From 0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb Mon Sep 17 00:00:00 2001
From: Joakim Erdfelt
Date: Wed, 13 Jan 2016 15:00:16 -0700
Subject: [PATCH] 485714 - Update SSL configuration to mitigate SLOTH vulnerability
---
 .../eclipse/jetty/server/ssl/SSLCloseTest.java | 6 ++++--
 .../eclipse/jetty/server/ssl/SSLEngineTest.java | 2 +-
 .../eclipse/jetty/util/ssl/SslContextFactory.java | 8 ++------
 .../jetty/util/ssl/SslContextFactoryTest.java | 15 +++++++++++++++
 4 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java
index f353e7f09ae..2d23ff564bf 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLCloseTest.java
@@ -27,6 +27,7 @@ import java.net.Socket;
 import java.nio.charset.StandardCharsets;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -36,6 +37,7 @@ import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
 import org.eclipse.jetty.server.handler.AbstractHandler;
 import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.eclipse.jetty.util.TypeUtil;
 import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.junit.Test;
@@ -58,8 +60,8 @@ public class SSLCloseTest
 server.addConnector(connector);
 server.setHandler(new WriteHandler());
 server.start();
-
- SSLContext ctx=SSLContext.getInstance("SSLv3");
+
+ SSLContext ctx=SSLContext.getInstance("TLSv1.2");
 ctx.init(null,SslContextFactory.TRUST_ALL_CERTS,new java.security.SecureRandom());
 int port=connector.getLocalPort();
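Review bot: `javax.net.ssl.SSLEngine` and, in the next hunk of this file, `org.eclipse.jetty.util.TypeUtil` are imported, but no hunk of SSLCloseTest.java references either name; unless code outside the shown hunks uses them, both are unused imports and should be dropped so Checkstyle and the IDE stay quiet. The third hunk, which switches the client context from SSLv3 to TLSv1.2, only needs `SSLContext`, which was already imported.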
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java
index 9b76d0e7023..a010774b156 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SSLEngineTest.java
@@ -189,7 +189,7 @@ public class SSLEngineTest
 Socket[] client=new Socket[numConns];
- SSLContext ctx=SSLContext.getInstance("SSLv3");
+ SSLContext ctx=SSLContext.getInstance("TLSv1.2");
 ctx.init(null,SslContextFactory.TRUST_ALL_CERTS,new java.security.SecureRandom());
 int port=connector.getLocalPort();
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index 5025b2da2c4..42f109c7d4d 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -250,14 +250,10 @@ public class SslContextFactory extends AbstractLifeCycle
 setTrustAll(trustAll);
 addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
 setExcludeCipherSuites(
- "SSL_RSA_WITH_DES_CBC_SHA",
- "SSL_DHE_RSA_WITH_DES_CBC_SHA",
+ "^.*_RSA_.*_(MD5|SHA|SHA1)$",
 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
- "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
- "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
- "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
-}
+ }
 /**
 * Construct an instance of SslContextFactory
diff --git a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
index 0ca664436f0..a5e65c02513 100644
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java
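Review bot: The new exclusion `"^.*_RSA_.*_(MD5|SHA|SHA1)$"` in SslContextFactory.java removes every RSA-authenticated suite whose record MAC is SHA-1, including `TLS_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, which are the only kind of RSA suite defined below TLS 1.2, while the `addExcludeProtocols` call above still leaves TLSv1 and TLSv1.1 enabled; with an RSA server certificate a client limited to those versions has no suite left and the handshake fails. If that is the intent, exclude those protocol versions explicitly so the failure is deliberate rather than incidental; if not, keep the pattern to the MD5, export and DES entries it replaced. The pattern also only constrains the record MAC named in the suite, whereas the SLOTH issue in the subject line concerns the hash accepted for handshake signatures, which suite names do not express and which the JSSE provider's algorithm-constraint settings govern, so the entry deserves a comment making that scope explicit, e.g. `// 485714: drop RSA suites with MD5/SHA-1 record MACs; handshake signature hashes are governed by the JSSE provider, not by suite names`. Mixing a regex with the literal suite names that follow also relies on `setExcludeCipherSuites` compiling each entry as a pattern, which this hunk does not show. The constructor holding this list starts before the hunk.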
@@ -29,6 +29,7 @@ import static org.junit.Assert.assertTrue;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyStore;
+import java.util.Arrays;
 import javax.net.ssl.SSLEngine;
@@ -56,6 +57,20 @@ public class SslContextFactoryTest
 cf = new SslContextFactory();
 }
+ @Test
+ public void testSLOTH() throws Exception
+ {
+ cf.setKeyStorePassword("storepwd");
+ cf.setKeyManagerPassword("keypwd");
+
+ cf.start();
+
+ System.err.println(Arrays.asList(cf.getSelectedProtocols()));
+ for (String cipher : cf.getSelectedCipherSuites())
+ System.err.println(cipher);
+
+ }
+
 @Test
 public void testNoTsFileKs() throws Exception
 {
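Review bot: `testSLOTH` asserts nothing; it only prints the selected protocols and cipher suites to stderr, so a regression that reintroduces an `_MD5`/`_SHA` RSA suite or SSLv3 would still pass. Replace the `System.err.println(cipher)` in the loop with `assertTrue(cipher, !cipher.matches("^.*_RSA_.*_(MD5|SHA|SHA1)$"));` and the protocol print with `assertTrue(!Arrays.asList(cf.getSelectedProtocols()).contains("SSLv3"));`, using the `assertTrue` already imported statically at the top of the file. The test also calls `cf.start()` with no matching `cf.stop()`; if the surrounding fixture does not stop it, wrap the body so the factory is stopped in a `finally`. A short Javadoc on the method naming bug 485714 and stating what the assertions protect would help the next reader.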