external-software/github_OpenIdentityPlatform_OpenDJ.git

parent: 3445386f | patch | commit | ignore whitespace

OPENDJ-816 (CR-1460) ssf bug in ACI evaluation?

Jean-Noel Rouvignac

25.53.2013 2536ac98e00057c9acc6e2c2be4109a93eaa6efc

OPENDJ-816 (CR-1460) ssf bug in ACI evaluation?

TLSByteChannel.java:
Extracted static method getSSF() to allow testing.
Modified CIPHER_MAP: added WITH_ARIA_256, WITH_ARIA_128
+ removed the modes of operation CBC and GCM at the end of some cipher names
+ removed subsequent duplicates, sorted by SSF size descending (moved WITH_3DES_EDE)
+ fixed overlapping bug with WITH_DES and WITH_DES_CBC_40.

TLSByteChannelTestCase.java: ADDED

1 files added

1 files modified

	opendj-sdk/opends/src/server/org/opends/server/extensions/TLSByteChannel.java	102 ●●●●● patch \| view \| raw \| blame \| history
	opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/TLSByteChannelTestCase.java	544 ●●●●● patch \| view \| raw \| blame \| history

 opendj-sdk/opends/src/server/org/opends/server/extensions/TLSByteChannel.java

@@ -23,25 +23,29 @@
 *
 *
 *      Copyright 2008-2009 Sun Microsystems, Inc.
 *      Portions copyright 2012 ForgeRock AS.
 *      Portions copyright 2012-2013 ForgeRock AS
 */
package org.opends.server.extensions;



import static org.opends.server.loggers.debug.DebugLogger.debugEnabled;
import static org.opends.server.loggers.debug.DebugLogger.getTracer;
import static org.opends.server.loggers.debug.DebugLogger.*;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.ByteChannel;
import java.nio.channels.ClosedChannelException;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.net.ssl.*;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.types.DebugLogLevel;
@@ -62,6 +66,7 @@
    /**
     * {@inheritDoc}
     */
    @Override
    public void close() throws IOException
    {
      synchronized (readLock)
@@ -114,6 +119,7 @@
    /**
     * {@inheritDoc}
     */
    @Override
    public boolean isOpen()
    {
      return !sslEngine.isOutboundDone() || !sslEngine.isInboundDone();
@@ -124,6 +130,7 @@
    /**
     * {@inheritDoc}
     */
    @Override
    public int read(final ByteBuffer unwrappedData) throws IOException
    {
      synchronized (readLock)
@@ -165,6 +172,7 @@
    /**
     * {@inheritDoc}
     */
    @Override
    public int write(final ByteBuffer unwrappedData) throws IOException
    {
      // This method will block until the entire message is sent.
@@ -405,30 +413,37 @@



