...
```xml
<httpj:tlsServerParameters>
  ...
  <sec:trustManagers>
    <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
  </sec:trustManagers>
  ...
</httpj:tlsServerParameters>
```
TLS CipherSuites
...
When CXF selects the CipherSuites to use in a TLS Connection, it selects them in the following order:
- If we have defined explicit "cipherSuite" configuration (see below)
- If we have defined ciphersuites via the system property "https.cipherSuites".
- The default JVM CipherSuites, if no filters (see below) have been defined
- Filter the supported cipher suites (*not* the default JVM CipherSuites)
CipherSuites
We can select explicit CipherSuites to use in configuration, for example:
```xml
<httpj:tlsServerParameters>
  ...
  <sec:cipherSuites>
    <sec:cipherSuite>TLS_AES_128_GCM_SHA256</sec:cipherSuite>
  </sec:cipherSuites>
  ...
</httpj:tlsServerParameters>
```
CipherSuites Filter
The CipherSuites Filter is used to either include or exclude particular CipherSuites. If no exclusion filter is specified, the defaults are as follows:
CipherSuite Filter | Since CXF version |
---|---|
.*_NULL_.* | |
.*_anon_.* | |
.*_DES_.* | CXF 3.0.3 |
.*_EXPORT_.* | CXF 3.0.4 |
.*_3DES_.* | CXF 3.3.0 |
.*_MD5 | CXF 3.3.0 |
.*_CBC_.* | CXF 3.3.0 |
.*_RC4_.* | CXF 3.3.0 |
Example (note that because this configuration specifies its own `<sec:exclude>`, the default exclusions listed above no longer apply to it):
```xml
<httpj:tlsServerParameters>
  ...
  <sec:cipherSuitesFilter>
    <sec:include>.*_EXPORT1024_.*</sec:include>
    <sec:include>.*_WITH_DES_.*</sec:include>
    <sec:include>.*_WITH_AES_.*</sec:include>
    <sec:exclude>.*_DH_anon_.*</sec:exclude>
  </sec:cipherSuitesFilter>
  ...
</httpj:tlsServerParameters>
```
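As an added illustration (not CXF's own code) of how the include/exclude patterns select from the JVM's supported suites, the following Python models the filter described above against a constructed list of JSSE-style suite names. It assumes patterns are whole-name matches (Java `Pattern.matches` semantics) and uses the CXF 3.3.0 default exclusion list from the table; it compares the default filtering with the configuration example just shown.

```python
import re

# Default exclusion patterns from the table above (the CXF 3.3.0 set).
DEFAULT_EXCLUDES = [r".*_NULL_.*", r".*_anon_.*", r".*_DES_.*", r".*_EXPORT_.*",
                    r".*_3DES_.*", r".*_MD5", r".*_CBC_.*", r".*_RC4_.*"]

# Constructed sample of suites a JVM might report as *supported* (the
# filter runs over supported suites, not the default-enabled set).
SUPPORTED = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",   # "_3DES_" is not matched by ".*_DES_.*"
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
]


def filter_suites(supported, includes=None, excludes=None):
    """A suite survives when it matches at least one include pattern and no
    exclude pattern. No includes means 'include everything'; no excludes
    means the default exclusion list applies. Assumption: patterns are
    whole-name matches, which is the only reading under which ".*_MD5" works."""
    inc = [re.compile(p) for p in (includes or [".*"])]
    exc = [re.compile(p) for p in (excludes or DEFAULT_EXCLUDES)]
    return [s for s in supported
            if any(p.fullmatch(s) for p in inc)
            and not any(p.fullmatch(s) for p in exc)]


def default_filtered(supported=SUPPORTED):
    # No filter configured: only the default exclusions apply.
    return filter_suites(supported)


def page_example_filtered(supported=SUPPORTED):
    # The include/exclude set from the configuration example above. Because it
    # specifies an exclude, the defaults are replaced, so DES/EXPORT suites return.
    return filter_suites(supported,
                         includes=[".*_EXPORT1024_.*", ".*_WITH_DES_.*", ".*_WITH_AES_.*"],
                         excludes=[".*_DH_anon_.*"])


if __name__ == "__main__":
    print("default exclusions:", default_filtered())
    print("page example filter:", page_example_filtered())
```

Note that the example's include patterns all contain `_WITH_`, so a TLS 1.3 suite such as `TLS_AES_128_GCM_SHA256` is not selected by them at all.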
...