28 package org.apache.hc.core5.http.ssl;
29
30 import java.util.ArrayList;
31 import java.util.Arrays;
32 import java.util.Collections;
33 import java.util.HashSet;
34 import java.util.List;
35 import java.util.Set;
36 import java.util.regex.Pattern;
43 public final class TlsCiphers {
44
45 private final static Set<String> H2_BLACKLISTED =
46 Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
47 "TLS_NULL_WITH_NULL_NULL",
48 "TLS_RSA_WITH_NULL_MD5",
49 "TLS_RSA_WITH_NULL_SHA",
50 "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
51 "TLS_RSA_WITH_RC4_128_MD5",
52 "TLS_RSA_WITH_RC4_128_SHA",
53 "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
54 "TLS_RSA_WITH_IDEA_CBC_SHA",
55 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
56 "TLS_RSA_WITH_DES_CBC_SHA",
57 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
58 "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
59 "TLS_DH_DSS_WITH_DES_CBC_SHA",
60 "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
61 "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
62 "TLS_DH_RSA_WITH_DES_CBC_SHA",
63 "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",
64 "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
65 "TLS_DHE_DSS_WITH_DES_CBC_SHA",
66 "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
67 "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
68 "TLS_DHE_RSA_WITH_DES_CBC_SHA",
69 "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
70 "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
71 "TLS_DH_anon_WITH_RC4_128_MD5",
72 "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
73 "TLS_DH_anon_WITH_DES_CBC_SHA",
74 "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
75 "TLS_KRB5_WITH_DES_CBC_SHA",
76 "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
77 "TLS_KRB5_WITH_RC4_128_SHA",
78 "TLS_KRB5_WITH_IDEA_CBC_SHA",
79 "TLS_KRB5_WITH_DES_CBC_MD5",
80 "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
81 "TLS_KRB5_WITH_RC4_128_MD5",
82 "TLS_KRB5_WITH_IDEA_CBC_MD5",
83 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
84 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",
85 "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
86 "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
87 "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",
88 "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
89 "TLS_PSK_WITH_NULL_SHA",
90 "TLS_DHE_PSK_WITH_NULL_SHA",
91 "TLS_RSA_PSK_WITH_NULL_SHA",
92 "TLS_RSA_WITH_AES_128_CBC_SHA",
93 "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
94 "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
95 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
96 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
97 "TLS_DH_anon_WITH_AES_128_CBC_SHA",
98 "TLS_RSA_WITH_AES_256_CBC_SHA",
99 "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
100 "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
101 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
102 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
103 "TLS_DH_anon_WITH_AES_256_CBC_SHA",
104 "TLS_RSA_WITH_NULL_SHA256",
105 "TLS_RSA_WITH_AES_128_CBC_SHA256",
106 "TLS_RSA_WITH_AES_256_CBC_SHA256",
107 "TLS_DH_DSS_WITH_AES_128_CBC_SHA256",
108 "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",
109 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
110 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
111 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",
112 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",
113 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
114 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
115 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
116 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
117 "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
118 "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
119 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
120 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
121 "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
122 "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
123 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
124 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
125 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
126 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
127 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",
128 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
129 "TLS_PSK_WITH_RC4_128_SHA",
130 "TLS_PSK_WITH_3DES_EDE_CBC_SHA",
131 "TLS_PSK_WITH_AES_128_CBC_SHA",
132 "TLS_PSK_WITH_AES_256_CBC_SHA",
133 "TLS_DHE_PSK_WITH_RC4_128_SHA",
134 "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",
135 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA",
136 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA",
137 "TLS_RSA_PSK_WITH_RC4_128_SHA",
138 "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",
139 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
140 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA",
141 "TLS_RSA_WITH_SEED_CBC_SHA",
142 "TLS_DH_DSS_WITH_SEED_CBC_SHA",
143 "TLS_DH_RSA_WITH_SEED_CBC_SHA",
144 "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
145 "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
146 "TLS_DH_anon_WITH_SEED_CBC_SHA",
147 "TLS_RSA_WITH_AES_128_GCM_SHA256",
148 "TLS_RSA_WITH_AES_256_GCM_SHA384",
149 "TLS_DH_RSA_WITH_AES_128_GCM_SHA256",
150 "TLS_DH_RSA_WITH_AES_256_GCM_SHA384",
151 "TLS_DH_DSS_WITH_AES_128_GCM_SHA256",
152 "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
153 "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
154 "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
155 "TLS_PSK_WITH_AES_128_GCM_SHA256",
156 "TLS_PSK_WITH_AES_256_GCM_SHA384",
157 "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
158 "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",
159 "TLS_PSK_WITH_AES_128_CBC_SHA256",
160 "TLS_PSK_WITH_AES_256_CBC_SHA384",
161 "TLS_PSK_WITH_NULL_SHA256",
162 "TLS_PSK_WITH_NULL_SHA384",
163 "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",
164 "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",
165 "TLS_DHE_PSK_WITH_NULL_SHA256",
166 "TLS_DHE_PSK_WITH_NULL_SHA384",
167 "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",
168 "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",
169 "TLS_RSA_PSK_WITH_NULL_SHA256",
170 "TLS_RSA_PSK_WITH_NULL_SHA384",
171 "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
172 "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",
173 "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
174 "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",
175 "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
176 "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",
177 "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
178 "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",
179 "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",
180 "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",
181 "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",
182 "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",
183 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
184 "TLS_ECDH_ECDSA_WITH_NULL_SHA",
185 "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
186 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
187 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
188 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
189 "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
190 "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
191 "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
192 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
193 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
194 "TLS_ECDH_RSA_WITH_NULL_SHA",
195 "TLS_ECDH_RSA_WITH_RC4_128_SHA",
196 "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
197 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
198 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
199 "TLS_ECDHE_RSA_WITH_NULL_SHA",
200 "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
201 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
202 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
203 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
204 "TLS_ECDH_anon_WITH_NULL_SHA",
205 "TLS_ECDH_anon_WITH_RC4_128_SHA",
206 "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