  // Map of cipher phrases to effective key size (bits). Taken from the
  // following RFCs: 5289, 4346, 3268,4132 and 4162.
  private static final Map<String, Integer> CIPHER_MAP;
  /**
   * Map of cipher phrases to effective key size (bits). Taken from the
   * following RFCs: 5289, 4346, 3268,4132 and 4162.
   *
   * @see <a
   *      href="http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-3">Transport
   *      Layer Security (TLS) Parameters, TLS Cipher Suite Registry</a>
   */
  static final Map<String, Integer> CIPHER_MAP;
  static
  {
    CIPHER_MAP = new LinkedHashMap<String, Integer>();
    CIPHER_MAP.put("_WITH_AES_256_CBC_", new Integer(256));
    CIPHER_MAP.put("_WITH_CAMELLIA_256_CBC_", new Integer(256));
    CIPHER_MAP.put("_WITH_AES_256_GCM_", new Integer(256));
    CIPHER_MAP.put("_WITH_3DES_EDE_CBC_", new Integer(112));
    CIPHER_MAP.put("_WITH_AES_128_GCM_", new Integer(128));
    CIPHER_MAP.put("_WITH_SEED_CBC_", new Integer(128));
    CIPHER_MAP.put("_WITH_CAMELLIA_128_CBC_", new Integer(128));
    CIPHER_MAP.put("_WITH_AES_128_CBC_", new Integer(128));
    CIPHER_MAP.put("_WITH_IDEA_CBC_", new Integer(128));
    CIPHER_MAP.put("_WITH_RC4_128_", new Integer(128));
    CIPHER_MAP.put("_WITH_FORTEZZA_CBC_", new Integer(96));
    CIPHER_MAP.put("_WITH_DES_CBC_", new Integer(56));
    CIPHER_MAP.put("_WITH_RC4_56_", new Integer(56));
    CIPHER_MAP.put("_WITH_DES_CBC_40_", new Integer(40));
    CIPHER_MAP.put("_WITH_RC2_CBC_40_", new Integer(40));
    CIPHER_MAP.put("_WITH_RC4_40_", new Integer(40));
    CIPHER_MAP.put("_WITH_DES40_CBC_", new Integer(40));
    CIPHER_MAP.put("_WITH_NULL_", new Integer(0));
    final Map<String, Integer> map = new LinkedHashMap<String, Integer>();
    map.put("_WITH_AES_256_", 256);
    map.put("_WITH_ARIA_256_", 256);
    map.put("_WITH_CAMELLIA_256_", 256);
    map.put("_WITH_AES_128_", 128);
    map.put("_WITH_ARIA_128_", 128);
    map.put("_WITH_SEED_", 128);
    map.put("_WITH_CAMELLIA_128_", 128);
    map.put("_WITH_IDEA_", 128);
    map.put("_WITH_RC4_128_", 128);
    map.put("_WITH_3DES_EDE_", 112);
    map.put("_WITH_FORTEZZA_", 96);
    map.put("_WITH_RC4_56_", 56);
    map.put("_WITH_DES_CBC_40_", 40);
    map.put("_WITH_RC2_CBC_40_", 40);
    map.put("_WITH_RC4_40_", 40);
    map.put("_WITH_DES40_", 40);
    map.put("_WITH_DES_", 56);
    map.put("_WITH_NULL_", 0);
    CIPHER_MAP = Collections.unmodifiableMap(map);
  }

  private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocate(0);
@@ -485,6 +500,7 @@
  /**
   * {@inheritDoc}
   */
  @Override
  public ByteChannel getChannel()
  {
    return pimpl;
@@ -495,6 +511,7 @@
  /**
   * {@inheritDoc}
   */
  @Override
  public Certificate[] getClientCertificateChain()
  {
    try
@@ -516,6 +533,7 @@
  /**
   * {@inheritDoc}
   */
  @Override
  public String getName()
  {
    return "TLS";
@@ -526,24 +544,44 @@
  /**
   * {@inheritDoc}
   */
  @Override
  public int getSSF()
  {
    final String cipherString = sslEngine.getSession().getCipherSuite();
    for (final Map.Entry<String, Integer> mapEntry : CIPHER_MAP.entrySet())
    final Integer ssf = getSSF(sslEngine.getSession().getCipherSuite());
    if (ssf != null)
    {
      if (cipherString.indexOf(mapEntry.getKey()) >= 0)
      {
        return mapEntry.getValue().intValue();
      }
      return ssf.intValue();
    }
    return 0;
  }

  /**
   * Returns the Security Strength Factor corresponding to the supplied cipher
   * string.
   *
   * @param cipherString
   *          the cipher to test for SSF
   * @return the Security Strength Factor corresponding to the supplied cipher
   *         string, null if the cipher cannot be recognized.
   */
  static Integer getSSF(final String cipherString)
  {
    for (final Map.Entry<String, Integer> mapEntry : CIPHER_MAP.entrySet())
    {
      if (cipherString.contains(mapEntry.getKey()))
      {
        return mapEntry.getValue();
      }
    }
    return null;
  }



  /**
   * {@inheritDoc}
   */
  @Override
  public boolean isSecure()
  {
    return true;

 opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/extensions/TLSByteChannelTestCase.java

