From 5e07592a692e7400cd641e608decd8e0c942872d Mon Sep 17 00:00:00 2001
From: Joakim Erdfelt
Date: Thu, 23 Aug 2018 18:08:35 -0500
Subject: [PATCH] Issue #2807 - Updating Default TLS Cipher Suite Exclusions

Signed-off-by: Joakim Erdfelt
---
 .../eclipse/jetty/util/ssl/SslContextFactory.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index 206f6017930..70a87b6e9dc 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -212,7 +212,20 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
 {
 setTrustAll(trustAll);
 addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
+
+ // Exclude weak / insecure ciphers
 setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
+ // Exclude ciphers that don't support forward secrecy
+ addExcludeCipherSuites("^TLS_RSA_.*$");
+
+ /* The following exclusions are present to cleanup known bad cipher suites
+ * that are accidentally added via Include patterns.
+ * The default enabled cipher list in Java will not include these
+ * (but they are available in the supported list) */
+ addExcludeCipherSuites("^SSL_.*$");
+ addExcludeCipherSuites("^.*_NULL_.*$");
+ addExcludeCipherSuites("^.*_anon_.*$");
+
 if (keyStorePath != null)
 setKeyStorePath(keyStorePath);
 }
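Review bot: The comment `// Exclude ciphers that don't support forward secrecy` promises more than the pattern `^TLS_RSA_.*$` beneath it delivers: it removes only static-RSA key exchange, while the static ECDH suites JSSE also ships (`TLS_ECDH_RSA_*`, `TLS_ECDH_ECDSA_*`) equally lack forward secrecy and stay enabled. Either add `addExcludeCipherSuites("^TLS_ECDH_(RSA|ECDSA)_.*$");` next to it, or narrow the comment to `// Exclude static RSA key exchange (no forward secrecy)` so the default is not mistaken for a complete PFS-only policy. The blanket `^SSL_.*$` exclusion deserves a note as well, since on JSSE implementations that name every suite with an `SSL_` prefix (IBM's does, as far as I recall) it would exclude all suites and break the connector; hedged, but worth a comment such as `// NOTE: assumes Oracle/OpenJDK suite naming; SSL_-prefixed JSSE providers would lose all suites here`. The enclosing constructor's signature sits above the hunk.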