Hi Andrei,

The example you cited is an old way of configuring the TLS CipherSuites,
and definitely not the recommended one any more.

The recommended approach with the latest versions of CXF is just not to
specify a CipherSuite filter at all. CXF then falls back to using the JDK
defaults.

If you are explicitly including/excluding cipher suites via the filter, you
should at least consider excluding all NULL, anon, EXPORT + DES cipher
suites (this is the default if you are including, but haven't specified any
excluding filters).

Colm.

On Sun, Jul 26, 2015 at 12:35 PM, Andrei Shakirin <[email protected]>
wrote:

> Hi,
>
> I assume that you are configuring a client-side conduit.
> For the client I would suggest following the CXF example for TLS client
> parameters:
>
>             <sec:cipherSuitesFilter>
>                 <!-- these filters ensure that a ciphersuite with
>                   export-suitable or null encryption is used,
>                   but exclude anonymous Diffie-Hellman key change as
>                   this is vulnerable to man-in-the-middle attacks -->
>                 <sec:include>.*_EXPORT_.*</sec:include>
>                 <sec:include>.*_EXPORT1024_.*</sec:include>
>                 <sec:include>.*_WITH_DES_.*</sec:include>
>                 <sec:include>.*_WITH_AES_.*</sec:include>
>                 <sec:include>.*_WITH_NULL_.*</sec:include>
>                 <sec:exclude>.*_DH_anon_.*</sec:exclude>
>             </sec:cipherSuitesFilter>
>
> It includes the most popular ciphers and excludes the vulnerable anonymous
> Diffie-Hellman one.
> So your client will be flexible and safe.
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: James Y. Li [mailto:[email protected]]
> > Sent: Freitag, 24. Juli 2015 06:14
> > To: [email protected]
> > Subject: cipherSuites Filtering
> >
> > Hi All,
> > I am trying to write a cipherSuitesFilter which excludes DH ciphers and
> > includes the following ciphers:
> >
> > AES256-SHA    SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
> >
> > DES-CBC3-SHA  SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
> >
> > AES128-SHA    SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
> >
> > And I referred to the example at
> > http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-ConfiguringSSLSupport
> >
> > So should my filter look like this? Should I include more restrictions
> > on 'Au', 'Mac' as above?
> >
> >     <sec:cipherSuitesFilter>
> >         <sec:include>.*_WITH_AES_.*</sec:include>
> >         <sec:include>.*_WITH_DES_.*</sec:include>
> >         <sec:exclude>.*_DH_.*</sec:exclude>
> >     </sec:cipherSuitesFilter>
> >
> > Thanks!
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
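To make the include/exclude behaviour Colm describes concrete, here is an added Python model (not CXF code and not written by anyone in this thread) that applies the quoted documentation filter and a hardened variant to a constructed list of JDK-style suite names; the matching semantics and the default-exclusion regexes are assumptions derived from the message, not copied from CXF.

```python
import re

# Default exclusions the reply describes (NULL, anon, EXPORT, DES), applied
# only when includes are given but no excludes. The regexes are my rendering
# of those four families, not copied from CXF.
DEFAULT_EXCLUDES = (".*NULL.*", ".*anon.*", ".*EXPORT.*", ".*DES.*")

# Constructed sample of JDK-style cipher suite names (not a real JDK list).
SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]


def filter_suites(supported, includes, excludes=None):
    """A suite is selected when it fully matches (Java Pattern.matches style)
    at least one include and no exclude; with no excludes given, the default
    weak-family exclusions apply instead (assumed semantics)."""
    inc = [re.compile(p) for p in includes]
    exc = [re.compile(p) for p in (excludes or DEFAULT_EXCLUDES)]
    return [s for s in supported
            if any(r.fullmatch(s) for r in inc)
            and not any(r.fullmatch(s) for r in exc)]


def weak(selected):
    """Selected suites that still fall in one of the weak families."""
    return [s for s in selected
            if any(re.fullmatch(p, s) for p in DEFAULT_EXCLUDES)]


def doc_example():
    # Filter from the quoted documentation example: its explicit anon
    # exclude replaces the defaults, so EXPORT/NULL/DES suites get through.
    includes = [".*_EXPORT_.*", ".*_EXPORT1024_.*", ".*_WITH_DES_.*",
                ".*_WITH_AES_.*", ".*_WITH_NULL_.*"]
    return filter_suites(SUPPORTED, includes, [".*_DH_anon_.*"])


def hardened_example():
    # Once any exclude is explicit, every weak family must be listed too.
    return filter_suites(SUPPORTED, [".*_WITH_AES_.*"],
                         [".*_DH_anon_.*", *DEFAULT_EXCLUDES])
```

Calling `weak(doc_example())` lists the DES, EXPORT and NULL suites the documentation filter admits, while `weak(hardened_example())` is empty.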