From 65cdf9b59c2d2836bdc24cca27992a1f32f7876e Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 21 Oct 2016 10:21:48 +0200 Subject: update default list of allowed SSL ciphers --- .../moa/id/auth/MOAIDAuthInitializer.java | 50 ++++++++++++++-------- 1 file changed, 32 insertions(+), 18 deletions(-) (limited to 'id/server/idserverlib') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java index 11f47052e..5769d99df 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -39,8 +39,8 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SSLUtils; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; -import at.gv.egovernment.moa.spss.server.iaik.config.IaikConfigurator; +import at.gv.egovernment.moa.spss.MOAException; +import at.gv.egovernment.moa.spss.api.Configurator; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moaspss.logging.LoggingContext; import at.gv.egovernment.moaspss.logging.LoggingContextManager; @@ -72,16 +72,31 @@ public class MOAIDAuthInitializer { MailcapCommandMap mc = new MailcapCommandMap(); CommandMap.setDefaultCommandMap(mc); + //allowed SSL ciphers regarding to PVP SMA 1.3 document if (MiscUtil.isEmpty(System.getProperty("https.cipherSuites"))) System.setProperty( "https.cipherSuites", - "TLS_DH_anon_WITH_AES_128_CBC_SHA" + + //high secure RSA bases ciphers + ",TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" + + ",TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" + + ",TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" + + ",TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" + + + //high secure ECC bases ciphers + ",TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" + + ",TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + + ",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + + ",TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + + ",TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" + + ",TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" + + ",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" + + ",TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" + + + //secure backup chipers + ",TLS_DHE_RSA_WITH_AES_256_CBC_SHA" + ",TLS_DHE_RSA_WITH_AES_128_CBC_SHA" + - ",TLS_DHE_DSS_WITH_AES_128_CBC_SHA" + ",TLS_RSA_WITH_AES_128_CBC_SHA" + - ",TLS_RSA_WITH_AES_256_CBC_SHA" + - ",SSL_DH_anon_WITH_3DES_EDE_CBC_SHA" + - ",SSL_RSA_WITH_3DES_EDE_CBC_SHA" + ",TLS_RSA_WITH_AES_256_CBC_SHA" ); @@ -122,17 +137,16 @@ public class MOAIDAuthInitializer { //MOA-SP is only use by API calls since MOA-ID 3.0.0 try { LoggingContextManager.getInstance().setLoggingContext( - new LoggingContext("startup")); - ConfigurationProvider config = ConfigurationProvider - .getInstance(); - new IaikConfigurator().configure(config); - - } catch (at.gv.egovernment.moa.spss.server.config.ConfigurationException ex) { - Logger.error("MOA-SP initialization FAILED!", ex.getWrapped()); - throw new ConfigurationException("config.10", new Object[] { ex - .toString() }, ex); - - } + new LoggingContext("startup")); + Logger.debug("Starting MOA-SPSS initialization process ... "); + Configurator.getInstance().init(); + Logger.info("MOA-SPSS initialization complete "); + + } catch (MOAException e) { + Logger.error("MOA-SP initialization FAILED!", e.getWrapped()); + throw new ConfigurationException("config.10", new Object[] { e + .toString() }, e); + } //IAIK.addAsProvider(); -- cgit v1.2.3