From 9ed7dbcf2f06b8cdea0648a6dd18ebecbe987568 Mon Sep 17 00:00:00 2001
From: Tobias Kellner <tobias.kellner@iaik.tugraz.at>
Date: Tue, 20 Oct 2015 17:25:11 +0200
Subject: Disabling of EC cipher suites not needed anymore

---
 .../java/at/gv/egiz/bku/webstart/Container.java    | 43 -----------
 .../egiz/bku/spring/InternalSSLSocketFactory.java  | 83 ----------------------
 .../gv/egiz/bku/spring/SSLSocketFactoryBean.java   | 51 +------------
 3 files changed, 1 insertion(+), 176 deletions(-)
 delete mode 100644 bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java

diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
index 5285382c..9eaa13b2 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
@@ -116,49 +116,6 @@ public class Container {
     sslConnector.setPassword(passwd);
     sslConnector.setKeyPassword(passwd);
 
-    //avoid jetty's ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
-    String[] RFC4492CipherSuites = new String[] {
-      "TLS_ECDH_ECDSA_WITH_NULL_SHA",
-      "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
-      "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
-      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
-      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
-      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
-      "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
-      "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
-      "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
-      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,"+
-      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-      "TLS_ECDH_RSA_WITH_NULL_SHA",
-      "TLS_ECDH_RSA_WITH_RC4_128_SHA",
-      "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
-      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
-      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
-      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,",
-      "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_ECDHE_RSA_WITH_NULL_SHA",
-      "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
-      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-      "TLS_ECDH_anon_WITH_NULL_SHA",
-      "TLS_ECDH_anon_WITH_RC4_128_SHA",
-      "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
-      "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
-      "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
-    };
-
-    sslConnector.setExcludeCipherSuites(RFC4492CipherSuites);
-
     server.setConnectors(new Connector[]{connector, sslConnector});
 
     webapp = new WebAppContext();
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java
deleted file mode 100644
index a9e96126..00000000
--- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/InternalSSLSocketFactory.java
+++ /dev/null
@@ -1,83 +0,0 @@
-package at.gv.egiz.bku.spring;
-
-import java.io.IOException;
-import java.net.InetAddress;
-import java.net.Socket;
-import java.net.UnknownHostException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
-
-public class InternalSSLSocketFactory extends SSLSocketFactory {
-
-	private SSLSocketFactory proxy;
-	private String[] suites;
-
-	public InternalSSLSocketFactory(SSLSocketFactory socketFactory,
-			String[] disabledSuites) {
-		this.proxy = socketFactory;
-		List<String> dSuites = Arrays.asList(disabledSuites);
-		List<String> suites = new ArrayList<String>(Arrays.asList(proxy.getDefaultCipherSuites()));
-		suites.removeAll(dSuites);
-		this.suites = suites.toArray(new String[suites.size()]);
-	}
-
-	@Override
-	public Socket createSocket(Socket s, String host, int port,
-			boolean autoClose) throws IOException {
-		Socket socket = proxy.createSocket(s, host, port, autoClose);
-		setCipherSuites(socket);
-		return socket;
-	}
-
-	@Override
-	public String[] getDefaultCipherSuites() {
-		return suites;
-	}
-
-	@Override
-	public String[] getSupportedCipherSuites() {
-		return proxy.getSupportedCipherSuites();
-	}
-
-	@Override
-	public Socket createSocket(String host, int port) throws IOException,
-			UnknownHostException {
-		Socket socket = proxy.createSocket(host, port);
-		setCipherSuites(socket);
-		return socket;
-	}
-
-	@Override
-	public Socket createSocket(InetAddress host, int port) throws IOException {
-		Socket socket = proxy.createSocket(host, port);
-		setCipherSuites(socket);
-		return socket;
-	}
-
-	@Override
-	public Socket createSocket(String host, int port, InetAddress localHost,
-			int localPort) throws IOException, UnknownHostException {
-		Socket socket = proxy.createSocket(host, port, localHost,
-				localPort);
-		setCipherSuites(socket);
-		return socket;
-	}
-
-	@Override
-	public Socket createSocket(InetAddress address, int port,
-			InetAddress localAddress, int localPort) throws IOException {
-		Socket socket = proxy.createSocket(address, port, localAddress,
-				localPort);
-		setCipherSuites(socket);
-		return socket;
-	}
-
-	private void setCipherSuites(Socket socket) {
-		if (socket instanceof SSLSocket)
-			((SSLSocket) socket).setEnabledCipherSuites(suites);
-	}
-}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
index f49c1c17..a16265c9 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/spring/SSLSocketFactoryBean.java
@@ -49,47 +49,6 @@ public class SSLSocketFactoryBean implements FactoryBean {
 
     private Configuration configuration;
 
-    //avoid ClassCastException: iaik.security.ecc.ecdsa.ECPublicKey cannot be cast to java.security.interfaces.ECPublicKey
-    private final String DEFAULT_DISABLED_CIPHER_SUITES =
-      "TLS_ECDH_ECDSA_WITH_NULL_SHA," +
-      "TLS_ECDH_ECDSA_WITH_RC4_128_SHA," +
-      "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +
-      "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +
-      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +
-      "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,"+
-      "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256," +
-      "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384," +
-      "TLS_ECDHE_ECDSA_WITH_NULL_SHA," +
-      "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA," +
-      "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +
-      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +
-      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +
-      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,"+
-      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
-      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384," +
-      "TLS_ECDH_RSA_WITH_NULL_SHA," +
-      "TLS_ECDH_RSA_WITH_RC4_128_SHA," +
-      "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +
-      "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +
-      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +
-      "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,"+
-      "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256," +
-      "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384," +
-      "TLS_ECDHE_RSA_WITH_NULL_SHA," +
-      "TLS_ECDHE_RSA_WITH_RC4_128_SHA," +
-      "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +
-      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +
-      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," +
-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +
-      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,"+
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
-      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
-      "TLS_ECDH_anon_WITH_NULL_SHA," +
-      "TLS_ECDH_anon_WITH_RC4_128_SHA," +
-      "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA," +
-      "TLS_ECDH_anon_WITH_AES_128_CBC_SHA," +
-      "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
-
     public static final String SSL_PROTOCOL = "SSL.sslProtocol";
 
     public static final String SSL_DISABLE_ALL_CHECKS = "SSL.disableAllChecks";
@@ -103,12 +62,6 @@ public class SSLSocketFactoryBean implements FactoryBean {
     public boolean disableAllSslChecks() {
       return configuration.getBoolean(SSL_DISABLE_ALL_CHECKS, false);
     }
-
-    public String[] getDisabledCipherSuites() {
-      String suites = configuration.getString(SSL_DISABLED_CIPHER_SUITES,
-            DEFAULT_DISABLED_CIPHER_SUITES);
-      return suites.split(",");
-    }
   }
 
   /**
@@ -148,9 +101,7 @@ public class SSLSocketFactoryBean implements FactoryBean {
     SSLContext sslContext = SSLContext.getInstance(configurationFacade.getSslProtocol());
     sslContext.init(null, new TrustManager[] {pkiTrustManager}, null);
 
-    SSLSocketFactory ssf = sslContext.getSocketFactory();
-
-    return new InternalSSLSocketFactory(ssf, configurationFacade.getDisabledCipherSuites());
+    return sslContext.getSocketFactory();
   }
 
   @Override
-- 
cgit v1.2.3