From 56da53c700717d00e441e36a8d34c96a0be30969 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 27 Aug 2016 07:26:59 -0400 Subject: [PATCH] update for issue #523 - removed specific algorithm list to support differences in JDKs (ibm); just setting the protocol resolves the issue --- .../utils/SSLSocketFactoryEx.java | 100 +----------------- .../utils/URLConnectionFactory.java | 20 ++-- 2 files changed, 10 insertions(+), 110 deletions(-) diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java index 727eb24f7..64ed3ae4e 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/SSLSocketFactoryEx.java @@ -78,7 +78,7 @@ public class SSLSocketFactoryEx extends SSLSocketFactory { */ @Override public String[] getDefaultCipherSuites() { - return Arrays.copyOf(ciphers, ciphers.length); + return sslCtxt.getSocketFactory().getDefaultCipherSuites(); } /** @@ -88,7 +88,7 @@ public class SSLSocketFactoryEx extends SSLSocketFactory { */ @Override public String[] getSupportedCipherSuites() { - return Arrays.copyOf(ciphers, ciphers.length); + return sslCtxt.getSocketFactory().getSupportedCipherSuites(); } /** @@ -125,7 +125,6 @@ public class SSLSocketFactoryEx extends SSLSocketFactory { final SSLSocket ss = (SSLSocket) factory.createSocket(s, host, port, autoClose); ss.setEnabledProtocols(protocols); - ss.setEnabledCipherSuites(ciphers); return ss; } @@ -146,7 +145,6 @@ public class SSLSocketFactoryEx extends SSLSocketFactory { final SSLSocket ss = (SSLSocket) factory.createSocket(address, port, localAddress, localPort); ss.setEnabledProtocols(protocols); - ss.setEnabledCipherSuites(ciphers); return ss; } 
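Review bot: `getDefaultCipherSuites()` (and `getSupportedCipherSuites()` in the next hunk) now hand back whatever the JDK's own factory reports, so this class no longer constrains cipher suites at all, only protocols, and nothing in the hunk documents that shift. If the running JDK's default list contains suites the removed preferred list deliberately omitted, the set this client will negotiate is wider after this commit; that is presumably acceptable for the IBM-JDK use case named in the subject, but it should be stated. A method Javadoc such as `/** Returns the underlying JDK factory's default cipher suites; this class restricts only the enabled protocols, not the suites. */` would make the contract explicit, and logging `ss.getEnabledCipherSuites()` at debug level in the `createSocket` overrides would let operators see what is actually being offered. The class-level Javadoc that describes this factory is outside the hunk and likely still refers to the old hardened cipher selection.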
@@ -167,7 +165,6 @@ public class SSLSocketFactoryEx extends SSLSocketFactory { final SSLSocket ss = (SSLSocket) factory.createSocket(host, port, localHost, localPort); ss.setEnabledProtocols(protocols); - ss.setEnabledCipherSuites(ciphers); return ss; } @@ -186,7 +183,6 @@ public class SSLSocketFactoryEx extends SSLSocketFactory { final SSLSocket ss = (SSLSocket) factory.createSocket(host, port); ss.setEnabledProtocols(protocols); - ss.setEnabledCipherSuites(ciphers); return ss; } @@ -205,7 +201,6 @@ public class SSLSocketFactoryEx extends SSLSocketFactory { final SSLSocket ss = (SSLSocket) factory.createSocket(host, port); ss.setEnabledProtocols(protocols); - ss.setEnabledCipherSuites(ciphers); return ss; } @@ -226,7 +221,6 @@ public class SSLSocketFactoryEx extends SSLSocketFactory { sslCtxt.init(km, tm, random); protocols = getProtocolList(); - ciphers = getCipherList(); } /** @@ -240,9 +234,7 @@ public class SSLSocketFactoryEx extends SSLSocketFactory { private void initSSLSocketFactoryEx(SSLContext ctx) throws NoSuchAlgorithmException, KeyManagementException { sslCtxt = ctx; - protocols = getProtocolList(); - ciphers = getCipherList(); } /** 
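Review bot: In the `-240,9 +234,7` hunk `initSSLSocketFactoryEx(SSLContext ctx)` loses `protocols = getProtocolList();` along with the ciphers line, so an instance initialised through that path never assigns `protocols`, while the other init path in the `-226` hunk still does. Every `createSocket` override in this file then calls `ss.setEnabledProtocols(protocols)` with `null`, which `SSLSocket.setEnabledProtocols` rejects with an `IllegalArgumentException` rather than silently keeping the defaults. Unless a constructor outside the hunk assigns `protocols` before use, the body should remain `sslCtxt = ctx;` followed by `protocols = getProtocolList();`, dropping only the ciphers line. The constructors that call `initSSLSocketFactoryEx` are not visible in this hunk.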
@@ -286,98 +278,10 @@ public class SSLSocketFactoryEx extends SSLSocketFactory { return aa.toArray(new String[0]); } - /** - * Returns the cipher list. - * - * @return the cipher list - */ - protected String[] getCipherList() { - final String[] preferredCiphers = { - // *_CHACHA20_POLY1305 are 3x to 4x faster than existing cipher suites. - // http://googleonlinesecurity.blogspot.com/2014/04/speeding-up-and-strengthening-https.html - // Use them if available. Normative names can be found at (TLS spec depends on IPSec spec): - // http://tools.ietf.org/html/draft-nir-ipsecme-chacha20-poly1305-01 - // http://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls-02 - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA", - "TLS_ECDHE_RSA_WITH_CHACHA20_SHA", - "TLS_DHE_RSA_WITH_CHACHA20_POLY1305", - "TLS_RSA_WITH_CHACHA20_POLY1305", - "TLS_DHE_RSA_WITH_CHACHA20_SHA", - "TLS_RSA_WITH_CHACHA20_SHA", - // Done with bleeding edge, back to TLS v1.2 and below - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", - // TLS v1.0 (with some SSLv3 interop) - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA384", - "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - "SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA", - // RSA key transport sucks, but they are needed as a fallback. - // For example, microsoft.com fails under all versions of TLS - // if they are not included. If only TLS 1.0 is available at - // the client, then google.com will fail too. 
TLS v1.3 is - // trying to deprecate them, so it will be interesteng to see - // what happens. - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - }; - - String[] availableCiphers; - - try { - final SSLSocketFactory factory = sslCtxt.getSocketFactory(); - availableCiphers = factory.getSupportedCipherSuites(); - Arrays.sort(availableCiphers); - } catch (Exception e) { - LOGGER.debug("Error retrieving ciphers", e); - return new String[]{ - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA256", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA256", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", - }; - } - - final List aa = new ArrayList(); - for (String preferredCipher : preferredCiphers) { - final int idx = Arrays.binarySearch(availableCiphers, preferredCipher); - if (idx >= 0) { - aa.add(preferredCipher); - } - } - - aa.add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV"); - - return aa.toArray(new String[0]); - } - /** * The SSL context. */ private SSLContext sslCtxt; - /** - * The cipher suites. - */ - private String[] ciphers; /** * The protocols. */ diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java index 8a50a33cc..ebba4f536 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java 
@@ -31,8 +31,6 @@ import java.net.URL;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import javax.net.ssl.HttpsURLConnection;
-import org.apache.commons.lang3.JavaVersion;
-import org.apache.commons.lang3.SystemUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -191,16 +189,14 @@ public final class URLConnectionFactory {
 * @param conn the connection
 */
 private static void configureTLS(URL url, HttpURLConnection conn) {
- if ("https".equals(url.getProtocol()) && !SystemUtils.isJavaVersionAtLeast(JavaVersion.JAVA_1_8)) {
- try {
- final HttpsURLConnection secCon = (HttpsURLConnection) conn;
- final SSLSocketFactoryEx factory = new SSLSocketFactoryEx();
- secCon.setSSLSocketFactory(factory);
- } catch (NoSuchAlgorithmException ex) {
- LOGGER.debug("Unsupported algorithm in SSLSocketFactoryEx", ex);
- } catch (KeyManagementException ex) {
- LOGGER.debug("Key mnagement eception in SSLSocketFactoryEx", ex);
- }
+ try {
+ final HttpsURLConnection secCon = (HttpsURLConnection) conn;
+ final SSLSocketFactoryEx factory = new SSLSocketFactoryEx();
+ secCon.setSSLSocketFactory(factory);
+ } catch (NoSuchAlgorithmException ex) {
+ LOGGER.debug("Unsupported algorithm in SSLSocketFactoryEx", ex);
+ } catch (KeyManagementException ex) {
+ LOGGER.debug("Key mnagement eception in SSLSocketFactoryEx", ex);
 }
 }
 }
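Review bot: The removed condition carried the `"https".equals(url.getProtocol())` test as well as the Java-version test, so the new `configureTLS` casts `conn` to `HttpsURLConnection` unconditionally and leaves `url` unused; for a plain-http URL that cast throws `ClassCastException`, which neither catch clause handles. Unless the caller (outside the hunk) only invokes this for https connections, restore the protocol guard before the try: `if (!"https".equals(url.getProtocol())) {`, `    return;`, `}`. Separately, logging a failure to install the hardened factory at debug means the connection silently falls back to the JDK default `SSLSocketFactory`, which an operator relying on this class for TLS hardening would want surfaced at warn; the message `"Key mnagement eception in SSLSocketFactoryEx"` should also read `"Key management exception in SSLSocketFactoryEx"`.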