From 21a618e6a863e13c11a1c776e995ec29d25967f7 Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Thu, 21 Jul 2016 12:39:07 +1000
Subject: [PATCH 1/2] SLOTH protection #631 Exclude all MD5 and SHA1 ciperhs, not just RSA based ones.
---
 .../java/org/eclipse/jetty/util/ssl/SslContextFactory.java | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index d55ba20247e..9e65738728f 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -250,10 +250,7 @@ public class SslContextFactory extends AbstractLifeCycle
 {
 setTrustAll(trustAll);
 addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
- setExcludeCipherSuites(
- "^.*_RSA_.*_(MD5|SHA|SHA1)$",
- "SSL_DHE_DSS_WITH_DES_CBC_SHA",
- "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
+ setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
 }
 
 /**
From 5718726a8c7ed7cf85d65d4d199ffb46eaa12131 Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Thu, 21 Jul 2016 13:01:25 +1000
Subject: [PATCH 2/2] Incorrect default ALPN protocol #671 Correctly handle protocol aliases
---
 .../server/NegotiatingServerConnectionFactory.java | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/NegotiatingServerConnectionFactory.java b/jetty-server/src/main/java/org/eclipse/jetty/server/NegotiatingServerConnectionFactory.java
index 79ab49dfed6..4ccc243de0f 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/NegotiatingServerConnectionFactory.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/NegotiatingServerConnectionFactory.java
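Review bot: The replacement pattern `^.*_(MD5|SHA|SHA1)$` on the added setExcludeCipherSuites line excludes every suite whose MAC suffix is MD5 or SHA-1, which is far broader than the RSA-only pattern it replaces and deserves a comment, because every suite negotiable under TLS 1.0/1.1 and most CBC suites end in `_SHA` or `_MD5`, so a peer that cannot negotiate a SHA-256/384 or AEAD suite is left with no options. SLOTH concerns MD5-based handshake signatures rather than the HMAC named in the suite, so the suffix match is a coarse proxy; say so with a comment such as `// Exclude every suite with an MD5 or SHA-1 MAC (#631); this also drops all suites usable under TLS 1.0/1.1`. The two DES/DES40 entries that were deleted still end in `_SHA`, so the new pattern keeps excluding them, which is worth stating in the same comment so nobody re-adds them. The `$` anchor leaves `_SHA256`/`_SHA384` suites allowed, so no explicit exception is needed; the enclosing constructor starts outside the hunk.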
@@ -98,10 +98,12 @@ public abstract class NegotiatingServerConnectionFactory extends AbstractConnect
 {
 // Generate list of protocols that we can negotiate
 negotiated = connector.getProtocols().stream()
- .map(p->connector.getConnectionFactory(p))
- .filter(f->!(f instanceof SslConnectionFactory)&&!(f instanceof NegotiatingServerConnectionFactory))
- .map(p->p.getProtocol())
- .collect(Collectors.toList());
+ .filter(p->
+ {
+ ConnectionFactory f=connector.getConnectionFactory(p);
+ return !(f instanceof SslConnectionFactory)&&!(f instanceof NegotiatingServerConnectionFactory);
+ })
+ .collect(Collectors.toList());
 }
 
 // if default protocol is not set, then it is either HTTP/1.1 or
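Review bot: The new filter lambda admits a protocol whenever `connector.getConnectionFactory(p)` returns null, because `null instanceof X` is false and both tests are negated, so if getProtocols() can ever name a protocol with no registered factory it would now be advertised for negotiation. A guard such as `return f != null && !(f instanceof SslConnectionFactory) && !(f instanceof NegotiatingServerConnectionFactory);` makes the intent explicit. Since the list now keeps the names reported by getProtocols() rather than each factory's canonical getProtocol(), every alias of a factory is presumably advertised to the peer; that may be exactly the alias fix intended, but a comment on the `// Generate list of protocols` line saying alias names are preserved on purpose would stop a later cleanup from mapping back to getProtocol(). The multi-statement lambda would also read better as a private predicate method such as `isNegotiable(Connector connector, String protocol)`. The enclosing method starts before the hunk.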