New file
@@ -0,0 +1,544 @@
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Copyright 2012-2013 ForgeRock AS
 */
package org.opends.server.extensions;

import static org.testng.Assert.*;

import java.io.BufferedInputStream;
import java.net.URL;
import java.net.URLConnection;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.ListIterator;
import java.util.Set;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;

import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

import com.forgerock.opendj.util.StaticUtils;

@Test(groups = { "slow" })
public class TLSByteChannelTestCase
{

  /**
   * Cipher suite hardcoded from the IANA registry on internet
   */
  static final String[][] HARDCODED_CIPHER_SUITE = new String[][] {
        { "TLS_NULL_WITH_NULL_NULL" },
        { "TLS_RSA_WITH_NULL_MD5" },
        { "TLS_RSA_WITH_NULL_SHA" },
        { "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
        { "TLS_RSA_WITH_RC4_128_MD5" },
        { "TLS_RSA_WITH_RC4_128_SHA" },
        { "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
        { "TLS_RSA_WITH_IDEA_CBC_SHA" },
        { "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
        { "TLS_RSA_WITH_DES_CBC_SHA" },
        { "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
        { "TLS_DH_DSS_WITH_DES_CBC_SHA" },
        { "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
        { "TLS_DH_RSA_WITH_DES_CBC_SHA" },
        { "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
        { "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
        { "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
        { "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
        { "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
        { "TLS_DH_anon_WITH_RC4_128_MD5" },
        { "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
        { "TLS_DH_anon_WITH_DES_CBC_SHA" },
        { "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_KRB5_WITH_DES_CBC_SHA" },
        { "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_KRB5_WITH_RC4_128_SHA" },
        { "TLS_KRB5_WITH_IDEA_CBC_SHA" },
        { "TLS_KRB5_WITH_DES_CBC_MD5" },
        { "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
        { "TLS_KRB5_WITH_RC4_128_MD5" },
        { "TLS_KRB5_WITH_IDEA_CBC_MD5" },
        { "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
        { "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
        { "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
        { "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
        { "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
        { "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
        { "TLS_PSK_WITH_NULL_SHA" },
        { "TLS_DHE_PSK_WITH_NULL_SHA" },
        { "TLS_RSA_PSK_WITH_NULL_SHA" },
        { "TLS_RSA_WITH_AES_128_CBC_SHA" },
        { "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
        { "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
        { "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
        { "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
        { "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
        { "TLS_RSA_WITH_AES_256_CBC_SHA" },
        { "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
        { "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
        { "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
        { "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
        { "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
        { "TLS_RSA_WITH_NULL_SHA256" },
        { "TLS_RSA_WITH_AES_128_CBC_SHA256" },
        { "TLS_RSA_WITH_AES_256_CBC_SHA256" },
        { "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
        { "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
        { "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
        { "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
        { "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
        { "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
        { "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
        { "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
        { "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
        { "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
        { "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
        { "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
        { "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
        { "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
        { "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
        { "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
        { "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
        { "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
        { "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
        { "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
        { "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
        { "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
        { "TLS_PSK_WITH_RC4_128_SHA" },
        { "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_PSK_WITH_AES_128_CBC_SHA" },
        { "TLS_PSK_WITH_AES_256_CBC_SHA" },
        { "TLS_DHE_PSK_WITH_RC4_128_SHA" },
        { "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
        { "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
        { "TLS_RSA_PSK_WITH_RC4_128_SHA" },
        { "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
        { "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
        { "TLS_RSA_WITH_SEED_CBC_SHA" },
        { "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
        { "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
        { "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
        { "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
        { "TLS_DH_anon_WITH_SEED_CBC_SHA" },
        { "TLS_RSA_WITH_AES_128_GCM_SHA256" },
        { "TLS_RSA_WITH_AES_256_GCM_SHA384" },
        { "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
        { "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
        { "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
        { "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
        { "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
        { "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
        { "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
