Hi,

@Colm: thanks for the update, my status was outdated (CXF 2.X.X).
@James: sorry for the confusion, please follow Colm's suggestions if you use a new CXF version.

Regards,
Andrei.

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Wednesday, 29 July 2015 16:20
> To: [email protected]
> Subject: Re: cipherSuites Filtering
>
> Hi Andrei,
>
> The example you cited is an old way of configuring the TLS CipherSuites, and
> definitely not the recommended one any more.
>
> The recommended approach with the latest versions of CXF is just not to specify
> a CipherSuite filter at all. CXF then falls back to using the JDK defaults.
>
> If you are explicitly including/excluding cipher suites via the filter, you should at
> least consider excluding all NULL, anon, EXPORT + DES cipher suites (this is the
> default if you are including, but haven't specified any excluding filters).
>
> Colm.
>
> On Sun, Jul 26, 2015 at 12:35 PM, Andrei Shakirin <[email protected]> wrote:
>
> > Hi,
> >
> > I assume that you are configuring a client side conduit.
> > For the client I would suggest following the CXF example for TLS client parameters:
> >
> >   <sec:cipherSuitesFilter>
> >     <!-- these filters ensure that a ciphersuite with
> >          export-suitable or null encryption is used,
> >          but exclude anonymous Diffie-Hellman key change as
> >          this is vulnerable to man-in-the-middle attacks -->
> >     <sec:include>.*_EXPORT_.*</sec:include>
> >     <sec:include>.*_EXPORT1024_.*</sec:include>
> >     <sec:include>.*_WITH_DES_.*</sec:include>
> >     <sec:include>.*_WITH_AES_.*</sec:include>
> >     <sec:include>.*_WITH_NULL_.*</sec:include>
> >     <sec:exclude>.*_DH_anon_.*</sec:exclude>
> >   </sec:cipherSuitesFilter>
> >
> > It includes the most popular ciphers and excludes the vulnerable anonymous
> > Diffie-Hellman one.
> > So your client will be flexible and safe.
> >
> > Regards,
> > Andrei.
> >
> > > -----Original Message-----
> > > From: James Y. Li [mailto:[email protected]]
> > > Sent: Friday, 24 July 2015 06:14
> > > To: [email protected]
> > > Subject: cipherSuites Filtering
> > >
> > > Hi All,
> > > I am trying to write a cipherSuitesFilter which excludes DH ciphers and
> > > includes the following ciphers:
> > >
> > > AES256-SHA   (SSLv3 Kx=RSA Au=RSA Enc=AES(256)  Mac=SHA1)
> > > DES-CBC3-SHA (SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1)
> > > AES128-SHA   (SSLv3 Kx=RSA Au=RSA Enc=AES(128)  Mac=SHA1)
> > >
> > > And I referred to the example at
> > > http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html#ClientHTTPTransport(includingSSLsupport)-ConfiguringSSLSupport
> > >
> > > So should my filter look like this? Should I include more restrictions
> > > on 'Au', 'Mac' as above?
> > >
> > >   <sec:cipherSuitesFilter>
> > >     <sec:include>.*_WITH_AES_.*</sec:include>
> > >     <sec:include>.*_WITH_DES_.*</sec:include>
> > >     <sec:exclude>.*_DH_.*</sec:exclude>
> > >   </sec:cipherSuitesFilter>
> > >
> > > Thanks!
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
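To make the difference between the three filters in this thread concrete, the following is an added example written for this page; it is not code from CXF or from any of the posters. It models the include/exclude semantics of `cipherSuitesFilter` as the thread describes them (a suite is selected when it matches at least one `<sec:include>` pattern and no `<sec:exclude>` pattern; this is an assumption about CXF's behaviour, not a quote of its source), runs the old example filter, James's draft and a hardened variant built from Colm's advice (the hardened list is my construction) over a constructed list of JSSE cipher suite names, and flags the suites Colm's reply says should be excluded (NULL, anon, EXPORT, DES).

```python
import re

# Constructed sample of JSSE cipher suite names, shaped like what
# SSLSocketFactory.getSupportedCipherSuites() returns on an older JDK.
# The list is made up for this demonstration, not captured from any host.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",       # James's DES-CBC3-SHA in JSSE naming
    "SSL_RSA_WITH_DES_CBC_SHA",            # single DES
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",   # export grade
    "SSL_RSA_WITH_NULL_SHA",               # no encryption at all
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",    # anonymous DH, no authentication
    "SSL_DH_anon_WITH_DES_CBC_SHA",
]

# The two filters quoted in the thread, verbatim.
LEGACY_INCLUDES = [r".*_EXPORT_.*", r".*_EXPORT1024_.*", r".*_WITH_DES_.*",
                   r".*_WITH_AES_.*", r".*_WITH_NULL_.*"]
LEGACY_EXCLUDES = [r".*_DH_anon_.*"]

JAMES_INCLUDES = [r".*_WITH_AES_.*", r".*_WITH_DES_.*"]
JAMES_EXCLUDES = [r".*_DH_.*"]

# A hardened variant following Colm's advice (my construction, not from CXF):
# include only AES suites and exclude the NULL / anon / EXPORT / DES families.
HARDENED_INCLUDES = [r".*_WITH_AES_.*"]
HARDENED_EXCLUDES = [r".*_NULL_.*", r".*anon.*", r".*EXPORT.*", r".*_DES_.*"]

# Patterns for the four categories Colm's reply says to exclude. Note that
# ".*_DES_.*" matches single DES (_DES_) but not 3DES (_3DES_), which is how
# the JSSE names separate the two.
WEAK_PATTERNS = [r".*_NULL_.*", r".*anon.*", r".*EXPORT.*", r".*_DES_.*"]


def apply_filter(supported, includes, excludes):
    """Model of CXF's cipherSuitesFilter (an assumption about its semantics,
    consistent with the thread): a suite is selected when it matches at least
    one include pattern and no exclude pattern. Patterns are matched against
    the whole suite name, which is why the thread's patterns are wrapped in '.*'."""
    inc = [re.compile(p) for p in includes]
    exc = [re.compile(p) for p in excludes]
    return [s for s in supported
            if any(r.fullmatch(s) for r in inc)
            and not any(r.fullmatch(s) for r in exc)]


def weak_suites(suites):
    """Return the suites that fall into a category Colm's reply says to exclude."""
    return [s for s in suites if any(re.fullmatch(p, s) for p in WEAK_PATTERNS)]


def report(name, includes, excludes):
    """Print which suites a filter selects and flag the weak ones; returns the selection."""
    selected = apply_filter(SUPPORTED_SUITES, includes, excludes)
    weak = set(weak_suites(selected))
    print(f"{name}: {len(selected)} suites selected, {len(weak)} weak")
    for s in selected:
        print(f"    {s}{'  WEAK' if s in weak else ''}")
    return selected


if __name__ == "__main__":
    report("legacy example filter", LEGACY_INCLUDES, LEGACY_EXCLUDES)
    report("James's draft filter", JAMES_INCLUDES, JAMES_EXCLUDES)
    report("hardened filter", HARDENED_INCLUDES, HARDENED_EXCLUDES)
```

Two regex details surface when this is run: `.*_WITH_DES_.*` does not match the 3DES name `SSL_RSA_WITH_3DES_EDE_CBC_SHA`, so James's draft never selects his intended DES-CBC3-SHA while it does select single DES; and `.*_DH_.*` excludes `DH_anon` and static `DH_` suites but not `DHE_` ones, since the `E` breaks the `_DH_` match. Colm's first recommendation, leaving the filter out and letting the JDK defaults apply, avoids having to reason about these patterns at all.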
