4.2. Cipher Suite Filters
Overview
In a typical application, you usually want to restrict the list of available cipher suites to a subset of the ciphers supported by the JSSE provider.
Caution
Generally, you should use the sec:cipherSuitesFilter element, instead of the sec:cipherSuites element, to select the cipher suites you want to use.
The sec:cipherSuites element is not recommended for general use, because it has rather non-intuitive semantics: you can use it to require that the loaded security provider supports at least the listed cipher suites. But the security provider that is loaded might support many more cipher suites than the ones that are specified. Hence, when you use the sec:cipherSuites element, it is not clear exactly which cipher suites are supported at run time.
Namespaces
Table 4.1, “Namespaces Used for Configuring Cipher Suite Filters” shows the XML namespaces that are referenced in this section:
Prefix | Namespace URI |
---|---|
http | http://cxf.apache.org/transports/http/configuration |
httpj | http://cxf.apache.org/transports/http-jetty/configuration |
sec | http://cxf.apache.org/configuration/security |
sec:cipherSuitesFilter element
You define a cipher suite filter using the sec:cipherSuitesFilter element, which can be a child of either a http:tlsClientParameters element or a httpj:tlsServerParameters element. A typical sec:cipherSuitesFilter element has the outline structure shown in Example 4.1, “Structure of a sec:cipherSuitesFilter Element”.
Example 4.1. Structure of a sec:cipherSuitesFilter Element
```xml
<sec:cipherSuitesFilter>
    <sec:include>RegularExpression</sec:include>
    <sec:include>RegularExpression</sec:include>
    ...
    <sec:exclude>RegularExpression</sec:exclude>
    <sec:exclude>RegularExpression</sec:exclude>
    ...
</sec:cipherSuitesFilter>
```
Semantics
The following semantic rules apply to the sec:cipherSuitesFilter element:
- If a sec:cipherSuitesFilter element does not appear in an endpoint’s configuration (that is, it is absent from the relevant http:conduit or httpj:engine-factory element), the following default filter is used:

  ```xml
  <sec:cipherSuitesFilter>
      <sec:include>.*_EXPORT_.*</sec:include>
      <sec:include>.*_EXPORT1024.*</sec:include>
      <sec:include>.*_DES_.*</sec:include>
      <sec:include>.*_WITH_NULL_.*</sec:include>
  </sec:cipherSuitesFilter>
  ```
- If the sec:cipherSuitesFilter element does appear in an endpoint’s configuration, all cipher suites are excluded by default.
- To include cipher suites, add a sec:include child element to the sec:cipherSuitesFilter element. The content of the sec:include element is a regular expression that matches one or more cipher suite names (for example, see the cipher suite names in the section called “Cipher suites supported by SunJSSE”).
- To refine the selected set of cipher suites further, you can add a sec:exclude element to the sec:cipherSuitesFilter element. The content of the sec:exclude element is a regular expression that matches zero or more cipher suite names from the currently included set.

  Note
  Sometimes it makes sense to explicitly exclude cipher suites that are currently not included, in order to future-proof against accidental inclusion of undesired cipher suites.
Regular expression matching
The grammar for the regular expressions that appear in the sec:include and sec:exclude elements is defined by the Java regular expression utility, java.util.regex.Pattern. For a detailed description of the grammar, please consult the Java reference guide, http://download.oracle.com/javase/1.5.0/docs/api/java/util/regex/Pattern.html.
Client conduit example
The following XML configuration shows an example of a client that applies a cipher suite filter to the remote endpoint, {WSDLPortNamespace}PortName. Whenever the client attempts to open an SSL/TLS connection to this endpoint, it restricts the available cipher suites to the set selected by the sec:cipherSuitesFilter element.
```xml
<beans ... >
    <http:conduit name="{WSDLPortNamespace}PortName.http-conduit">
        <http:tlsClientParameters>
            ...
            <sec:cipherSuitesFilter>
                <sec:include>.*_WITH_3DES_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
    </http:conduit>
    <bean id="cxf" class="org.apache.cxf.bus.CXFBusImpl"/>
</beans>
```
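To check what a filter really selects, the include/exclude rules from the Semantics section can be replayed against a list of suite names. The following is an added example, not code from this guide or from CXF: the class and method names are hypothetical, the sample suite names are constructed, and it assumes a pattern must match the whole suite name.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

// Hypothetical audit helper (not part of CXF).
public class CipherFilterAudit {

    // Nothing is selected unless an include pattern matches;
    // exclude patterns then prune the included set.
    static List<String> select(String[] supported,
                               List<String> includes, List<String> excludes) {
        List<String> selected = new ArrayList<>();
        for (String suite : supported) {
            if (matchesAny(suite, includes) && !matchesAny(suite, excludes)) {
                selected.add(suite);
            }
        }
        return selected;
    }

    // Assumption: whole-name match, i.e. Matcher.matches() semantics.
    static boolean matchesAny(String suite, List<String> patterns) {
        for (String p : patterns) {
            if (Pattern.matches(p, suite)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Patterns taken from the client conduit example above.
        List<String> includes = List.of(".*_WITH_3DES_.*", ".*_WITH_DES_.*");
        List<String> excludes = List.of(".*_WITH_NULL_.*", ".*_DH_anon_.*");

        // Constructed sample of JSSE-style suite names.
        String[] sample = {
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_WITH_NULL_SHA",
            "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
            "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", // "_DH_anon_" does not occur in "ECDH_anon"
            "TLS_RSA_WITH_AES_128_CBC_SHA"
        };
        System.out.println("sample:   " + select(sample, includes, excludes));

        // Same filter applied to what this JVM's default provider supports.
        String[] supported =
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        System.out.println("this JVM: " + select(supported, includes, excludes));
    }
}
```

Running it on the deployment JVM lists the suites the filter leaves enabled there, which makes gaps in an exclude pattern (such as the ECDH_anon name in the sample) visible before the configuration is deployed.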