        { "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
        { "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
        { "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
        { "TLS_PSK_WITH_AES_128_GCM_SHA256" },
        { "TLS_PSK_WITH_AES_256_GCM_SHA384" },
        { "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
        { "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
        { "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
        { "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
        { "TLS_PSK_WITH_AES_128_CBC_SHA256" },
        { "TLS_PSK_WITH_AES_256_CBC_SHA384" },
        { "TLS_PSK_WITH_NULL_SHA256" },
        { "TLS_PSK_WITH_NULL_SHA384" },
        { "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
        { "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
        { "TLS_DHE_PSK_WITH_NULL_SHA256" },
        { "TLS_DHE_PSK_WITH_NULL_SHA384" },
        { "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
        { "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
        { "TLS_RSA_PSK_WITH_NULL_SHA256" },
        { "TLS_RSA_PSK_WITH_NULL_SHA384" },
        { "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
        { "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
        { "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
        { "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
        { "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
        { "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
        { "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
        { "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
        { "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
        { "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
        { "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
        { "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
        { "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
        { "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
        { "TLS_ECDH_RSA_WITH_NULL_SHA" },
        { "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
        { "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
        { "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
        { "TLS_ECDHE_RSA_WITH_NULL_SHA" },
        { "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
        { "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
        { "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
        { "TLS_ECDH_anon_WITH_NULL_SHA" },
        { "TLS_ECDH_anon_WITH_RC4_128_SHA" },
        { "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
        { "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
        { "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
        { "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
        { "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
        { "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
        { "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
        { "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
        { "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
        { "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
        { "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
        { "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
        { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
        { "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
        { "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
        { "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
        { "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
        { "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
        { "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
        { "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
        { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
        { "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
        { "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
        { "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
        { "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
        { "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
        { "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
        { "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
        { "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
        { "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
        { "TLS_ECDHE_PSK_WITH_NULL_SHA" },
        { "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
        { "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
        { "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
        { "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
        { "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
        { "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
        { "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
        { "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
        { "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
        { "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
        { "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
        { "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
        { "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
        { "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
        { "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
        { "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
        { "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
        { "TLS_RSA_WITH_AES_128_CCM" },
        { "TLS_RSA_WITH_AES_256_CCM" },
        { "TLS_DHE_RSA_WITH_AES_128_CCM" },
        { "TLS_DHE_RSA_WITH_AES_256_CCM" },
        { "TLS_RSA_WITH_AES_128_CCM_8" },
        { "TLS_RSA_WITH_AES_256_CCM_8" },
        { "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
        { "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
        { "TLS_PSK_WITH_AES_128_CCM" },
        { "TLS_PSK_WITH_AES_256_CCM" },
        { "TLS_DHE_PSK_WITH_AES_128_CCM" },
        { "TLS_DHE_PSK_WITH_AES_256_CCM" },
        { "TLS_PSK_WITH_AES_128_CCM_8" },
        { "TLS_PSK_WITH_AES_256_CCM_8" },
        { "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
        { "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
        };

