...

Trust Manager sample:
    <httpj:tlsServerParameters>
        ...
        <sec:trustManagers>
            <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
        </sec:trustManagers>
        ...
    </httpj:tlsServerParameters>

TLS CipherSuites

...

When CXF selects the CipherSuites to use in a TLS connection, it selects them in the following order:

  1. The explicit "cipherSuite" configuration, if defined (see below).
  2. The ciphersuites defined via the system property "https.cipherSuites", if set.
  3. The default JVM CipherSuites, if no filters (see below) have been defined.
  4. The supported cipher suites (*not* the default JVM CipherSuites), with the filters applied.

CipherSuites

We can select explicit CipherSuites to use in configuration, for example:

CipherSuites Filter sample:
    <httpj:tlsServerParameters>
        ...
         <sec:cipherSuites>
             <sec:cipherSuite>TLS_AES_128_GCM_SHA256</sec:cipherSuite>
         </sec:cipherSuites>
        ...
    </httpj:tlsServerParameters>

CipherSuites Filter

The CipherSuites Filter is used to either include or exclude particular CipherSuites. If no exclusion filter is specified, the defaults are as follows:

CipherSuite Filter    Since CXF version
.*_NULL_.*
.*_anon_.*
.*_DES_.*             CXF 3.0.3
.*_EXPORT_.*          CXF 3.0.4
.*_3DES_.*            CXF 3.3.0
.*_MD5                CXF 3.3.0
.*_CBC_.*             CXF 3.3.0
.*_RC4_.*             CXF 3.3.0

Example:

CipherSuites Filter sample:
    <httpj:tlsServerParameters>
        ...
        <sec:cipherSuitesFilter>
            <sec:include>.*_WITH_AES_.*</sec:include>
            <sec:exclude>.*_DH_anon_.*</sec:exclude>
        </sec:cipherSuitesFilter>
        ...
    </httpj:tlsServerParameters>
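
As an added illustration (not code from CXF or from this page), the following Python sketch applies the sample's `.*_WITH_AES_.*` include and `.*_DH_anon_.*` exclude to a constructed list of suite names, and compares the result with the default exclusions from the table. It assumes a suite is kept when its whole name matches at least one include and no exclude, and that the defaults apply only when no exclude is configured; `filter_suites`, `SUPPORTED`, `page_example` and `defaults_only` are hypothetical names.

```python
import re

# Default exclusion patterns from the table above
# (assumed to apply only when no <sec:exclude> is configured).
DEFAULT_EXCLUDES = [".*_NULL_.*", ".*_anon_.*", ".*_DES_.*", ".*_EXPORT_.*",
                    ".*_3DES_.*", ".*_MD5", ".*_CBC_.*", ".*_RC4_.*"]


def filter_suites(supported, includes, excludes=None):
    """Keep suites matching some include and no exclude.

    Assumed semantics: each pattern must match the whole suite name.
    """
    if not excludes:
        excludes = DEFAULT_EXCLUDES
    inc = [re.compile(p) for p in includes]
    exc = [re.compile(p) for p in excludes]
    return [s for s in supported
            if any(p.fullmatch(s) for p in inc)
            and not any(p.fullmatch(s) for p in exc)]


# Constructed sample of suite names a JVM might report as supported.
SUPPORTED = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",
]


def page_example():
    # Include/exclude patterns taken from the filter sample above.
    return filter_suites(SUPPORTED, [".*_WITH_AES_.*"], [".*_DH_anon_.*"])


def defaults_only():
    # Same include, no explicit exclude: the default exclusions apply.
    return filter_suites(SUPPORTED, [".*_WITH_AES_.*"])


if __name__ == "__main__":
    print("sample filter:   ", page_example())
    print("default excludes:", defaults_only())
```

Under these assumptions the sample's filter still admits a CBC suite and `TLS_ECDH_anon_WITH_AES_128_CBC_SHA`, which `.*_DH_anon_.*` does not match, while the default exclusions leave only the GCM suite. The TLS 1.3 name `TLS_AES_128_GCM_SHA256` is selected by neither, because it contains no `_WITH_`.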

...