Hi,
I assume that you are configuring a client-side conduit.
For the client I would suggest following the CXF example for TLS client parameters:
<sec:cipherSuitesFilter>
  <!-- these filters ensure that a ciphersuite with
       export-suitable or null encryption is used,
       but exclude anonymous Diffie-Hellman key exchange as
       this is vulnerable to man-in-the-middle attacks -->
  <sec:include>.*_EXPORT_.*</sec:include>
  <sec:include>.*_EXPORT1024_.*</sec:include>
  <sec:include>.*_WITH_DES_.*</sec:include>
  <sec:include>.*_WITH_AES_.*</sec:include>
  <sec:include>.*_WITH_NULL_.*</sec:include>
  <sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
It includes the most popular ciphers and excludes the vulnerable anonymous
Diffie-Hellman one.
So your client will be flexible and safe.
Regards,
Andrei.
> -----Original Message-----
> From: James Y. Li [mailto:[email protected]]
> Sent: Freitag, 24. Juli 2015 06:14
> To: [email protected]
> Subject: cipherSuites Filtering
>
> Hi All,
> I am trying to write a cipherSuitesFilter which excludes DH ciphers and
> includes the following ciphers:
>
> AES256-SHA (SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1)
>
> DES-CBC3-SHA (SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1)
>
> AES128-SHA (SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1)
>
> And I referred to the example at
> http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-ConfiguringSSLSupport
>
> So should my filter look like this? Should I include more restrictions on
> 'Au', 'Mac' as above?
>
> <sec:cipherSuitesFilter>
>   <sec:include>.*_WITH_AES_.*</sec:include>
>   <sec:include>.*_WITH_DES_.*</sec:include>
>   <sec:exclude>.*_DH_.*</sec:exclude>
> </sec:cipherSuitesFilter>
>
> Thanks!
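The filter in the question and the documentation example in the reply are both regular expressions matched against the cipher-suite names the JVM reports, so the quickest way to see what either one actually admits is to run them over a list of such names. The following Python script is an added example, not code from this thread or from CXF: it models CXF's include/exclude semantics as "keep a suite if it fully matches at least one include pattern and no exclude pattern" (an assumption about the filter, stated in the code), and runs the question's filter, the documentation example, and a tightened alternative over a constructed list of SunJSSE-style suite names. The mapping of the three OpenSSL names in the question (AES256-SHA, DES-CBC3-SHA, AES128-SHA) to their JSSE names is given in the code.

```python
import re

# Constructed sample of cipher-suite names in the form the JVM (SunJSSE)
# reports them; this is not a real JVM's list. The OpenSSL names used in the
# question are noted beside the three suites it asks for.
SUPPORTED = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",          # AES256-SHA   (wanted)
    "TLS_RSA_WITH_AES_128_CBC_SHA",          # AES128-SHA   (wanted)
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",         # DES-CBC3-SHA (wanted)
    "SSL_RSA_WITH_DES_CBC_SHA",              # single DES
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",     # export grade
    "SSL_RSA_WITH_NULL_SHA",                 # no encryption at all
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",      # anonymous DH
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",    # anonymous ECDH
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_RC4_128_SHA",
]

# The three suites the question asks for, keyed by their OpenSSL names.
WANTED = {
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "DES-CBC3-SHA": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def filter_suites(supported, include, exclude):
    """Keep a suite if it fully matches at least one include pattern and
    none of the exclude patterns. Assumed to mirror CXF's include/exclude
    semantics (Java Pattern.matches, i.e. whole-string match); this is a
    model, not CXF's own code."""
    inc = [re.compile(p) for p in include]
    exc = [re.compile(p) for p in exclude]
    return [s for s in supported
            if any(r.fullmatch(s) for r in inc)
            and not any(r.fullmatch(s) for r in exc)]


def audit(selected):
    """Return (wanted suites the filter dropped, extra suites it admitted)."""
    wanted = set(WANTED.values())
    missing = sorted(wanted - set(selected))
    extra = sorted(set(selected) - wanted)
    return missing, extra


# Filter as proposed in the question.
PROPOSED = ([r".*_WITH_AES_.*", r".*_WITH_DES_.*"], [r".*_DH_.*"])

# Filter from the CXF documentation example quoted in the reply.
DOC_EXAMPLE = (
    [r".*_EXPORT_.*", r".*_EXPORT1024_.*", r".*_WITH_DES_.*",
     r".*_WITH_AES_.*", r".*_WITH_NULL_.*"],
    [r".*_DH_anon_.*"],
)

# Tightened filter: name the three wanted suites exactly (3DES only because
# the question asks for it) and reject every anonymous key exchange
# regardless of whether the name starts with DH_ or ECDH_.
STRICT = (
    [r"TLS_RSA_WITH_AES_(128|256)_CBC_SHA", r"SSL_RSA_WITH_3DES_EDE_CBC_SHA"],
    [r".*_anon_.*"],
)

if __name__ == "__main__":
    for name, (inc, exc) in [("proposed", PROPOSED),
                             ("doc example", DOC_EXAMPLE),
                             ("strict", STRICT)]:
        chosen = filter_suites(SUPPORTED, inc, exc)
        missing, extra = audit(chosen)
        print(f"{name}: selected={chosen}")
        print(f"  wanted but dropped={missing}")
        print(f"  admitted beyond the wanted set={extra}")
```

Two things the run makes visible that the regexes alone do not: the 3DES suite is named `..._WITH_3DES_EDE_...`, so `.*_WITH_DES_.*` never matches it while it does match single DES; and `.*_DH_.*` (or `.*_DH_anon_.*`) does not match `TLS_ECDH_anon_...`, because the character before `DH_` there is `C`, not `_`. Naming the wanted suites exactly, as the strict filter does, avoids both surprises, and auditing the selected list against the wanted set is a cheap check to keep in a test.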