  /**
   * Retrieves the IANA TLS Cipher Suites Registry from internet.
   *
   * @return the IANA TLS Cipher Suites Registry
   */
  private String[][] retrieveIanaTlsCipherSuitesRegistryFromInternet()
      throws Exception
  {
    String url =
        "http://www.iana.org/assignments/tls-parameters/tls-parameters.xml";
    URLConnection conn = new URL(url).openConnection();
    BufferedInputStream bis = new BufferedInputStream(conn.getInputStream());

    try
    {
      // JAXP boilerplate
      DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
      DocumentBuilder builder = dbFactory.newDocumentBuilder();
      Document doc = builder.parse(bis);
      XPathFactory xpathFactory = XPathFactory.newInstance();
      XPath xpath = xpathFactory.newXPath();

      // Collect cipher suite
      String xPathExpr =
          "//registry[@id='tls-parameters-4']/record/description/text()";
      List<String> realCiphers = retrieveRealCiphers(doc, xpath, xPathExpr);
      return toDataProviderResult(realCiphers);
    }
    finally
    {
      StaticUtils.closeSilently(bis);
    }
  }

  private String[][] toDataProviderResult(List<String> realCiphers)
  {
    String[][] results = new String[realCiphers.size()][1];
    for (ListIterator<String> iter = realCiphers.listIterator(); iter.hasNext();)
    {
      final String cipherString = iter.next();
      int i = iter.nextIndex();
      results[i][0] = cipherString;
    }
    return results;
  }

  private List<String> retrieveRealCiphers(Document doc, XPath xpath,
      String xPathExpr) throws XPathExpressionException
  {
    NodeList nodes =
        (NodeList) xpath.evaluate(xPathExpr, doc, XPathConstants.NODESET);
    List<String> cipherStrings = new ArrayList<String>(nodes.getLength());
    for (int i = 0; i < nodes.getLength(); i++)
    {
      String cipherString = nodes.item(i).getNodeValue();
      // ignore things like "unknown", "reserved", etc.
      // also ignore the TLS Secure Renegotiation protocol message
      if (cipherString.startsWith("TLS_")
          && !"TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipherString))
      {
        cipherStrings.add(cipherString);
      }
    }
    return cipherStrings;
  }

  @DataProvider(name = "ianaTlsCipherSuitesRegistry")
  public String[][] getIanaTlsCipherSuitesRegistry() throws Exception
  {
    try
    {
      return retrieveIanaTlsCipherSuitesRegistryFromInternet();
    }
    catch (Exception e)
    {
      // we could not get access to the internet registry,
      // return the hardcoded registry
      return HARDCODED_CIPHER_SUITE;
    }
  }

  /**
   * Checks that all the IANA registered ciphers are supported by
   * {@link TLSByteChannel#getSSF()}.
   *
   * @param cipherString
   *          cipher to be tested
   */
  @Test(dataProvider = "ianaTlsCipherSuitesRegistry")
  public void getSsfForIanaRegistryCipherSuites(String cipherString)
  {
    assertNotNull(TLSByteChannel.getSSF(cipherString));
  }

  /**
   * Checks that the IANA cipher suite registry on internet and the hardcoded
   * cipher suite in this class have not diverged.
   */
  @Test
  public void compareInternetAndHardcodedRegistry() throws Exception
  {
    Set<String> internetCiphers = toSet(getIanaTlsCipherSuitesRegistry());
    Set<String> hardcodedCiphers = toSet(HARDCODED_CIPHER_SUITE);
    assertEquals(internetCiphers, hardcodedCiphers);
  }

  private Set<String> toSet(String[][] data)
  {
    Set<String> set = new HashSet<String>();
    for (String[] array : data)
    {
      for (String s : array)
      {
        set.add(s);
      }
    }
    return set;
  }

  /**
   * Ensures that there is no overlapping in the DES ciphers strings and that
   * the expected Security Strength Factor are returned.
   */
  @Test
  public void checkDesSSFAreAsExpected()
  {
    assertEquals((Integer) 56, TLSByteChannel
        .getSSF("TLS_KRB5_WITH_DES_CBC_SHA"));
    assertEquals((Integer) 40, TLSByteChannel
        .getSSF("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"));
  }

  /**
   * Ensures that no new overlapping cipher strings are added to the cipher map.
   */
  @Test
  public void checkNoUnknownOverlappingCiphers()
  {
    List<String> ciphers = new ArrayList(TLSByteChannel.CIPHER_MAP.keySet());
    for (int i = 0; i < ciphers.size(); i++)
    {
      for (int j = 0; j < i; j++)
      {
        String s1 = ciphers.get(i);
        String s2 = ciphers.get(j);
        if (s1.contains(s2) || s2.contains(s1))
        {
          if (not(s1, s2, "_WITH_DES_", "_WITH_DES_CBC_40_"))
          {
            fail("Overlapping cipher strings" + s1 + "\t" + s2);
          }
        }
      }
    }
  }

  /**
   * Ensure the set (cipher1, cipher2) is different from the set (match1,
   * match2).
   */
  private boolean not(String cipher1, String cipher2, String match1,
      String match2)
  {
    return (!cipher1.equals(match1) || !cipher2.equals(match2))
        && (!cipher2.equals(match1) || !cipher1.equals(match2));
  }

