Issue #2807 - Updating Default TLS Cipher Suite Exclusions

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>

jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java

@@ -212,7 +212,20 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     {
         setTrustAll(trustAll);
         addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
+
+        // Exclude weak / insecure ciphers
         setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
+        // Exclude ciphers that don't support forward secrecy
+        addExcludeCipherSuites("^TLS_RSA_.*$");
+
+        /* The following exclusions are present to cleanup known bad cipher suites
+         * that are accidentally added via Include patterns.
+         * The default enabled cipher list in Java will not include these
+         * (but they are available in the supported list) */
+        addExcludeCipherSuites("^SSL_.*$");
+        addExcludeCipherSuites("^.*_NULL_.*$");
+        addExcludeCipherSuites("^.*_anon_.*$");
+
         if (keyStorePath != null)
             setKeyStorePath(keyStorePath);
     }