28 package org.apache.hc.core5.http.ssl;
29
30 import org.junit.jupiter.api.Assertions;
31 import org.junit.jupiter.api.Test;
32
33
34
35
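/**
 * Unit tests for {@link TlsCiphers}: the weak-cipher predicate and the two
 * filtering helpers that strip unwanted suites from a candidate list.
 *
 * <p>Every per-suite assertion carries the suite name as its failure message,
 * so a regression in the filter names the suite that slipped through.
 */
public class TestTlsCiphers {

    /**
     * Suites that {@link TlsCiphers#isWeak(String)} must not flag.
     *
     * <p>"Not weak" only means the filter does not reject them. The list still
     * contains CBC-mode suites, SHA-1 MACs and static-RSA key exchange (no
     * forward secrecy), so it is not a recommended server or client
     * configuration.
     */
    private static final String[] STRONG_CIPHER_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_GCM_SHA384"
    };

    /**
     * Suites that {@link TlsCiphers#isWeak(String)} must flag: RC4, 3DES,
     * 40-bit DES/RC2/RC4, NULL encryption, anonymous key exchange and
     * EXPORT-grade suites.
     */
    private static final String[] WEAK_CIPHER_SUITES = {
        "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_RSA_WITH_NULL_SHA",
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_NULL_SHA256",
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
        "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
        "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"
    };

    /** Checks that none of the known-acceptable suites is reported as weak. */
    @Test
    public void testStrongCipherSuites() {
        for (final String cipherSuite : STRONG_CIPHER_SUITES) {
            Assertions.assertFalse(TlsCiphers.isWeak(cipherSuite), cipherSuite);
        }
    }

    /** Checks that every known-broken suite is reported as weak. */
    @Test
    public void testWeakCiphersDisabledByDefault() {
        for (final String cipherSuite : WEAK_CIPHER_SUITES) {
            Assertions.assertTrue(TlsCiphers.isWeak(cipherSuite), cipherSuite);
        }
    }

    /**
     * Checks that {@link TlsCiphers#excludeH2Blacklisted(String...)} leaves no
     * HTTP/2-blacklisted suite in its result.
     *
     * <p>The result is checked against the HTTP/2 blacklist itself as well as
     * the weak-cipher predicate. A suite can be acceptable for TLS in general
     * yet still forbidden for HTTP/2, so the weak check alone would not detect
     * a blacklisted suite that survived filtering.
     */
    @Test
    void excludeH2Blacklisted() {
        // NOTE(review): "AES_SHA_US" and "NULL_SHA" are not standard suite names;
        // presumably they stand in for unknown names - confirm the intent.
        final String[] mixCipherSuites = {
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
            "AES_SHA_US",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "NULL_SHA",
            "TLS_RSA_WITH_AES_256_GCM_SHA384"
        };

        final String[] filteredCipherSuites = TlsCiphers.excludeH2Blacklisted(mixCipherSuites);
        Assertions.assertNotNull(filteredCipherSuites);
        // Guard against a vacuous pass: an empty result would skip the loop below.
        Assertions.assertTrue(filteredCipherSuites.length > 0, "filter returned no cipher suites");
        for (final String cipherSuite : filteredCipherSuites) {
            Assertions.assertFalse(TlsCiphers.isH2Blacklisted(cipherSuite), cipherSuite);
            Assertions.assertFalse(TlsCiphers.isWeak(cipherSuite), cipherSuite);
        }
    }

    /**
     * Checks that {@link TlsCiphers#excludeWeak(String...)} removes every weak
     * suite from a list that mixes weak and acceptable suites.
     */
    @Test
    void excludeWeak() {
        // Build a fresh array so the shared constants are never handed to the code under test.
        final String[] mixedCipherSuites =
                new String[WEAK_CIPHER_SUITES.length + STRONG_CIPHER_SUITES.length];
        System.arraycopy(WEAK_CIPHER_SUITES, 0, mixedCipherSuites, 0, WEAK_CIPHER_SUITES.length);
        System.arraycopy(STRONG_CIPHER_SUITES, 0, mixedCipherSuites,
                WEAK_CIPHER_SUITES.length, STRONG_CIPHER_SUITES.length);

        final String[] filteredCipherSuites = TlsCiphers.excludeWeak(mixedCipherSuites);
        Assertions.assertNotNull(filteredCipherSuites);
        // Guard against a vacuous pass: an empty result would skip the loop below.
        Assertions.assertTrue(filteredCipherSuites.length > 0, "filter returned no cipher suites");
        for (final String cipherSuite : filteredCipherSuites) {
            Assertions.assertFalse(TlsCiphers.isWeak(cipherSuite), cipherSuite);
        }
    }

    /** Checks that a {@code null} suite list is passed through as {@code null}. */
    @Test
    void excludeWeakNull() {
        Assertions.assertNull(TlsCiphers.excludeWeak((String[]) null));
    }

}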