}

			@@ -23,25 +23,29 @@
			*
			*
			* Copyright 2008-2009 Sun Microsystems, Inc.
			* Portions copyright 2012 ForgeRock AS.
			* Portions copyright 2012-2013 ForgeRock AS
			*/
			package org.opends.server.extensions;



			import static org.opends.server.loggers.debug.DebugLogger.debugEnabled;
			import static org.opends.server.loggers.debug.DebugLogger.getTracer;
			import static org.opends.server.loggers.debug.DebugLogger.*;

			import java.io.IOException;
			import java.nio.ByteBuffer;
			import java.nio.channels.ByteChannel;
			import java.nio.channels.ClosedChannelException;
			import java.security.cert.Certificate;
			import java.util.Collections;
			import java.util.LinkedHashMap;
			import java.util.Map;

			import javax.net.ssl.*;
			import javax.net.ssl.SSLEngine;
			import javax.net.ssl.SSLEngineResult;
			import javax.net.ssl.SSLEngineResult.HandshakeStatus;
			import javax.net.ssl.SSLException;
			import javax.net.ssl.SSLPeerUnverifiedException;
			import javax.net.ssl.SSLSession;

			import org.opends.server.loggers.debug.DebugTracer;
			import org.opends.server.types.DebugLogLevel;
			@@ -62,6 +66,7 @@
			/**
			* {@inheritDoc}
			*/
			@Override
			public void close() throws IOException
			{
			synchronized (readLock)
			@@ -114,6 +119,7 @@
			/**
			* {@inheritDoc}
			*/
			@Override
			public boolean isOpen()
			{
			return !sslEngine.isOutboundDone() \|\| !sslEngine.isInboundDone();
			@@ -124,6 +130,7 @@
			/**
			* {@inheritDoc}
			*/
			@Override
			public int read(final ByteBuffer unwrappedData) throws IOException
			{
			synchronized (readLock)
			@@ -165,6 +172,7 @@
			/**
			* {@inheritDoc}
			*/
			@Override
			public int write(final ByteBuffer unwrappedData) throws IOException
			{
			// This method will block until the entire message is sent.
			@@ -405,30 +413,37 @@



			// Map of cipher phrases to effective key size (bits). Taken from the
			// following RFCs: 5289, 4346, 3268,4132 and 4162.
			private static final Map<String, Integer> CIPHER_MAP;
			/**
			* Map of cipher phrases to effective key size (bits). Taken from the
			* following RFCs: 5289, 4346, 3268,4132 and 4162.
			*
			* @see <a
			* href="http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-3">Transport
			* Layer Security (TLS) Parameters, TLS Cipher Suite Registry</a>
			*/
			static final Map<String, Integer> CIPHER_MAP;
			static
			{
			CIPHER_MAP = new LinkedHashMap<String, Integer>();
			CIPHER_MAP.put("_WITH_AES_256_CBC_", new Integer(256));
			CIPHER_MAP.put("_WITH_CAMELLIA_256_CBC_", new Integer(256));
			CIPHER_MAP.put("_WITH_AES_256_GCM_", new Integer(256));
			CIPHER_MAP.put("_WITH_3DES_EDE_CBC_", new Integer(112));
			CIPHER_MAP.put("_WITH_AES_128_GCM_", new Integer(128));
			CIPHER_MAP.put("_WITH_SEED_CBC_", new Integer(128));
			CIPHER_MAP.put("_WITH_CAMELLIA_128_CBC_", new Integer(128));
			CIPHER_MAP.put("_WITH_AES_128_CBC_", new Integer(128));
			CIPHER_MAP.put("_WITH_IDEA_CBC_", new Integer(128));
			CIPHER_MAP.put("_WITH_RC4_128_", new Integer(128));
			CIPHER_MAP.put("_WITH_FORTEZZA_CBC_", new Integer(96));
			CIPHER_MAP.put("_WITH_DES_CBC_", new Integer(56));
			CIPHER_MAP.put("_WITH_RC4_56_", new Integer(56));
			CIPHER_MAP.put("_WITH_DES_CBC_40_", new Integer(40));
			CIPHER_MAP.put("_WITH_RC2_CBC_40_", new Integer(40));
			CIPHER_MAP.put("_WITH_RC4_40_", new Integer(40));
			CIPHER_MAP.put("_WITH_DES40_CBC_", new Integer(40));
			CIPHER_MAP.put("_WITH_NULL_", new Integer(0));
			final Map<String, Integer> map = new LinkedHashMap<String, Integer>();
			map.put("_WITH_AES_256_", 256);
			map.put("_WITH_ARIA_256_", 256);
			map.put("_WITH_CAMELLIA_256_", 256);
			map.put("_WITH_AES_128_", 128);
			map.put("_WITH_ARIA_128_", 128);
			map.put("_WITH_SEED_", 128);
			map.put("_WITH_CAMELLIA_128_", 128);
			map.put("_WITH_IDEA_", 128);
			map.put("_WITH_RC4_128_", 128);
			map.put("_WITH_3DES_EDE_", 112);
			map.put("_WITH_FORTEZZA_", 96);
			map.put("_WITH_RC4_56_", 56);
			map.put("_WITH_DES_CBC_40_", 40);
			map.put("_WITH_RC2_CBC_40_", 40);
			map.put("_WITH_RC4_40_", 40);
			map.put("_WITH_DES40_", 40);
			map.put("_WITH_DES_", 56);
			map.put("_WITH_NULL_", 0);
			CIPHER_MAP = Collections.unmodifiableMap(map);
			}

