH-RSA-DES-CBC3-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ /* The Ephemeral DH ciphers */
+ // Cipher 11
+ SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA("EXP-EDH-DSS-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 12
+ SSL_DHE_DSS_WITH_DES_CBC_SHA("EDH-DSS-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 13
+ SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA("EDH-DSS-DES-CBC3-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ // Cipher 14
+ TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-EDH-RSA-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 15
+ TLS_DHE_RSA_WITH_DES_CBC_SHA("EDH-RSA-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 16
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA("EDH-RSA-DES-CBC3-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ // Cipher 17
+ TLS_DH_anon_EXPORT_WITH_RC4_40_MD5("EXP-ADH-RC4-MD5",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 18
+ TLS_DH_anon_WITH_RC4_128_MD5("ADH-RC4-MD5",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 19
+ TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA("EXP-ADH-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 1A
+ TLS_DH_anon_WITH_DES_CBC_SHA("ADH-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 1B
+ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA("ADH-DES-CBC3-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ /* Fortezza ciphersuite from SSL 3.0 spec */
+ // Cipher 1C
+ SSL_FORTEZZA_DMS_WITH_NULL_SHA("FZA-NULL-SHA",
+ KeyExchange.FZA,
+ Authentication.FZA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0),
+ // Cipher 1D
+ SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA("FZA-FZA-CBC-SHA",
+ KeyExchange.FZA,
+ Authentication.FZA,
+ Encryption.FZA,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0),
+ // Cipher 1E
+ SSL_FORTEZZA_DMS_WITH_RC4_128_SHA("FZA-RC4-SHA",
+ KeyExchange.FZA,
+ Authentication.FZA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ /* The Kerberos ciphers*/
+ // Cipher 1E
+ /*TLS_KRB5_WITH_DES_CBC_SHA("KRB5-DES-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 1F
+ TLS_KRB5_WITH_3DES_EDE_CBC_SHA("KRB5-DES-CBC3-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168),
+ // Cipher 20
+ TLS_KRB5_WITH_RC4_128_SHA("KRB5-RC4-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 21
+ TLS_KRB5_WITH_IDEA_CBC_SHA("KRB5-IDEA-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.IDEA,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 22
+ TLS_KRB5_WITH_DES_CBC_MD5("KRB5-DES-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56),
+ // Cipher 23
+ TLS_KRB5_WITH_3DES_EDE_CBC_MD5("KRB5-DES-CBC3-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.TRIPLE_DES,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168),
+ // Cipher 24
+ TLS_KRB5_WITH_RC4_128_MD5("KRB5-RC4-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 25
+ TLS_KRB5_WITH_IDEA_CBC_MD5("KRB5-IDEA-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.IDEA,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 26
+ TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA("EXP-KRB5-DES-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 27
+ TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA("EXP-KRB5-RC2-CBC-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC2,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 28
+ TLS_KRB5_EXPORT_WITH_RC4_40_SHA("EXP-KRB5-RC4-SHA",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 29
+ TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5("EXP-KRB5-DES-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.DES,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 56),
+ // Cipher 2A
+ TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5("EXP-KRB5-RC2-CBC-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),
+ // Cipher 2B
+ TLS_KRB5_EXPORT_WITH_RC4_40_MD5("EXP-KRB5-RC4-MD5",
+ KeyExchange.KRB5,
+ Authentication.KRB5,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv3,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128),*/
+ /* New AES ciphersuites */
+ // Cipher 2F
+ TLS_RSA_WITH_AES_128_CBC_SHA("AES128-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 30
+ TLS_DH_DSS_WITH_AES_128_CBC_SHA("DH-DSS-AES128-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 31
+ TLS_DH_RSA_WITH_AES_128_CBC_SHA("DH-RSA-AES128-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 32
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA("DHE-DSS-AES128-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 33
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA("DHE-RSA-AES128-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 34
+ TLS_DH_anon_WITH_AES_128_CBC_SHA("ADH-AES128-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 35
+ TLS_RSA_WITH_AES_256_CBC_SHA("AES256-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 36
+ TLS_DH_DSS_WITH_AES_256_CBC_SHA("DH-DSS-AES256-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 37
+ TLS_DH_RSA_WITH_AES_256_CBC_SHA("DH-RSA-AES256-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 38
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA("DHE-DSS-AES256-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 39
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA("DHE-RSA-AES256-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256), // Cipher 3A
+ TLS_DH_anon_WITH_AES_256_CBC_SHA("ADH-AES256-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ /* TLS v1.2 ciphersuites */
+ // Cipher 3B
+ TLS_RSA_WITH_NULL_SHA256("NULL-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0),
+ // Cipher 3C
+ TLS_RSA_WITH_AES_128_CBC_SHA256("AES128-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 3D
+ TLS_RSA_WITH_AES_256_CBC_SHA256("AES256-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 3E
+ TLS_DH_DSS_WITH_AES_128_CBC_SHA256("DH-DSS-AES128-SHA256",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 3F
+ TLS_DH_RSA_WITH_AES_128_CBC_SHA256("DH-RSA-AES128-SHA256",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 40
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256("DHE-DSS-AES128-SHA256",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ /* Camellia ciphersuites from RFC4132 (128-bit portion) */
+ // Cipher 41
+ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA("CAMELLIA128-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ // Cipher 42
+ TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA("DH-DSS-CAMELLIA128-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ // Cipher 43
+ TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA("DH-RSA-CAMELLIA128-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ // Cipher 44
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA("DHE-DSS-CAMELLIA128-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ // Cipher 45
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA("DHE-RSA-CAMELLIA128-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ // Cipher 46
+ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA("ADH-CAMELLIA128-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.CAMELLIA128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128),
+ /* New TLS Export CipherSuites from expired ID */
+ // Cipher 60
+ SSL_RSA_EXPORT1024_WITH_RC4_56_MD5("EXP1024-RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128),
+ // Cipher 61
+ SSL_RSA_EXPORT1024_WITH_RC2_CBC_56_MD("EXP1024-RC2-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128),
+ // Cipher 62
+ SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA("EXP1024-DES-CBC-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 56),
+ // Cipher 63
+ SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA("EXP1024-DHE-DSS-DES-CBC-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 56),
+ // Cipher 64
+ SSL_RSA_EXPORT1024_WITH_RC4_56_SHA("EXP1024-RC4-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128),
+ // Cipher 65
+ SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA("EXP1024-DHE-DSS-RC4-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ true,
+ EncryptionLevel.EXP56,
+ false,
+ 56,
+ 128),
+ // Cipher 66
+ SSL_DHE_DSS_WITH_RC4_128_SHA("DHE-DSS-RC4-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ /* TLS v1.2 ciphersuites */
+ // Cipher 67
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256("DHE-RSA-AES128-SHA256",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128),
+ // Cipher 68
+ TLS_DH_DSS_WITH_AES_256_CBC_SHA256("DH-DSS-AES256-SHA256",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 69
+ TLS_DH_RSA_WITH_AES_256_CBC_SHA256("DH-RSA-AES256-SHA256",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 6A
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256("DHE-DSS-AES256-SHA256",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 6B
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256("DHE-RSA-AES256-SHA256",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ // Cipher 6C
+ TLS_DH_anon_WITH_AES_128_CBC_SHA256("ADH-AES128-SHA256",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 6D
+ TLS_DH_anon_WITH_AES_256_CBC_SHA256("ADH-AES256-SHA256",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256),
+ /* GOST Ciphersuites */
+ TLS_GOSTR341094_WITH_28147_CNT_IMIT("GOST94-GOST89-GOST89",
+ KeyExchange.GOST,
+ Authentication.GOST94,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ TLS_GOSTR341001_WITH_28147_CNT_IMIT("GOST2001-GOST89-GOST89",
+ KeyExchange.GOST,
+ Authentication.GOST01,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ TLS_GOSTR341094_WITH_NULL_GOSTR3411("GOST94-NULL-GOST94",
+ KeyExchange.GOST,
+ Authentication.GOST94,
+ Encryption.eNULL,
+ MessageDigest.GOST94,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0),
+ TLS_GOSTR341001_WITH_NULL_GOSTR3411("GOST2001-NULL-GOST94",
+ KeyExchange.GOST,
+ Authentication.GOST01,
+ Encryption.eNULL,
+ MessageDigest.GOST94,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ false,
+ 0,
+ 0),
+ /* Camellia ciphersuites from RFC4132 (256-bit portion) */
+ // Cipher 84
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA("CAMELLIA256-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ // Cipher 85
+ TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA("DH-DSS-CAMELLIA256-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ // Cipher 86
+ TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SH("DH-RSA-CAMELLIA256-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ // Cipher 87
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA("DHE-DSS-CAMELLIA256-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ // Cipher 88
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA("DHE-RSA-CAMELLIA256-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256), // Cipher 89
+ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA("ADH-CAMELLIA256-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.CAMELLIA256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256),
+ // Cipher 8A
+ TLS_PSK_WITH_RC4_128_SHA("PSK-RC4-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128),
+ // Cipher 8B
+ TLS_PSK_WITH_3DES_EDE_CBC_SHA("PSK-3DES-EDE-CBC-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher 8C
+ TLS_PSK_WITH_AES_128_CBC_SHA("PSK-AES128-CBC-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 8D
+ TLS_PSK_WITH_AES_256_CBC_SHA("PSK-AES256-CBC-SHA",
+ KeyExchange.PSK,
+ Authentication.PSK,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* SEED ciphersuites from RFC4162 */
+ // Cipher 96
+ TLS_RSA_WITH_SEED_CBC_SHA("SEED-SHA",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 97
+ TLS_DH_DSS_WITH_SEED_CBC_SHA("DH-DSS-SEED-SHA",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 98
+ TLS_DH_RSA_WITH_SEED_CBC_SHA("DH-RSA-SEED-SHA",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 99
+ TLS_DHE_DSS_WITH_SEED_CBC_SHA("DHE-DSS-SEED-SHA",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 9A
+ TLS_DHE_RSA_WITH_SEED_CBC_SHA("DHE-RSA-SEED-SHA",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher 9B
+ TLS_DH_anon_WITH_SEED_CBC_SHA("ADH-SEED-SHA",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.SEED,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ /* GCM ciphersuites from RFC5288 */
+ // Cipher 9C
+ TLS_RSA_WITH_AES_128_GCM_SHA256("AES128-GCM-SHA256",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 9D
+ TLS_RSA_WITH_AES_256_GCM_SHA384("AES256-GCM-SHA384",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher 9E
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256("DHE-RSA-AES128-GCM-SHA256",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher 9F
+ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384("DHE-RSA-AES256-GCM-SHA384",
+ KeyExchange.EDH,
+ Authentication.RSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A0
+ TLS_DH_RSA_WITH_AES_128_GCM_SHA256("DH-RSA-AES128-GCM-SHA256",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A1
+ TLS_DH_RSA_WITH_AES_256_GCM_SHA384("DH-RSA-AES256-GCM-SHA384",
+ KeyExchange.DHr,
+ Authentication.DH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A2
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256("DHE-DSS-AES128-GCM-SHA256",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A3
+ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384("DHE-DSS-AES256-GCM-SHA384",
+ KeyExchange.EDH,
+ Authentication.DSS,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A4
+ TLS_DH_DSS_WITH_AES_128_GCM_SHA256("DH-DSS-AES128-GCM-SHA256",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A5
+ TLS_DH_DSS_WITH_AES_256_GCM_SHA384("DH-DSS-AES256-GCM-SHA384",
+ KeyExchange.DHd,
+ Authentication.DH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher A6
+ TLS_DH_anon_WITH_AES_128_GCM_SHA256("ADH-AES128-GCM-SHA256",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher A7
+ TLS_DH_anon_WITH_AES_256_GCM_SHA384("ADH-AES256-GCM-SHA384",
+ KeyExchange.EDH,
+ Authentication.aNULL,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
+ // Cipher C001
+ TLS_ECDH_ECDSA_WITH_NULL_SHA("ECDH-ECDSA-NULL-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C002
+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA("ECDH-ECDSA-RC4-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C003
+ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA("ECDH-ECDSA-DES-CBC3-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C004
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA("ECDH-ECDSA-AES128-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C005
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA("ECDH-ECDSA-AES256-SHA",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C006
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA("ECDHE-ECDSA-NULL-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C007
+ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA("ECDHE-ECDSA-RC4-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C008
+ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA("ECDHE-ECDSA-DES-CBC3-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C009
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA("ECDHE-ECDSA-AES128-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C00A
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA("ECDHE-ECDSA-AES256-SHA",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C00B
+ TLS_ECDH_RSA_WITH_NULL_SHA("ECDH-RSA-NULL-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C00C
+ TLS_ECDH_RSA_WITH_RC4_128_SHA("ECDH-RSA-RC4-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C00D
+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA("ECDH-RSA-DES-CBC3-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C00E
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA("ECDH-RSA-AES128-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C00F
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA("ECDH-RSA-AES256-SHA",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ TLS_ECDHE_RSA_WITH_NULL_SHA("ECDHE-RSA-NULL-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C011
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA("ECDHE-RSA-RC4-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C012
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA("ECDHE-RSA-DES-CBC3-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C013
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA("ECDHE-RSA-AES128-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C014
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA("ECDHE-RSA-AES256-SHA",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C015
+ TLS_ECDH_anon_WITH_NULL_SHA("AECDH-NULL-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.eNULL,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.STRONG_NONE,
+ true,
+ 0,
+ 0
+ ),
+ // Cipher C016
+ TLS_ECDH_anon_WITH_RC4_128_SHA("AECDH-RC4-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.RC4,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C017
+ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA("AECDH-DES-CBC3-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 168,
+ 168
+ ),
+ // Cipher C018
+ TLS_ECDH_anon_WITH_AES_128_CBC_SHA("AECDH-AES128-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C019
+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA("AECDH-AES256-SHA",
+ KeyExchange.EECDH,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* SRP ciphersuite from RFC 5054 */
+ // Cipher C01A
+ TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA("SRP-3DES-EDE-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.aNULL,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ ),
+ // Cipher C01B
+ TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA("SRP-RSA-3DES-EDE-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ ),
+ // Cipher C01C
+ TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA("SRP-DSS-3DES-EDE-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.DSS,
+ Encryption.TRIPLE_DES,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ ),
+ // Cipher C01D
+ TLS_SRP_SHA_WITH_AES_128_CBC_SHA("SRP-AES-128-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.aNULL,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C01E
+ TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA("SRP-RSA-AES-128-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C01F
+ TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA("SRP-DSS-AES-128-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.DSS,
+ Encryption.AES128,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 128,
+ 128
+ ),
+ // Cipher C020
+ TLS_SRP_SHA_WITH_AES_256_CBC_SHA("SRP-AES-256-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.aNULL,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher C021
+ TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA("SRP-RSA-AES-256-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ // Cipher C022
+ TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA("SRP-DSS-AES-256-CBC-SHA",
+ KeyExchange.SRP,
+ Authentication.DSS,
+ Encryption.AES256,
+ MessageDigest.SHA1,
+ Protocol.TLSv1,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 256,
+ 256
+ ),
+ /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
+ // Cipher C023
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256("ECDHE-ECDSA-AES128-SHA256",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C024
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384("ECDHE-ECDSA-AES256-SHA384",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C025
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256("ECDH-ECDSA-AES128-SHA256",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C026
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384("ECDH-ECDSA-AES256-SHA384",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C027
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256("ECDHE-RSA-AES128-SHA256",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C028
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384("ECDHE-RSA-AES256-SHA384",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C029
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256("ECDH-RSA-AES128-SHA256",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES128,
+ MessageDigest.SHA256,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C02A
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384("ECDH-RSA-AES256-SHA384",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES256,
+ MessageDigest.SHA384,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ /* GCM based TLS v1.2 ciphersuites from RFC5289 */
+ // Cipher C02B
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256("ECDHE-ECDSA-AES128-GCM-SHA256",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C02C
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384("ECDHE-ECDSA-AES256-GCM-SHA384",
+ KeyExchange.EECDH,
+ Authentication.ECDSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C02D
+ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256("ECDH-ECDSA-AES128-GCM-SHA256",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C02E
+ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384("ECDH-ECDSA-AES256-GCM-SHA384",
+ KeyExchange.ECDHe,
+ Authentication.ECDH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C02F
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256("ECDHE-RSA-AES128-GCM-SHA256",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C030
+ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384("ECDHE-RSA-AES256-GCM-SHA384",
+ KeyExchange.EECDH,
+ Authentication.RSA,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // Cipher C031
+ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256("ECDH-RSA-AES128-GCM-SHA256",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES128GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 128,
+ 128
+ ),
+ // Cipher C032
+ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384("ECDH-RSA-AES256-GCM-SHA384",
+ KeyExchange.ECDHr,
+ Authentication.ECDH,
+ Encryption.AES256GCM,
+ MessageDigest.AEAD,
+ Protocol.TLSv1_2,
+ false,
+ EncryptionLevel.HIGH,
+ true,
+ 256,
+ 256
+ ),
+ // RC4_128_WITH_MD5
+ SSL_CK_RC4_128_WITH_MD5("RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // RC4_128_EXPORT40_WITH_MD5
+ SSL_CK_RC4_128_EXPORT40_WITH_MD5("EXP-RC4-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC4,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128
+ ),
+ // RC2_128_CBC_WITH_MD5
+ SSL_CK_RC2_128_CBC_WITH_MD5("RC2-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // RC2_128_CBC_EXPORT40_WITH_MD5
+ SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5("EXP-RC2-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.RC2,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ true,
+ EncryptionLevel.EXP40,
+ false,
+ 40,
+ 128
+ ),
+ // IDEA_128_CBC_WITH_MD5
+ SSL_CK_IDEA_128_CBC_WITH_MD5("IDEA-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.IDEA,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false, EncryptionLevel.MEDIUM,
+ false,
+ 128,
+ 128
+ ),
+ // DES_64_CBC_WITH_MD5
+ SSL_CK_DES_64_CBC_WITH_MD5("DES-CBC-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.DES,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.LOW,
+ false,
+ 56,
+ 56
+ ),
+ // DES_192_EDE3_CBC_WITH_MD5
+ SSL_CK_DES_192_EDE3_CBC_WITH_MD5("DES-CBC3-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.TRIPLE_DES,
+ MessageDigest.MD5,
+ Protocol.SSLv2,
+ false,
+ EncryptionLevel.HIGH,
+ false,
+ 168,
+ 168
+ );
+
+ /* TEMP_GOST_TLS*/
+ /*
+ // Cipher FF00
+ TLS_GOSTR341094_RSA_WITH_28147_CNT_MD5("GOST-MD5",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.MD5,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+
+ 256,
+ 256,
+ ),
+ TLS_RSA_WITH_28147_CNT_GOST94(
+ "GOST-GOST94",
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST94,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+
+ 256,
+ 256
+ ),
+ {
+ 1,
+ "GOST-GOST89MAC",
+ 0x0300ff02,
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+
+ 256,
+ 256
+ ),
+ {
+ 1,
+ "GOST-GOST89STREAM",
+ 0x0300ff03,
+ KeyExchange.RSA,
+ Authentication.RSA,
+ Encryption.eGOST2814789CNT,
+ MessageDigest.GOST89MAC,
+ Protocol.TLSv1,
+ false, EncryptionLevel.HIGH,false,
+
+ 256,
+ 256
+ };*/
+ private final String openSSLAlias;
+ private final KeyExchange kx;
+ private final Authentication au;
+ private final Encryption enc;
+ private final MessageDigest mac;
+ private final Protocol protocol;
+ private final boolean export;
+ private final EncryptionLevel level;
+ private final boolean fipsCompatible;
+ /**
+ * Number of bits really used
+ */
+ private final int strength_bits;
+ /**
+ * Number of bits for algorithm
+ */
+ private final int alg_bits;
+
+ Ciphers(String openSSLAlias, KeyExchange kx, Authentication au,
+ Encryption enc, MessageDigest mac, Protocol protocol, boolean export,
+ EncryptionLevel level, boolean fipsCompatible, int strength_bits,
+ int alg_bits) {
+ this.openSSLAlias = openSSLAlias;
+ this.kx = kx;
+ this.au = au;
+ this.enc = enc;
+ this.mac = mac;
+ this.protocol = protocol;
+ this.export = export;
+ this.level = level;
+ this.fipsCompatible = fipsCompatible;
+ this.strength_bits = strength_bits;
+ this.alg_bits = alg_bits;
+ }
+
+ public String getOpenSSLAlias() {
+ return openSSLAlias;
+ }
+
+ public KeyExchange getKx() {
+ return kx;
+ }
+
+ public Authentication getAu() {
+ return au;
+ }
+
+ public Encryption getEnc() {
+ return enc;
+ }
+
+ public MessageDigest getMac() {
+ return mac;
+ }
+
+ public Protocol getProtocol() {
+ return protocol;
+ }
+
+ public boolean isExport() {
+ return export;
+ }
+
+ public EncryptionLevel getLevel() {
+ return level;
+ }
+
+ public boolean isFipsCompatible() {
+ return fipsCompatible;
+ }
+
+ public int getStrength_bits() {
+ return strength_bits;
+ }
+
+ public int getAlg_bits() {
+ return alg_bits;
+ }
+
+}
Added:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
(rev 0)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel
Hugonnet</a> (c) 2014
+ * Red Hat, inc.
+ */
+enum Encryption {
+ AES256GCM, AES256, AES128GCM, AES128, CAMELLIA256, CAMELLIA128, TRIPLE_DES, DES,
IDEA, eGOST2814789CNT, SEED, FZA, RC4, RC2, eNULL;
+}
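Review bot: The Javadoc on the new `Encryption` enum carries only the author tag and no summary sentence, and the same gap exists on `EncryptionLevel`, `KeyExchange` and `MessageDigest` in this commit. A line such as `/** Bulk cipher of a suite, keyed by its OpenSSL cipher-list keyword; {@code eNULL} is the no-encryption marker. */` would also tell a reader that the mixed-case constants (`eNULL`, `eGOST2814789CNT`) are deliberate OpenSSL spellings rather than typos. `FZA` is declared here although `KeyExchange` marks the Fortezza exchange as unsupported; if no `Ciphers` entry uses it, a short comment saying so avoids the question later.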
Added:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java
===================================================================
---
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java
(rev 0)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel
Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum EncryptionLevel {
+ STRONG_NONE, EXP40, EXP56, LOW, MEDIUM, HIGH, FIPS;
+}
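Review bot: `FIPS` is listed as an `EncryptionLevel`, but `Ciphers` in this commit already models FIPS eligibility as a separate `fipsCompatible` boolean, and every visible `Ciphers` entry uses only `STRONG_NONE`, `EXP40`, `LOW`, `MEDIUM` or `HIGH` for the level. In OpenSSL's strength field FIPS is an extra flag bit rather than a strength value, so the constant appears to be dead; either document what a level of `FIPS` means here or drop it. A comment on the declaration order would also help, e.g. `// Ordered from weakest to strongest; STRONG_NONE marks suites with no encryption (eNULL)` — assuming that ordering is intentional, which the hunk alone does not show.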
Added:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java
(rev 0)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel
Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum KeyExchange {
+ EECDH /* ephemeral ECDH */,
+ RSA /* RSA key exchange */,
+ DHr /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */,
+ DHd /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */,
+ EDH /* tmp DH key no DH cert */,
+ PSK /* PSK */,
+ FZA /* Fortezza */ /* no such ciphersuite supported! */,
+ KRB5 /* Kerberos 5 key exchange */,
+ ECDHr /* ECDH cert, RSA CA cert */,
+ ECDHe /* ECDH cert, ECDSA CA cert */,
+ GOST /* GOST key exchange */,
+ SRP /* SRP */;
+}
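Review bot: The trailing comments on `DHr` and `DHd` say "no such ciphersuites supported!", yet the `Ciphers` table added in this commit maps suites such as `DH-RSA-CAMELLIA256-SHA` and `DH-DSS-SEED-SHA` to exactly these exchanges, so the comments contradict the table and should be removed or reworded (`DHr /* DH cert, RSA-signed CA cert */`). As an aside, the `DHr` Camellia entry is declared as `TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SH`, which looks like a truncated constant name and is worth checking wherever names are matched. `KRB5` is declared but no visible `Ciphers` entry references it; if that is intentional, a comment to that effect saves the next reader a search.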
Added:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java
===================================================================
---
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java
(rev 0)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel
Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum MessageDigest {
+ MD5, SHA1, GOST94, GOST89MAC, SHA256, SHA384, AEAD;
+}
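Review bot: Naming this enum `MessageDigest` shadows `java.security.MessageDigest` for every class in `org.apache.tomcat.util.net.jsse.openssl`; the `Ciphers` constructor already takes it as a parameter type, so any future hashing code in the package has to spell out the fully-qualified JDK name. Renaming it to something like `MacAlgorithm`, or at least adding `/** MAC/digest of a suite in OpenSSL terms; AEAD means the cipher authenticates itself. Unrelated to java.security.MessageDigest. */`, would prevent the confusion. `GOST89MAC` is a MAC and `AEAD` is not a digest at all, which is a further reason the current name misleads.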
Added:
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
===================================================================
---
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
(rev 0)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -0,0 +1,582 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedHashMap;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.jboss.web.CoyoteLogger;
+
+/**
+ * Class in charge with parsing openSSL expressions to define a list of ciphers.
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel
Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+public class OpenSSLCipherConfigurationParser {
+
+ /**
+ * System property key to define the DEFAULT ciphers.
+ */
+ public static final String DEFAULT_EXPRESSION_KEY =
"openssl.default.ciphers";
+
+ private static boolean initialized = false;
+
+ private static final String SEPARATOR = ":";
+ /**
+ * If ! is used then the ciphers are permanently deleted from the list. The ciphers
deleted can never reappear in the list
+ * even if they are explicitly stated.
+ */
+ private final static String EXCLUDE = "!";
+ /**
+ * If - is used then the ciphers are deleted from the list, but some or all of the
ciphers can be added again by later
+ * options.
+ */
+ private static final String DELETE = "-";
+ /**
+ * If + is used then the ciphers are moved to the end of the list. This option
doesn't add any new ciphers it just moves
+ * matching existing ones.
+ */
+ private static final String TO_END = "+";
+ /**
+ * All ciphers by their openssl alias name.
+ */
+ private static final Map<String, List<Ciphers>> aliases = new
LinkedHashMap<String, List<Ciphers>>();
+
+ /**
+ * the 'NULL' ciphers that is those offering no encryption. Because these
offer no encryption at all and are a security risk
+ * they are disabled unless explicitly included.
+ */
+ private static final String eNULL = "eNULL";
+ /**
+ * The cipher suites offering no authentication. This is currently the anonymous DH
algorithms. T These cipher suites are
+ * vulnerable to a 'man in the middle' attack and so their use is normally
discouraged.
+ */
+ private static final String aNULL = "aNULL";
+
+ /**
+ * 'high' encryption cipher suites. This currently means those with key
lengths larger than 128 bits, and some cipher suites
+ * with 128-bit keys.
+ */
+ private static final String HIGH = "HIGH";
+ /**
+ * 'medium' encryption cipher suites, currently some of those using 128 bit
encryption.
+ */
+ private static final String MEDIUM = "MEDIUM";
+ /**
+ * 'low' encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher
+ * suites.
+ */
+ private static final String LOW = "LOW";
+ /**
+ * Export encryption algorithms. Including 40 and 56 bits algorithms.
+ */
+ private static final String EXPORT = "EXPORT";
+ /**
+ * 40 bit export encryption algorithms.
+ */
+ private static final String EXPORT40 = "EXPORT40";
+ /**
+ * 56 bit export encryption algorithms.
+ */
+ private static final String EXPORT56 = "EXPORT56";
+ /**
+ * Cipher suites using RSA key exchange.
+ */
+ private static final String kRSA = "kRSA";
+ /**
+ * Cipher suites using RSA authentication.
+ */
+ private static final String aRSA = "aRSA";
+ /**
+ * Cipher suites using RSA for key exchange or for authentication.
+ */
+ private static final String RSA = "RSA";
+ /**
+ * Cipher suites using ephemeral DH key agreement.
+ */
+ private static final String kEDH = "kEDH";
+ /**
+ * Cipher suites using ephemeral DH key agreement. equivalent to kEDH:-ADH
+ */
+ private static final String EDH = "EDH";
+ /**
+ * Cipher suites using DH key agreement and DH certificates signed by CAs with RSA
keys.
+ */
+ private static final String kDHr = "kDHr";
+ /**
+ * Cipher suites using DH key agreement and DH certificates signed by CAs with DSS
keys.
+ */
+ private static final String kDHd = "kDHd";
+ /**
+ * Cipher suites using DH key agreement and DH certificates signed by CAs with RSA or
DSS keys.
+ */
+ private static final String kDH = "kDH";
+ /**
+ * Cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
+ */
+ private static final String aDSS = "aDSS";
+ /**
+ * Cipher suites effectively using DH authentication, i.e. the certificates carry DH
keys.
+ */
+ private static final String aDH = "aDH";
+ /**
+ * Ciphers suites using FORTEZZA key exchange algorithms.
+ */
+ private static final String kFZA = "kFZA";
+ /**
+ * Ciphers suites using FORTEZZA authentication algorithms.
+ */
+ private static final String aFZA = "aFZA";
+ /**
+ * Ciphers suites using FORTEZZA encryption algorithms.
+ */
+ private static final String eFZA = "eFZA";
+ /**
+ * Ciphers suites using all FORTEZZA algorithms.
+ */
+ private static final String FZA = "FZA";
+ /**
+ * TLS v1.2 cipher suites. Note: there are no cipher suites specific to TLS v1.1.
+ */
+ private static final String TLSv1_2 = "TLSv1_2";
+ /**
+ * TLS v1.0 cipher suites.
+ */
+ private static final String TLSv1 = "TLSv1";
+ /**
+ * SSL v2.0 cipher suites.
+ */
+ private static final String SSLv2 = "SSLv2";
+ /**
+ * SSL v3.0 cipher suites.
+ */
+ private static final String SSLv3 = "SSLv3";
+ /**
+ * Cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH.
+ */
+ private static final String DH = "DH";
+ /**
+ * Anonymous DH cipher suites.
+ */
+ private static final String ADH = "ADH";
+ /**
+ * Cipher suites using 128 bit AES.
+ */
+ private static final String AES128 = "AES128";
+ /**
+ * Cipher suites using 256 bit AE.
+ */
+ private static final String AES256 = "AES256";
+ /**
+ * Cipher suites using either 128 or 256 bit AES.
+ */
+ private static final String AES = "AES";
+ /**
+ * AES in Galois Counter Mode (GCM): these cipher suites are only supported in TLS
v1.2.
+ */
+ private static final String AESGCM = "AESGCM";
+ /**
+ * Cipher suites using 128 bit CAMELLIA.
+ */
+ private static final String CAMELLIA128 = "CAMELLIA128";
+ /**
+ * Cipher suites using 256 bit CAMELLIA.
+ */
+ private static final String CAMELLIA256 = "CAMELLIA256";
+ /**
+ * Cipher suites using either 128 or 256 bit CAMELLIA.
+ */
+ private static final String CAMELLIA = "CAMELLIA";
+ /**
+ * Cipher suites using triple DES.
+ */
+ private static final String TRIPLE_DES = "3DES";
+ /**
+ * Cipher suites using DES (not triple DES).
+ */
+ private static final String DES = "DES";
+ /**
+ * Cipher suites using RC4.
+ */
+ private static final String RC4 = "RC4";
+ /**
+ * Cipher suites using RC2.
+ */
+ private static final String RC2 = "RC2";
+ /**
+ * Cipher suites using IDEA.
+ */
+ private static final String IDEA = "IDEA";
+ /**
+ * Cipher suites using SEED.
+ */
+ private static final String SEED = "SEED";
+ /**
+ * Cipher suites using MD5.
+ */
+ private static final String MD5 = "MD5";
+ /**
+ * Cipher suites using SHA1.
+ */
+ private static final String SHA1 = "SHA1";
+ /**
+ * Cipher suites using SHA1.
+ */
+ private static final String SHA = "SHA";
+ /**
+ * Cipher suites using SHA256.
+ */
+ private static final String SHA256 = "SHA256";
+ /**
+ * Cipher suites using SHA384.
+ */
+ private static final String SHA384 = "SHA384";
+ /**
+ * Cipher suites using KRB5.
+ */
+ private static final String KRB5 = "KRB5";
+ /**
+ * Cipher suites using GOST R 34.10 (either 2001 or 94) for authentication.
+ */
+ private static final String aGOST = "aGOST";
+ /**
+ * Cipher suites using GOST R 34.10-2001 for authentication.
+ */
+ private static final String aGOST01 = "aGOST01";
+ /**
+ * Cipher suites using GOST R 34.10-94 authentication (note that R 34.10-94 standard
has been expired so use GOST R
+ * 34.10-2001)
+ */
+ private static final String aGOST94 = "aGOST94";
+ /**
+ * Cipher suites using using VKO 34.10 key exchange, specified in the RFC 4357.
+ */
+ private static final String kGOST = "kGOST";
+ /**
+ * Cipher suites, using HMAC based on GOST R 34.11-94.
+ */
+ private static final String GOST94 = "GOST94";
+ /**
+ * Cipher suites using GOST 28147-89 MAC instead of HMAC.
+ */
+ private static final String GOST89MAC = "GOST89MAC";
+ /**
+ * Cipher suites using pre-shared keys (PSK).
+ */
+ private static final String PSK = "PSK";
+
+ private static final String DEFAULT = "DEFAULT";
+ private static final String COMPLEMENTOFDEFAULT = "COMPLEMENTOFDEFAULT";
+
+ private static final String ALL = "ALL";
+ private static final String COMPLEMENTOFALL = "COMPLEMENTOFALL";
+
+ private static final void init() {
+
+ for (Ciphers cipher : Ciphers.values()) {
+ String alias = cipher.getOpenSSLAlias();
+ if (aliases.containsKey(alias)) {
+ aliases.get(alias).add(cipher);
+ } else {
+ List<Ciphers> list = new ArrayList<Ciphers>();
+ list.add(cipher);
+ aliases.put(alias, list);
+ }
+ aliases.put(cipher.name(), Collections.singletonList(cipher));
+ }
+ List<Ciphers> allCiphers = Arrays.asList(Ciphers.values());
+ Collections.reverse(allCiphers);
+ LinkedHashSet<Ciphers> all = defaultSort(new
LinkedHashSet<Ciphers>(allCiphers));
+ addListAlias(ALL, all);
+ addListAlias(HIGH, filterByEncryptionLevel(all,
Collections.singleton(EncryptionLevel.HIGH)));
+ addListAlias(MEDIUM, filterByEncryptionLevel(all,
Collections.singleton(EncryptionLevel.MEDIUM)));
+ addListAlias(LOW, filterByEncryptionLevel(all,
Collections.singleton(EncryptionLevel.LOW)));
+ addListAlias(EXPORT, filterByEncryptionLevel(all, new
HashSet<EncryptionLevel>(Arrays.asList(EncryptionLevel.EXP40,
EncryptionLevel.EXP56))));
+ aliases.put("EXP", aliases.get(EXPORT));
+ addListAlias(EXPORT40, filterByEncryptionLevel(all,
Collections.singleton(EncryptionLevel.EXP40)));
+ addListAlias(EXPORT56, filterByEncryptionLevel(all,
Collections.singleton(EncryptionLevel.EXP56)));
+ addListAlias(eNULL, filterByEncryption(all,
Collections.singleton(Encryption.eNULL)));
+ aliases.put("NULL", aliases.get(eNULL));
+ aliases.put(COMPLEMENTOFALL, aliases.get(eNULL));
+ addListAlias(aNULL, filterByAuthentication(all,
Collections.singleton(Authentication.aNULL)));
+ addListAlias(kRSA, filterByKeyExchange(all,
Collections.singleton(KeyExchange.RSA)));
+ addListAlias(aRSA, filterByAuthentication(all,
Collections.singleton(Authentication.RSA)));
+ addListAlias(RSA, filter(all, null, Collections.singleton(KeyExchange.RSA),
Collections.singleton(Authentication.RSA), null, null, null));
+ addListAlias(kEDH, filterByKeyExchange(all,
Collections.singleton(KeyExchange.EDH)));
+ Set<Ciphers> edh = filterByKeyExchange(all,
Collections.singleton(KeyExchange.EDH));
+ edh.removeAll(filterByAuthentication(all,
Collections.singleton(Authentication.DH)));
+ addListAlias(EDH, edh);
+ addListAlias(kDHr, filterByKeyExchange(all,
Collections.singleton(KeyExchange.DHr)));
+ addListAlias(kDHd, filterByKeyExchange(all,
Collections.singleton(KeyExchange.DHd)));
+ addListAlias(kDH, filterByKeyExchange(all, new
HashSet<KeyExchange>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd))));
+ addListAlias(aDSS, filterByAuthentication(all,
Collections.singleton(Authentication.DSS)));
+ aliases.put("DSS", aliases.get(aDSS));
+ addListAlias(aDH, filterByAuthentication(all,
Collections.singleton(Authentication.DH)));
+ addListAlias(kFZA, filterByKeyExchange(all,
Collections.singleton(KeyExchange.FZA)));
+ addListAlias(aFZA, filterByAuthentication(all,
Collections.singleton(Authentication.FZA)));
+ addListAlias(eFZA, filterByEncryption(all,
Collections.singleton(Encryption.FZA)));
+ addListAlias(FZA, filter(all, null, Collections.singleton(KeyExchange.FZA),
Collections.singleton(Authentication.FZA), Collections.singleton(Encryption.FZA), null,
null));
+ addListAlias(TLSv1_2, filterByProtocol(all,
Collections.singleton(Protocol.TLSv1_2)));
+ addListAlias("TLSv1.1", filterByProtocol(all,
Collections.singleton(Protocol.SSLv3)));
+ addListAlias(TLSv1, filterByProtocol(all,
Collections.singleton(Protocol.TLSv1)));
+ addListAlias(SSLv3, filterByProtocol(all,
Collections.singleton(Protocol.SSLv3)));
+ addListAlias(SSLv2, filterByProtocol(all,
Collections.singleton(Protocol.SSLv2)));
+ addListAlias(DH, filterByKeyExchange(all, new
HashSet<KeyExchange>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd,
KeyExchange.EDH))));
+ Set<Ciphers> adh = filterByKeyExchange(all,
Collections.singleton(KeyExchange.EDH));
+ adh.retainAll(filterByAuthentication(all,
Collections.singleton(Authentication.aNULL)));
+ addListAlias(ADH, adh);
+ addListAlias(AES128, filterByEncryption(all, new
HashSet<Encryption>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM))));
+ addListAlias(AES256, filterByEncryption(all, new
HashSet<Encryption>(Arrays.asList(Encryption.AES256, Encryption.AES256GCM))));
+ addListAlias(AES, filterByEncryption(all, new
HashSet<Encryption>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM,
Encryption.AES256, Encryption.AES256GCM))));
+ addListAlias(AESGCM, filterByEncryption(all, new
HashSet<Encryption>(Arrays.asList(Encryption.AES128GCM, Encryption.AES256GCM))));
+ addListAlias(CAMELLIA, filterByEncryption(all, new
HashSet<Encryption>(Arrays.asList(Encryption.CAMELLIA128,
Encryption.CAMELLIA256))));
+ addListAlias(CAMELLIA128, filterByEncryption(all,
Collections.singleton(Encryption.CAMELLIA128)));
+ addListAlias(CAMELLIA256, filterByEncryption(all,
Collections.singleton(Encryption.CAMELLIA256)));
+ addListAlias(TRIPLE_DES, filterByEncryption(all,
Collections.singleton(Encryption.TRIPLE_DES)));
+ addListAlias(DES, filterByEncryption(all,
Collections.singleton(Encryption.DES)));
+ addListAlias(RC4, filterByEncryption(all,
Collections.singleton(Encryption.RC4)));
+ addListAlias(RC2, filterByEncryption(all,
Collections.singleton(Encryption.RC2)));
+ addListAlias(IDEA, filterByEncryption(all,
Collections.singleton(Encryption.IDEA)));
+ addListAlias(SEED, filterByEncryption(all,
Collections.singleton(Encryption.SEED)));
+ addListAlias(MD5, filterByMessageDigest(all,
Collections.singleton(MessageDigest.MD5)));
+ addListAlias(SHA1, filterByMessageDigest(all,
Collections.singleton(MessageDigest.SHA1)));
+ aliases.put(SHA, aliases.get(SHA1));
+ addListAlias(SHA256, filterByMessageDigest(all,
Collections.singleton(MessageDigest.SHA256)));
+ addListAlias(SHA384, filterByMessageDigest(all,
Collections.singleton(MessageDigest.SHA384)));
+ addListAlias(aGOST, filterByAuthentication(all, new
HashSet<Authentication>(Arrays.asList(Authentication.GOST01,
Authentication.GOST94))));
+ addListAlias(aGOST01, filterByAuthentication(all,
Collections.singleton(Authentication.GOST01)));
+ addListAlias(aGOST94, filterByAuthentication(all,
Collections.singleton(Authentication.GOST94)));
+ addListAlias(kGOST, filterByKeyExchange(all,
Collections.singleton(KeyExchange.GOST)));
+ addListAlias(GOST94, filterByMessageDigest(all,
Collections.singleton(MessageDigest.GOST94)));
+ addListAlias(GOST89MAC, filterByMessageDigest(all,
Collections.singleton(MessageDigest.GOST89MAC)));
+ addListAlias(PSK, filter(all, null, Collections.singleton(KeyExchange.PSK),
Collections.singleton(Authentication.PSK), null, null, null));
+ addListAlias(KRB5, filter(all, null, Collections.singleton(KeyExchange.KRB5),
Collections.singleton(Authentication.KRB5), null, null, null));
+ initialized = true;
+ String defaultExpression = System.getProperty(DEFAULT_EXPRESSION_KEY,
"ALL:!eNULL:!aNULL");
+ addListAlias(DEFAULT, parse(defaultExpression));
+ LinkedHashSet<Ciphers> complementOfDefault = new
LinkedHashSet<Ciphers>(all);
+ complementOfDefault.removeAll(aliases.get(DEFAULT));
+ addListAlias(COMPLEMENTOFDEFAULT, complementOfDefault);
+ }
+
+ static void addListAlias(String alias, Set<Ciphers> ciphers) {
+ aliases.put(alias, new ArrayList<Ciphers>(ciphers));
+ }
+
+ static void moveToEnd(final LinkedHashSet<Ciphers> ciphers, final String alias)
{
+ moveToEnd(ciphers, aliases.get(alias));
+ }
+
+ static void moveToEnd(final LinkedHashSet<Ciphers> ciphers, final
Collection<Ciphers> toBeMovedCiphers) {
+ ciphers.removeAll(toBeMovedCiphers);
+ ciphers.addAll(toBeMovedCiphers);
+ }
+
+ static void add(final LinkedHashSet<Ciphers> ciphers, final String alias) {
+ ciphers.addAll(aliases.get(alias));
+ }
+
+ static void remove(final LinkedHashSet<Ciphers> ciphers, final String alias) {
+ ciphers.removeAll(aliases.get(alias));
+ }
+
+ static LinkedHashSet<Ciphers> strengthSort(final LinkedHashSet<Ciphers>
ciphers) {
+ /*
+ * This routine sorts the ciphers with descending strength. The sorting
+ * must keep the pre-sorted sequence, so we apply the normal sorting
+ * routine as '+' movement to the end of the list.
+ */
+ Set<Integer> keySizes = new HashSet<Integer>();
+ for (Ciphers cipher : ciphers) {
+ keySizes.add(cipher.getStrength_bits());
+ }
+ List<Integer> strength_bits = new ArrayList<Integer>(keySizes);
+ Collections.sort(strength_bits);
+ Collections.reverse(strength_bits);
+ final LinkedHashSet<Ciphers> result = new
LinkedHashSet<Ciphers>(ciphers);
+ for (int strength : strength_bits) {
+ moveToEnd(result, filterByStrengthBits(ciphers, strength));
+ }
+ return result;
+ }
+
+ static LinkedHashSet<Ciphers> defaultSort(final LinkedHashSet<Ciphers>
ciphers) {
+ final LinkedHashSet<Ciphers> result = new
LinkedHashSet<Ciphers>(ciphers.size());
+ /* Now arrange all ciphers by preference: */
+
+ /* Everything else being equal, prefer ephemeral ECDH over other key exchange
mechanisms */
+ result.addAll(filterByKeyExchange(ciphers,
Collections.singleton(KeyExchange.EECDH)));
+ /* AES is our preferred symmetric cipher */
+ result.addAll(filterByEncryption(ciphers, new
HashSet<Encryption>(Arrays.asList(Encryption.AES128, Encryption.AES128GCM,
+ Encryption.AES256, Encryption.AES256GCM))));
+ /* Temporarily enable everything else for sorting */
+ result.addAll(ciphers);
+
+
+ /* Low priority for MD5 */
+ moveToEnd(result, filterByMessageDigest(result,
Collections.singleton(MessageDigest.MD5)));
+
+ /* Move anonymous ciphers to the end. Usually, these will remain disabled.
+ * (For applications that allow them, they aren't too bad, but we prefer
+ * authenticated ciphers.) */
+ moveToEnd(result, filterByAuthentication(result,
Collections.singleton(Authentication.aNULL)));
+
+ /* Move ciphers without forward secrecy to the end */
+ moveToEnd(result, filterByAuthentication(result,
Collections.singleton(Authentication.ECDH)));
+ moveToEnd(result, filterByKeyExchange(result,
Collections.singleton(KeyExchange.RSA)));
+ moveToEnd(result, filterByKeyExchange(result,
Collections.singleton(KeyExchange.PSK)));
+ moveToEnd(result, filterByKeyExchange(result,
Collections.singleton(KeyExchange.KRB5)));
+ /* RC4 is sort-of broken -- move the the end */
+ moveToEnd(result, filterByEncryption(result,
Collections.singleton(Encryption.RC4)));
+ return strengthSort(result);
+ }
+
+ static Set<Ciphers> filterByStrengthBits(Set<Ciphers> ciphers, int
strength_bits) {
+ Set<Ciphers> result = new LinkedHashSet<Ciphers>(ciphers.size());
+ for (Ciphers cipher : ciphers) {
+ if (cipher.getStrength_bits() == strength_bits) {
+ result.add(cipher);
+ }
+ }
+ return result;
+ }
+
+ static Set<Ciphers> filterByProtocol(Set<Ciphers> ciphers,
Set<Protocol> protocol) {
+ return filter(ciphers, protocol, null, null, null, null, null);
+ }
+
+ static Set<Ciphers> filterByKeyExchange(Set<Ciphers> ciphers,
Set<KeyExchange> kx) {
+ return filter(ciphers, null, kx, null, null, null, null);
+ }
+
+ static Set<Ciphers> filterByAuthentication(Set<Ciphers> ciphers,
Set<Authentication> au) {
+ return filter(ciphers, null, null, au, null, null, null);
+ }
+
+ static Set<Ciphers> filterByEncryption(Set<Ciphers> ciphers,
Set<Encryption> enc) {
+ return filter(ciphers, null, null, null, enc, null, null);
+ }
+
+ static Set<Ciphers> filterByEncryptionLevel(Set<Ciphers> ciphers,
Set<EncryptionLevel> level) {
+ return filter(ciphers, null, null, null, null, level, null);
+ }
+
+ static Set<Ciphers> filterByMessageDigest(Set<Ciphers> ciphers,
Set<MessageDigest> mac) {
+ return filter(ciphers, null, null, null, null, null, mac);
+ }
+
+ static Set<Ciphers> filter(Set<Ciphers> ciphers, Set<Protocol>
protocol, Set<KeyExchange> kx,
+ Set<Authentication> au, Set<Encryption> enc,
Set<EncryptionLevel> level, Set<MessageDigest> mac) {
+ Set<Ciphers> result = new LinkedHashSet<Ciphers>(ciphers.size());
+ for (Ciphers cipher : ciphers) {
+ if (protocol != null && protocol.contains(cipher.getProtocol())) {
+ result.add(cipher);
+ }
+ if (kx != null && kx.contains(cipher.getKx())) {
+ result.add(cipher);
+ }
+ if (au != null && au.contains(cipher.getAu())) {
+ result.add(cipher);
+ }
+ if (enc != null && enc.contains(cipher.getEnc())) {
+ result.add(cipher);
+ }
+ if (level != null && level.contains(cipher.getLevel())) {
+ result.add(cipher);
+ }
+ if (mac != null && mac.contains(cipher.getMac())) {
+ result.add(cipher);
+ }
+ }
+ return result;
+ }
+
+ static LinkedHashSet<Ciphers> parse(String expression) {
+ if (!initialized) {
+ init();
+ }
+ String[] elements = expression.split(SEPARATOR);
+ LinkedHashSet<Ciphers> ciphers = new LinkedHashSet<Ciphers>();
+ Set<Ciphers> removedCiphers = new HashSet<Ciphers>();
+ for (String element : elements) {
+ if (element.startsWith(DELETE)) {
+ String alias = element.substring(1);
+ if (aliases.containsKey(alias)) {
+ remove(ciphers, alias);
+ }
+ } else if (element.startsWith(EXCLUDE)) {
+ String alias = element.substring(1);
+ if (aliases.containsKey(alias)) {
+ removedCiphers.addAll(aliases.get(alias));
+ } else {
+ CoyoteLogger.UTIL_LOGGER.warn("Unknown element " +
alias);
+ }
+ } else if (element.startsWith(TO_END)) {
+ String alias = element.substring(1);
+ if (aliases.containsKey(alias)) {
+ moveToEnd(ciphers, alias);
+ }
+ } else if ("(a)STRENGTH".equals(element)) {
+ strengthSort(ciphers);
+ break;
+ } else if (aliases.containsKey(element)) {
+ add(ciphers, element);
+ }
+ }
+ ciphers.removeAll(removedCiphers);
+ return defaultSort(ciphers);
+ }
+
+ static List<String> convertForJSSE(Collection<Ciphers> ciphers) {
+ List<String> result = new ArrayList<String>(ciphers.size());
+ for (Ciphers cipher : ciphers) {
+ result.add(cipher.name());
+ }
+ return result;
+ }
+
+ /**
+ * Parse the specified expression according to the OpenSSL syntax and returns a list
of standard cipher names.
+ * @param expression: the openssl expression to define a list of cipher.
+ * @return the corresponding list of ciphers.
+ */
+ public static List<String> parseExpression(String expression) {
+ return convertForJSSE(parse(expression));
+ }
+
+ static String displayResult(Set<Ciphers> ciphers, String separator) {
+ if (ciphers.isEmpty()) {
+ return "";
+ }
+ StringBuilder builder = new StringBuilder(ciphers.size() * 16);
+ for (Ciphers cipher : ciphers) {
+ builder.append(cipher.getOpenSSLAlias());
+ builder.append(separator);
+ }
+ return builder.toString().substring(0, builder.length() - 1);
+ }
+}
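Review bot: The `ALL` alias registered with `addListAlias(ALL, all)` is the complete cipher set, so it still contains the `eNULL` suites that `filterByEncryption(all, Collections.singleton(Encryption.eNULL))` extracts from the same set a few lines later; OpenSSL's `ALL` excludes eNULL (they live only in `COMPLEMENTOFALL`), and the class's own Javadoc on `eNULL` says those suites "are disabled unless explicitly included", so an operator expression such as `ALL:!aNULL` would enable null-encryption suites here. Register the alias from a copy with the null ciphers removed, e.g. `Set<Ciphers> allEncrypting = new LinkedHashSet<Ciphers>(all); allEncrypting.removeAll(filterByEncryption(all, Collections.singleton(Encryption.eNULL))); addListAlias(ALL, allEncrypting);`, and derive `COMPLEMENTOFDEFAULT` from that same set so it stays consistent. Separately, `parse()` reads the non-volatile static `initialized` and `init()` fills the shared `aliases` map with no synchronization, and `initialized = true` is assigned before the `DEFAULT` and `COMPLEMENTOFDEFAULT` aliases exist, so a second thread calling `parse` during start-up can observe a partially built table; making `parse` `static synchronized` (or moving the table into a lazy holder class) is the simplest fix. Finally, only the `!` branch logs an unknown alias; the `-`, `+` and plain-name branches drop a mistyped name silently, so a typo in a configured cipher string is invisible in the logs, and the `@STRENGTH` branch discards the `LinkedHashSet` that `strengthSort` returns (it should be `ciphers = strengthSort(ciphers);`), although the unconditional `defaultSort(ciphers)` on return appears to override any ordering the expression requested anyway.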
Added: branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
===================================================================
--- branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
(rev 0)
+++
branches/7.4.x/src/main/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java 2014-05-22
09:02:55 UTC (rev 2413)
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2014 Red Hat, inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301 USA
+ */
+package org.apache.tomcat.util.net.jsse.openssl;
+
+/**
+ *
+ * @author <a href="mailto:ehugonne@redhat.com">Emmanuel
Hugonnet</a> (c) 2014 Red Hat, inc.
+ */
+enum Protocol {
+ SSLv3, SSLv2, TLSv1, TLSv1_2;
+}
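Review bot: The Javadoc on `enum Protocol` has an empty summary, so the meaning of the constants and the absence of a TLS 1.1 value are left for the reader to infer from the parser. A summary such as `Lowest protocol version a cipher suite is defined for, following OpenSSL's cipher-list aliases; there is no TLSv1_1 value because OpenSSL defines no suites specific to TLS 1.1.` would document the intent, and a short comment on `TLSv1_2` noting that the parser exposes it under the alias string "TLSv1_2" rather than "TLSv1.2" would save a configuration surprise.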