1   /*
2    * ====================================================================
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *   http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing,
14   * software distributed under the License is distributed on an
15   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16   * KIND, either express or implied.  See the License for the
17   * specific language governing permissions and limitations
18   * under the License.
19   * ====================================================================
20   *
21   * This software consists of voluntary contributions made by many
22   * individuals on behalf of the Apache Software Foundation.  For more
23   * information on the Apache Software Foundation, please see
24   * <http://www.apache.org/>.
25   *
26   */
27  
28  package org.apache.hc.core5.http.ssl;
29  
30  import org.junit.jupiter.api.Assertions;
31  import org.junit.jupiter.api.Test;
32  
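/**
 * Unit tests for {@link TlsCiphers}.
 * <p>
 * Throughout this class "strong" means only "not rejected by
 * {@link TlsCiphers#isWeak(String)}". It is not an endorsement of the suite:
 * several of the names used here rely on static RSA key exchange or CBC mode
 * with SHA-1 and would be refused by stricter policies such as the HTTP/2
 * cipher requirements (RFC 7540, Appendix A).
 */
public class TestTlsCiphers {

    /**
     * Verifies that a sample of AES based suites with authenticated key
     * exchange is not classified as weak.
     */
    @Test
    public void testStrongCipherSuites() {
        final String[] strongCipherSuites = {
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                "TLS_RSA_WITH_AES_256_CBC_SHA256",
                "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_AES_256_GCM_SHA384"
        };
        for (final String cipherSuite : strongCipherSuites) {
            // The message names the offending suite so a failure is actionable.
            Assertions.assertFalse(TlsCiphers.isWeak(cipherSuite),
                    "unexpectedly classified as weak: " + cipherSuite);
        }
    }

    /**
     * Verifies that suites using RC4, 3DES, 40-bit DES or RC2, NULL encryption,
     * EXPORT grade keys or anonymous (unauthenticated) key exchange are
     * classified as weak.
     */
    @Test
    public void testWeakCiphersDisabledByDefault() {
        final String[] weakCiphersSuites = {
                "SSL_RSA_WITH_RC4_128_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_DH_anon_WITH_AES_128_CBC_SHA",
                "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
                "SSL_RSA_WITH_NULL_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
                "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
                "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
                "TLS_RSA_WITH_NULL_SHA256",
                "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
                "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
                "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"
        };
        for (final String cipherSuite : weakCiphersSuites) {
            Assertions.assertTrue(TlsCiphers.isWeak(cipherSuite),
                    "expected to be classified as weak: " + cipherSuite);
        }
    }

    /**
     * Verifies that {@link TlsCiphers#excludeH2Blacklisted(String...)} returns
     * no suite that is on the HTTP/2 blacklist.
     * <p>
     * The weak-cipher check alone cannot detect a blacklisted suite slipping
     * through, because every {@code TLS_*} name in the input is also asserted
     * as not weak in {@link #testStrongCipherSuites()}. The blacklist predicate
     * is therefore asserted as well.
     */
    @Test
    void excludeH2Blacklisted() {
        final String[] mixCipherSuites = {
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                "TLS_RSA_WITH_AES_256_CBC_SHA256",
                // NOTE(review): "AES_SHA_US" and "NULL_SHA" do not look like standard
                // JSSE suite names; presumably placeholders for entries that are
                // neither blacklisted nor weak - confirm.
                "AES_SHA_US",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "NULL_SHA",
                "TLS_RSA_WITH_AES_256_GCM_SHA384"
        };

        final String[] strongCipherSuites = TlsCiphers.excludeH2Blacklisted(mixCipherSuites);
        // Fail with a clear message instead of a NullPointerException in the loop.
        Assertions.assertNotNull(strongCipherSuites);
        for (final String cipherSuite : strongCipherSuites) {
            Assertions.assertFalse(TlsCiphers.isH2Blacklisted(cipherSuite),
                    "HTTP/2 blacklisted suite was not excluded: " + cipherSuite);
            Assertions.assertFalse(TlsCiphers.isWeak(cipherSuite),
                    "weak suite in result: " + cipherSuite);
        }
    }

    /**
     * Verifies that {@link TlsCiphers#excludeWeak(String...)} drops every weak
     * suite and keeps the suites that {@link #testStrongCipherSuites()} pins as
     * not weak.
     */
    @Test
    void excludeWeak() {
        final String[] weakCiphersSuites = {
                "SSL_RSA_WITH_RC4_128_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_DH_anon_WITH_AES_128_CBC_SHA",
                "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
                "SSL_RSA_WITH_NULL_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
                "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
                "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
                "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
                "TLS_RSA_WITH_NULL_SHA256",
                "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
                "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
                "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                "TLS_RSA_WITH_AES_256_CBC_SHA256",
                "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_AES_256_GCM_SHA384"
        };
        // The non-weak tail of the input above; these must survive the filter.
        final String[] expectedRetained = {
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                "TLS_RSA_WITH_AES_256_CBC_SHA256",
                "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_AES_256_GCM_SHA384"
        };

        final String[] strongCipherSuites = TlsCiphers.excludeWeak(weakCiphersSuites);
        // Fail with a clear message instead of a NullPointerException in the loop.
        Assertions.assertNotNull(strongCipherSuites);
        for (final String cipherSuite : strongCipherSuites) {
            Assertions.assertFalse(TlsCiphers.isWeak(cipherSuite),
                    "weak suite was not excluded: " + cipherSuite);
        }
        // Without this check a filter that dropped everything would pass the
        // loop above vacuously.
        for (final String expected : expectedRetained) {
            Assertions.assertTrue(contains(strongCipherSuites, expected),
                    "non-weak suite was dropped: " + expected);
        }
    }

    /**
     * Verifies that a {@code null} cipher array is passed through as
     * {@code null} rather than causing an exception.
     */
    @Test
    void excludeWeakNull() {
        Assertions.assertNull(TlsCiphers.excludeWeak((String[]) null));
    }

    /** Returns {@code true} if {@code values} holds an element equal to {@code wanted}. */
    private static boolean contains(final String[] values, final String wanted) {
        for (final String value : values) {
            if (wanted.equals(value)) {
                return true;
            }
        }
        return false;
    }

}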