On 20 July 2014 23:40:50 CEST, Tim Whittington <t...@apache.org> wrote:
>This doesn’t look like it’ll work as expected on IBM JDKs (which do
>s/^TLS_/SSL_/ on all the TLS era cipher suite names).
>
>Also a big -0 for importing the brokenness that is the openssl ciphers
>syntax (seriously, I have to recite
>HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5 to do something sensible?).
>(I get the consistency argument internally (JSSE/APR connectors) and
>externally (Apache, nginx etc.), but meh).
>
>I’m not a fan of the closed-set approach either, but I haven’t got a
>better option that doesn’t involve magic cipher-suite name parsing
>unfortunately (both put you in an arms race with new suites for
>different reasons).

This seems like a good point to add that I've been looking into this and the 
current mapping doesn't look right. It references cipher suites that aren't in 
the standard names doc provided in the JRE docs and it also fails to reference 
many suites that are in it.

I'm less concerned about keeping up with new cipher suites. We can write unit 
tests to catch those. 

Different cipher names in different JREs is going to be problematic.

This is currently top of my to-do list when I get back to work next week. My 
current view of this feature is buggy with maintenance issues but I also 
believe all these to be fixable/manageable.

I might find some time to play with this this week so don't be surprised if you 
see the odd commit from me in this area.

Mark
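
[Added example, not part of the thread and not Tomcat code.] One way to write the kind of check discussed above: resolve each mapped name against the suites the running JRE reports, tolerating a TLS_/SSL_ prefix swap, and list runtime suites the table never mentions. The class name CipherNameCheck and the five-entry sample table (copied from enum constants visible in the quoted commit) are assumptions made for this illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

/** Added example: checks an OpenSSL-to-JSSE name table against the running JRE. */
public class CipherNameCheck {

    /** Swaps a leading TLS_ for SSL_ (or the reverse); null if neither prefix is present. */
    static String alternatePrefix(String name) {
        if (name.startsWith("TLS_")) {
            return "SSL_" + name.substring(4);
        }
        if (name.startsWith("SSL_")) {
            return "TLS_" + name.substring(4);
        }
        return null;
    }

    /** Returns the spelling this runtime uses for the suite, or null if it knows neither. */
    static String resolve(String name, Set<String> supported) {
        if (supported.contains(name)) {
            return name;
        }
        String alt = alternatePrefix(name);
        return (alt != null && supported.contains(alt)) ? alt : null;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // What this JRE's default provider can negotiate, in its own spelling.
        Set<String> supported = new TreeSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));

        // Constructed sample table: OpenSSL name -> Java name, copied from
        // enum constants visible in the quoted commit. Not the full mapping.
        Map<String, String> table = new LinkedHashMap<>();
        table.put("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA");
        table.put("DHE-RSA-AES256-SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
        table.put("DES-CBC3-SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA");
        table.put("EDH-RSA-DES-CBC3-SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA");
        table.put("FZA-RC4-SHA", "SSL_FORTEZZA_DMS_WITH_RC4_128_SHA");

        Set<String> covered = new TreeSet<>();
        for (Map.Entry<String, String> e : table.entrySet()) {
            String actual = resolve(e.getValue(), supported);
            if (actual == null) {
                // Neither spelling exists in this runtime.
                System.out.println("UNKNOWN HERE  " + e.getKey() + " -> " + e.getValue());
            } else if (!actual.equals(e.getValue())) {
                // Same suite, but the runtime uses the other prefix.
                System.out.println("PREFIX DIFF   " + e.getKey() + " -> " + e.getValue()
                        + " (runtime spells it " + actual + ")");
                covered.add(actual);
            } else {
                System.out.println("OK            " + e.getKey() + " -> " + actual);
                covered.add(actual);
            }
        }

        // Suites the runtime offers that the table never mentions.
        Set<String> unmapped = new TreeSet<>(supported);
        unmapped.removeAll(covered);
        unmapped.remove("TLS_EMPTY_RENEGOTIATION_INFO_SCSV"); // signalling value, not a cipher
        System.out.println(unmapped.size() + " supported suites have no table entry:");
        for (String s : unmapped) {
            System.out.println("  " + s);
        }
    }
}
```

The output depends on the JRE vendor and version it is run on, which is the point: the same table can report OK, PREFIX DIFF or UNKNOWN HERE for the same entry on different runtimes.
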
>
>cheers
>tim
>
>On 9/07/2014, at 4:20 am, r...@apache.org wrote:
>
>> Author: remm
>> Date: Tue Jul  8 16:20:54 2014
>> New Revision: 1608840
>> 
>> URL: http://svn.apache.org/r1608840
>> Log:
>> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56704
>> Add OpenSSL cipher suite parser for JSSE. It allows using the same value for both native and JSSE, and makes it easy to define safe default or custom cipher suites.
>> Code submitted by Emmanuel Hugonnet.
>> 
>> Added:
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Encryption.java
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/EncryptionLevel.java
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/KeyExchange.java
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/MessageDigest.java
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/OpenSSLCipherConfigurationParser.java
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Protocol.java
>> Modified:
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>>    tomcat/trunk/java/org/apache/tomcat/util/net/jsse/res/LocalStrings.properties
>>    tomcat/trunk/webapps/docs/changelog.xml
>> 
>> Modified:
>tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>> URL:
>http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java?rev=1608840&r1=1608839&r2=1608840&view=diff
>>
>==============================================================================
>> ---
>tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>(original)
>> +++
>tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
>Tue Jul  8 16:20:54 2014
>> @@ -65,6 +65,7 @@ import org.apache.tomcat.util.net.Abstra
>> import org.apache.tomcat.util.net.Constants;
>> import org.apache.tomcat.util.net.SSLUtil;
>> import org.apache.tomcat.util.net.ServerSocketFactory;
>> +import
>org.apache.tomcat.util.net.jsse.openssl.OpenSSLCipherConfigurationParser;
>> import org.apache.tomcat.util.res.StringManager;
>> 
>> /**
>> @@ -234,10 +235,14 @@ public class JSSESocketFactory implement
>>         }
>> 
>>         List<String> requestedCiphers = new ArrayList<>();
>> -        for (String rc : requestedCiphersStr.split(",")) {
>> -            final String cipher = rc.trim();
>> -            if (cipher.length() > 0) {
>> -                requestedCiphers.add(cipher);
>> +        if (requestedCiphersStr.indexOf(':') != -1) {
>> +            requestedCiphers =
>OpenSSLCipherConfigurationParser.parseExpression(requestedCiphersStr);
>> +        } else {
>> +            for (String rc : requestedCiphersStr.split(",")) {
>> +                final String cipher = rc.trim();
>> +                if (cipher.length() > 0) {
>> +                    requestedCiphers.add(cipher);
>> +                }
>>             }
>>         }
>>         if (requestedCiphers.isEmpty()) {
>> 
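
Review bot: The test requestedCiphersStr.indexOf(':') != -1 in the second JSSESocketFactory hunk is the only thing that selects the OpenSSL parser, so an OpenSSL expression without a colon (a single alias such as HIGH, or a list written with OpenSSL's comma or space separators) falls through to the comma split and is treated as literal JSSE suite names. Please either document that a colon is required to get OpenSSL semantics or make the detection explicit, and say what happens when parseExpression returns nothing a given JRE supports. Minor: the new ArrayList<>() assigned to requestedCiphers just above is thrown away whenever the parser branch is taken, so the allocation could move into the else branch.
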
>> Added:
>tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
>> URL:
>http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java?rev=1608840&view=auto
>>
>==============================================================================
>> ---
>tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
>(added)
>> +++
>tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Authentication.java
>Tue Jul  8 16:20:54 2014
>> @@ -0,0 +1,32 @@
>> +/*
>> + *  Licensed to the Apache Software Foundation (ASF) under one or
>more
>> + *  contributor license agreements.  See the NOTICE file distributed
>with
>> + *  this work for additional information regarding copyright
>ownership.
>> + *  The ASF licenses this file to You under the Apache License,
>Version 2.0
>> + *  (the "License"); you may not use this file except in compliance
>with
>> + *  the License.  You may obtain a copy of the License at
>> + *
>> + *      http://www.apache.org/licenses/LICENSE-2.0
>> + *
>> + *  Unless required by applicable law or agreed to in writing,
>software
>> + *  distributed under the License is distributed on an "AS IS"
>BASIS,
>> + *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>implied.
>> + *  See the License for the specific language governing permissions
>and
>> + *  limitations under the License.
>> + */
>> +
>> +package org.apache.tomcat.util.net.jsse.openssl;
>> +
>> +enum Authentication {
>> +    RSA /* RSA auth */,
>> +    DSS /* DSS auth */,
>> +    aNULL /* no auth (i.e. use ADH or AECDH) */,
>> +    DH /* Fixed DH auth (kDHd or kDHr) */,
>> +    ECDH /* Fixed ECDH auth (kECDHe or kECDHr) */,
>> +    KRB5 /* KRB5 auth */,
>> +    ECDSA/* ECDSA auth*/,
>> +    PSK /* PSK auth */,
>> +    GOST94 /* GOST R 34.10-94 signature auth */,
>> +    GOST01 /* GOST R 34.10-2001 */,
>> +    FZA /* Fortezza */;
>> +}
>> 
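
Review bot: The Authentication enum has no type-level Javadoc; its only documentation is the inline /* ... */ comment on each constant, which the Javadoc tool does not pick up. A short class comment stating what these values correspond to and why aNULL keeps a lower-case prefix while the other constants are upper-case would help the next maintainer. Style: ECDSA/* ECDSA auth*/ is missing the spaces used on the other constants, and the semicolon after FZA is unnecessary in an enum with no members.
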
>> Added:
>tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
>> URL:
>http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java?rev=1608840&view=auto
>>
>==============================================================================
>> ---
>tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
>(added)
>> +++
>tomcat/trunk/java/org/apache/tomcat/util/net/jsse/openssl/Ciphers.java
>Tue Jul  8 16:20:54 2014
>> @@ -0,0 +1,2299 @@
>> +/*
>> + *  Licensed to the Apache Software Foundation (ASF) under one or
>more
>> + *  contributor license agreements.  See the NOTICE file distributed
>with
>> + *  this work for additional information regarding copyright
>ownership.
>> + *  The ASF licenses this file to You under the Apache License,
>Version 2.0
>> + *  (the "License"); you may not use this file except in compliance
>with
>> + *  the License.  You may obtain a copy of the License at
>> + *
>> + *      http://www.apache.org/licenses/LICENSE-2.0
>> + *
>> + *  Unless required by applicable law or agreed to in writing,
>software
>> + *  distributed under the License is distributed on an "AS IS"
>BASIS,
>> + *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>implied.
>> + *  See the License for the specific language governing permissions
>and
>> + *  limitations under the License.
>> + */
>> +
>> +package org.apache.tomcat.util.net.jsse.openssl;
>> +
>> +/**
>> + * All Ciphers for SSL/TSL.
>> + */
>> +enum Ciphers {
>> +    /* The RSA ciphers */
>> +    // Cipher 01
>> +    SSL_RSA_WITH_NULL_MD5("NULL-MD5",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.eNULL,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.STRONG_NONE,
>> +            false,
>> +            0,
>> +            0),
>> +    // Cipher 02
>> +    SSL_RSA_WITH_NULL_SHA("NULL-SHA",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.eNULL,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.STRONG_NONE,
>> +            true,
>> +            0,
>> +            0),
>> +    // Cipher 03
>> +    SSL_RSA_EXPORT_WITH_RC4_40_MD5("EXP-RC4-MD5",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.RC4,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            128),
>> +    // Cipher 04
>> +    SSL_RSA_WITH_RC4_128_MD5("RC4-MD5",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.RC4,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.MEDIUM,
>> +            false,
>> +            128,
>> +            128),
>> +    // Cipher 05
>> +    SSL_RSA_WITH_RC4_128_SHA("RC4-SHA",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.RC4,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.MEDIUM,
>> +            false,
>> +            128,
>> +            128),
>> +    // Cipher 06
>> +    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5("EXP-RC2-CBC-MD5",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.RC2,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            128),
>> +    // Cipher 07
>> +    SSL_RSA_WITH_IDEA_CBC_SHA("IDEA-CBC-SHA",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.IDEA,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.MEDIUM,
>> +            false,
>> +            128,
>> +            128),
>> +    // Cipher 08
>> +    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-DES-CBC-SHA",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            56),
>> +    // Cipher 09
>> +    SSL_RSA_WITH_DES_CBC_SHA("DES-CBC-SHA",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.LOW,
>> +            false,
>> +            56,
>> +            56),
>> +    // Cipher 0A
>> +    SSL_RSA_WITH_3DES_EDE_CBC_SHA("DES-CBC3-SHA",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.TRIPLE_DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            168,
>> +            168),
>> +    /* The DH ciphers */
>> +    // Cipher 0B
>> +    SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA("EXP-DH-DSS-DES-CBC-SHA",
>> +            KeyExchange.DHd,
>> +            Authentication.DH,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            56),
>> +    // Cipher 0C
>> +    SSL_DH_DSS_WITH_DES_CBC_SHA("DH-DSS-DES-CBC-SHA",
>> +            KeyExchange.DHd,
>> +            Authentication.DH,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.LOW,
>> +            false,
>> +            56,
>> +            56),
>> +    // Cipher 0D
>> +    SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA("DH-DSS-DES-CBC3-SHA",
>> +            KeyExchange.DHd,
>> +            Authentication.DH,
>> +            Encryption.TRIPLE_DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            168,
>> +            168),
>> +    // Cipher 0E
>> +    SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-DH-RSA-DES-CBC-SHA",
>> +            KeyExchange.DHr,
>> +            Authentication.DH,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            56),
>> +    // Cipher 0F
>> +    SSL_DH_RSA_WITH_DES_CBC_SHA("DH-RSA-DES-CBC-SHA",
>> +            KeyExchange.DHr,
>> +            Authentication.DH,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.LOW,
>> +            false,
>> +            56,
>> +            56),
>> +    // Cipher 10
>> +    SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA("DH-RSA-DES-CBC3-SHA",
>> +            KeyExchange.DHr,
>> +            Authentication.DH,
>> +            Encryption.TRIPLE_DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            168,
>> +            168),
>> +    /* The Ephemeral DH ciphers */
>> +    // Cipher 11
>> +    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA("EXP-EDH-DSS-DES-CBC-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.DSS,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            56),
>> +    // Cipher 12
>> +    SSL_DHE_DSS_WITH_DES_CBC_SHA("EDH-DSS-DES-CBC-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.DSS,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.LOW,
>> +            false,
>> +            56,
>> +            56),
>> +    // Cipher 13
>> +    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA("EDH-DSS-DES-CBC3-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.DSS,
>> +            Encryption.TRIPLE_DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            168,
>> +            168),
>> +    // Cipher 14
>> +    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA("EXP-EDH-RSA-DES-CBC-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.RSA,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            56),
>> +    // Cipher 15
>> +    TLS_DHE_RSA_WITH_DES_CBC_SHA("EDH-RSA-DES-CBC-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.RSA,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.LOW,
>> +            false,
>> +            56,
>> +            56),
>> +    // Cipher 16
>> +    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA("EDH-RSA-DES-CBC3-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.RSA,
>> +            Encryption.TRIPLE_DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            168,
>> +            168),
>> +    // Cipher 17
>> +    TLS_DH_anon_EXPORT_WITH_RC4_40_MD5("EXP-ADH-RC4-MD5",
>> +            KeyExchange.EDH,
>> +            Authentication.aNULL,
>> +            Encryption.RC4,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            128),
>> +    // Cipher 18
>> +    TLS_DH_anon_WITH_RC4_128_MD5("ADH-RC4-MD5",
>> +            KeyExchange.EDH,
>> +            Authentication.aNULL,
>> +            Encryption.RC4,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.MEDIUM,
>> +            false,
>> +            128,
>> +            128),
>> +    // Cipher 19
>> +    TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA("EXP-ADH-DES-CBC-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.aNULL,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            128),
>> +    // Cipher 1A
>> +    TLS_DH_anon_WITH_DES_CBC_SHA("ADH-DES-CBC-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.aNULL,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.LOW,
>> +            false,
>> +            56,
>> +            56),
>> +    // Cipher 1B
>> +    TLS_DH_anon_WITH_3DES_EDE_CBC_SHA("ADH-DES-CBC3-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.aNULL,
>> +            Encryption.TRIPLE_DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            168,
>> +            168),
>> +    /* Fortezza ciphersuite from SSL 3.0 spec */
>> +    // Cipher 1C
>> +    SSL_FORTEZZA_DMS_WITH_NULL_SHA("FZA-NULL-SHA",
>> +            KeyExchange.FZA,
>> +            Authentication.FZA,
>> +            Encryption.eNULL,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.STRONG_NONE,
>> +            false,
>> +            0,
>> +            0),
>> +    // Cipher 1D
>> +    SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA("FZA-FZA-CBC-SHA",
>> +            KeyExchange.FZA,
>> +            Authentication.FZA,
>> +            Encryption.FZA,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.STRONG_NONE,
>> +            false,
>> +            0,
>> +            0),
>> +    // Cipher 1E
>> +    SSL_FORTEZZA_DMS_WITH_RC4_128_SHA("FZA-RC4-SHA",
>> +            KeyExchange.FZA,
>> +            Authentication.FZA,
>> +            Encryption.RC4,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.MEDIUM,
>> +            false,
>> +            128,
>> +            128),
>> +    /* The Kerberos ciphers*/
>> +    // Cipher 1E
>> +    /*TLS_KRB5_WITH_DES_CBC_SHA("KRB5-DES-CBC-SHA",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.LOW,
>> +            false,
>> +            56,
>> +            56),
>> +    // Cipher 1F
>> +    TLS_KRB5_WITH_3DES_EDE_CBC_SHA("KRB5-DES-CBC3-SHA",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.TRIPLE_DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            168,
>> +            168),
>> +    // Cipher 20
>> +    TLS_KRB5_WITH_RC4_128_SHA("KRB5-RC4-SHA",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.RC4,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.MEDIUM,
>> +            false,
>> +            128,
>> +            128),
>> +    // Cipher 21
>> +    TLS_KRB5_WITH_IDEA_CBC_SHA("KRB5-IDEA-CBC-SHA",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.IDEA,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.MEDIUM,
>> +            false,
>> +            128,
>> +            128),
>> +    // Cipher 22
>> +    TLS_KRB5_WITH_DES_CBC_MD5("KRB5-DES-CBC-MD5",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.DES,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.LOW,
>> +            false,
>> +            56,
>> +            56),
>> +    // Cipher 23
>> +    TLS_KRB5_WITH_3DES_EDE_CBC_MD5("KRB5-DES-CBC3-MD5",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.TRIPLE_DES,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            false,
>> +            168,
>> +            168),
>> +    // Cipher 24
>> +    TLS_KRB5_WITH_RC4_128_MD5("KRB5-RC4-MD5",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.RC4,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.MEDIUM,
>> +            false,
>> +            128,
>> +            128),
>> +    // Cipher 25
>> +    TLS_KRB5_WITH_IDEA_CBC_MD5("KRB5-IDEA-CBC-MD5",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.IDEA,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            false,
>> +            EncryptionLevel.MEDIUM,
>> +            false,
>> +            128,
>> +            128),
>> +    // Cipher 26
>> +    TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA("EXP-KRB5-DES-CBC-SHA",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.DES,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            56),
>> +    // Cipher 27
>> +    TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA("EXP-KRB5-RC2-CBC-SHA",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.RC2,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            128),
>> +    // Cipher 28
>> +    TLS_KRB5_EXPORT_WITH_RC4_40_SHA("EXP-KRB5-RC4-SHA",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.RC4,
>> +            MessageDigest.SHA1,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            128),
>> +    // Cipher 29
>> +    TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5("EXP-KRB5-DES-CBC-MD5",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.DES,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            56),
>> +    // Cipher 2A
>> +    TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5("EXP-KRB5-RC2-CBC-MD5",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.RC2,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            128),
>> +    // Cipher 2B
>> +    TLS_KRB5_EXPORT_WITH_RC4_40_MD5("EXP-KRB5-RC4-MD5",
>> +            KeyExchange.KRB5,
>> +            Authentication.KRB5,
>> +            Encryption.RC4,
>> +            MessageDigest.MD5,
>> +            Protocol.SSLv3,
>> +            true,
>> +            EncryptionLevel.EXP40,
>> +            false,
>> +            40,
>> +            128),*/
>> +    /* New AES ciphersuites */
>> +    // Cipher 2F
>> +    TLS_RSA_WITH_AES_128_CBC_SHA("AES128-SHA",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.AES128,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            128,
>> +            128),
>> +    // Cipher 30
>> +    TLS_DH_DSS_WITH_AES_128_CBC_SHA("DH-DSS-AES128-SHA",
>> +            KeyExchange.DHd,
>> +            Authentication.DH,
>> +            Encryption.AES128,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            128,
>> +            128),
>> +    // Cipher 31
>> +    TLS_DH_RSA_WITH_AES_128_CBC_SHA("DH-RSA-AES128-SHA",
>> +            KeyExchange.DHr,
>> +            Authentication.DH,
>> +            Encryption.AES128,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            128,
>> +            128),
>> +    // Cipher 32
>> +    TLS_DHE_DSS_WITH_AES_128_CBC_SHA("DHE-DSS-AES128-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.DSS,
>> +            Encryption.AES128,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            128,
>> +            128),
>> +    // Cipher 33
>> +    TLS_DHE_RSA_WITH_AES_128_CBC_SHA("DHE-RSA-AES128-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.RSA,
>> +            Encryption.AES128,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            128,
>> +            128),
>> +    // Cipher 34
>> +    TLS_DH_anon_WITH_AES_128_CBC_SHA("ADH-AES128-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.aNULL,
>> +            Encryption.AES128,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            128,
>> +            128),
>> +    // Cipher 35
>> +    TLS_RSA_WITH_AES_256_CBC_SHA("AES256-SHA",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.AES256,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            256,
>> +            256),
>> +    // Cipher 36
>> +    TLS_DH_DSS_WITH_AES_256_CBC_SHA("DH-DSS-AES256-SHA",
>> +            KeyExchange.DHd,
>> +            Authentication.DH,
>> +            Encryption.AES256,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            256,
>> +            256),
>> +    // Cipher 37
>> +    TLS_DH_RSA_WITH_AES_256_CBC_SHA("DH-RSA-AES256-SHA",
>> +            KeyExchange.DHr,
>> +            Authentication.DH,
>> +            Encryption.AES256,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            256,
>> +            256),
>> +    // Cipher 38
>> +    TLS_DHE_DSS_WITH_AES_256_CBC_SHA("DHE-DSS-AES256-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.DSS,
>> +            Encryption.AES256,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            256,
>> +            256),
>> +    // Cipher 39
>> +    TLS_DHE_RSA_WITH_AES_256_CBC_SHA("DHE-RSA-AES256-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.RSA,
>> +            Encryption.AES256,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            256,
>> +            256), // Cipher 3A
>> +    TLS_DH_anon_WITH_AES_256_CBC_SHA("ADH-AES256-SHA",
>> +            KeyExchange.EDH,
>> +            Authentication.aNULL,
>> +            Encryption.AES256,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            256,
>> +            256),
>> +    /* TLS v1.2 ciphersuites */
>> +    // Cipher 3B
>> +    TLS_RSA_WITH_NULL_SHA256("NULL-SHA256",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.eNULL,
>> +            MessageDigest.SHA256,
>> +            Protocol.TLSv1_2,
>> +            false,
>> +            EncryptionLevel.STRONG_NONE,
>> +            true,
>> +            0,
>> +            0),
>> +    // Cipher 3C
>> +    TLS_RSA_WITH_AES_128_CBC_SHA256("AES128-SHA256",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.AES128,
>> +            MessageDigest.SHA256,
>> +            Protocol.TLSv1_2,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            128,
>> +            128),
>> +    // Cipher 3D
>> +    TLS_RSA_WITH_AES_256_CBC_SHA256("AES256-SHA256",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.AES256,
>> +            MessageDigest.SHA256,
>> +            Protocol.TLSv1_2,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            256,
>> +            256),
>> +    // Cipher 3E
>> +    TLS_DH_DSS_WITH_AES_128_CBC_SHA256("DH-DSS-AES128-SHA256",
>> +            KeyExchange.DHd,
>> +            Authentication.DH,
>> +            Encryption.AES128,
>> +            MessageDigest.SHA256,
>> +            Protocol.TLSv1_2,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            128,
>> +            128),
>> +    // Cipher 3F
>> +    TLS_DH_RSA_WITH_AES_128_CBC_SHA256("DH-RSA-AES128-SHA256",
>> +            KeyExchange.DHr,
>> +            Authentication.DH,
>> +            Encryption.AES128,
>> +            MessageDigest.SHA256,
>> +            Protocol.TLSv1_2,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            128,
>> +            128),
>> +    // Cipher 40
>> +    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256("DHE-DSS-AES128-SHA256",
>> +            KeyExchange.EDH,
>> +            Authentication.DSS,
>> +            Encryption.AES128,
>> +            MessageDigest.SHA256,
>> +            Protocol.TLSv1_2,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            true,
>> +            128,
>> +            128),
>> +    /* Camellia ciphersuites from RFC4132 (128-bit portion) */
>> +    // Cipher 41
>> +    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA("CAMELLIA128-SHA",
>> +            KeyExchange.RSA,
>> +            Authentication.RSA,
>> +            Encryption.CAMELLIA128,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            false,
>> +            128,
>> +            128),
>> +    // Cipher 42
>> +    TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA("DH-DSS-CAMELLIA128-SHA",
>> +            KeyExchange.DHd,
>> +            Authentication.DH,
>> +            Encryption.CAMELLIA128,
>> +            MessageDigest.SHA1,
>> +            Protocol.TLSv1,
>> +            false,
>> +            EncryptionLevel.HIGH,
>> +            false,
>> +            128,
>> +            128),
>> +    // Cipher 43
>> +    TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA("DH-RSA-CAMELLIA128-SHA",
>> +            KeyExchange.DHr,
>> +            Authentication.DH,
>> +            Encryption.CAMELLIA128,
>> +
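
Review bot: In Ciphers.java the entry TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA ("EXP-ADH-DES-CBC-SHA") ends with 40, 128, while every other DES40 export entry visible here (EXP-DES-CBC-SHA, EXP-DH-DSS-DES-CBC-SHA, EXP-DH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA, EXP-EDH-RSA-DES-CBC-SHA) ends with 40, 56; please confirm whether 128 is intended. The constants also mix SSL_ and TLS_ prefixes inside one family (SSL_DHE_DSS_WITH_DES_CBC_SHA next to TLS_DHE_RSA_WITH_DES_CBC_SHA), so the naming rule should be stated in a comment. Smaller points: the Javadoc reads "SSL/TSL", the label "// Cipher 1E" appears both on SSL_FORTEZZA_DMS_WITH_RC4_128_SHA and at the head of the Kerberos block, "// Cipher 3A" is tacked onto the end of the previous entry's line, and the Kerberos suites are committed as one large commented-out block with no stated reason.
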