207 "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
208 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
209 "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",
210 "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",
211 "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",
212 "TLS_SRP_SHA_WITH_AES_128_CBC_SHA",
213 "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",
214 "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",
215 "TLS_SRP_SHA_WITH_AES_256_CBC_SHA",
216 "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",
217 "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",
218 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
219 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
220 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
221 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
222 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
223 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
224 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
225 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
226 "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
227 "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
228 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
229 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
230 "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
231 "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",
232 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
233 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
234 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",
235 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",
236 "TLS_ECDHE_PSK_WITH_NULL_SHA",
237 "TLS_ECDHE_PSK_WITH_NULL_SHA256",
238 "TLS_ECDHE_PSK_WITH_NULL_SHA384",
239 "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
240 "TLS_RSA_WITH_ARIA_256_CBC_SHA384",
241 "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",
242 "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",
243 "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",
244 "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",
245 "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",
246 "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",
247 "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
248 "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
249 "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256",
250 "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384",
251 "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
252 "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
253 "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",
254 "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",
255 "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
256 "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
257 "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",
258 "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",
259 "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
260 "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
261 "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",
262 "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",
263 "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",
264 "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",
265 "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256",
266 "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384",
267 "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",
268 "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",
269 "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",
270 "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",
271 "TLS_PSK_WITH_ARIA_128_CBC_SHA256",
272 "TLS_PSK_WITH_ARIA_256_CBC_SHA384",
273 "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",
274 "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",
275 "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",
276 "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",
277 "TLS_PSK_WITH_ARIA_128_GCM_SHA256",
278 "TLS_PSK_WITH_ARIA_256_GCM_SHA384",
279 "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",
280 "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",
281 "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",
282 "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",
283 "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
284 "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
285 "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
286 "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
287 "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
288 "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
289 "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
290 "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
291 "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
292 "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
293 "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
294 "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
295 "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",
296 "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",
297 "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256",
298 "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384",
299 "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
300 "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
301 "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
302 "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
303 "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",
304 "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",
305 "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",
306 "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",
307 "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",
308 "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",
309 "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
310 "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
311 "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",
312 "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",
313 "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
314 "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
315 "TLS_RSA_WITH_AES_128_CCM",
316 "TLS_RSA_WITH_AES_256_CCM",
317 "TLS_RSA_WITH_AES_128_CCM_8",
318 "TLS_RSA_WITH_AES_256_CCM_8",
319 "TLS_PSK_WITH_AES_128_CCM",
320 "TLS_PSK_WITH_AES_256_CCM",
321 "TLS_PSK_WITH_AES_128_CCM_8",
322 "TLS_PSK_WITH_AES_256_CCM_8"
323 )));
324
325 public static boolean isH2Blacklisted(final String cipherSuite) {
326 return H2_BLACKLISTED.contains(cipherSuite);
327 }
328
329 private static final String WEAK_KEY_EXCHANGES
330 = "^(TLS|SSL)_(NULL|ECDH_anon|DH_anon|DH_anon_EXPORT|DHE_RSA_EXPORT|DHE_DSS_EXPORT|"
331 + "DSS_EXPORT|DH_DSS_EXPORT|DH_RSA_EXPORT|RSA_EXPORT|KRB5_EXPORT)_(.*)";
332 private static final String WEAK_CIPHERS
333 = "^(TLS|SSL)_(.*)_WITH_(NULL|DES_CBC|DES40_CBC|DES_CBC_40|3DES_EDE_CBC|RC4_128|RC4_40|RC2_CBC_40)_(.*)";
334
335 private static final List<Pattern> WEAK_CIPHER_SUITE_PATTERNS = Collections.unmodifiableList(Arrays.asList(
336 Pattern.compile(WEAK_KEY_EXCHANGES, Pattern.CASE_INSENSITIVE),
337 Pattern.compile(WEAK_CIPHERS, Pattern.CASE_INSENSITIVE)));
338
339 public static boolean isWeak(final String cipherSuite) {
340 for (final Pattern pattern : WEAK_CIPHER_SUITE_PATTERNS) {
341 if (pattern.matcher(cipherSuite).matches()) {
342 return true;
343 }
344 }
345 return false;
346 }
347
348 public static String[] excludeH2Blacklisted(final String... ciphers) {
349 if (ciphers == null) {
350 return null;
351 }
352 final List<String> enabledCiphers = new ArrayList<>();
353 for (final String cipher: ciphers) {
354 if (!TlsCiphers.isH2Blacklisted(cipher)) {
355 enabledCiphers.add(cipher);
356 }
357 }
358 return !enabledCiphers.isEmpty() ? enabledCiphers.toArray(new String[0]) : ciphers;
359 }
360
361 public static String[] excludeWeak(final String... ciphers) {
362 if (ciphers == null) {
363 return null;
364 }
365 final List<String> enabledCiphers = new ArrayList<>();
366 for (final String cipher: ciphers) {
367 if (!TlsCiphers.isWeak(cipher)) {
368 enabledCiphers.add(cipher);
369 }
370 }
371 return !enabledCiphers.isEmpty() ? enabledCiphers.toArray(new String[0]) : ciphers;
372 }
373
374 }