			private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocate(0);
			@@ -485,6 +500,7 @@
			/**
			* {@inheritDoc}
			*/
			@Override
			public ByteChannel getChannel()
			{
			return pimpl;
			@@ -495,6 +511,7 @@
			/**
			* {@inheritDoc}
			*/
			@Override
			public Certificate[] getClientCertificateChain()
			{
			try
			@@ -516,6 +533,7 @@
			/**
			* {@inheritDoc}
			*/
			@Override
			public String getName()
			{
			return "TLS";
			@@ -526,24 +544,44 @@
			/**
			* {@inheritDoc}
			*/
			@Override
			public int getSSF()
			{
			final String cipherString = sslEngine.getSession().getCipherSuite();
			for (final Map.Entry<String, Integer> mapEntry : CIPHER_MAP.entrySet())
			final Integer ssf = getSSF(sslEngine.getSession().getCipherSuite());
			if (ssf != null)
			{
			if (cipherString.indexOf(mapEntry.getKey()) >= 0)
			{
			return mapEntry.getValue().intValue();
			}
			return ssf.intValue();
			}
			return 0;
			}

			/**
			* Returns the Security Strength Factor corresponding to the supplied cipher
			* string.
			*
			* @param cipherString
			* the cipher to test for SSF
			* @return the Security Strength Factor corresponding to the supplied cipher
			* string, null if the cipher cannot be recognized.
			*/
			static Integer getSSF(final String cipherString)
			{
			for (final Map.Entry<String, Integer> mapEntry : CIPHER_MAP.entrySet())
			{
			if (cipherString.contains(mapEntry.getKey()))
			{
			return mapEntry.getValue();
			}
			}
			return null;
			}



			/**
			* {@inheritDoc}
			*/
			@Override
			public boolean isSecure()
			{
			return true;

New file
			@@ -0,0 +1,544 @@
			/*
			* CDDL HEADER START
			*
			* The contents of this file are subject to the terms of the
			* Common Development and Distribution License, Version 1.0 only
			* (the "License"). You may not use this file except in compliance
			* with the License.
			*
			* You can obtain a copy of the license at
			* trunk/opends/resource/legal-notices/OpenDS.LICENSE
			* or https://OpenDS.dev.java.net/OpenDS.LICENSE.
			* See the License for the specific language governing permissions
			* and limitations under the License.
			*
			* When distributing Covered Code, include this CDDL HEADER in each
			* file and include the License file at
			* trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
			* add the following below this CDDL HEADER, with the fields enclosed
			* by brackets "[]" replaced with your own identifying information:
			* Portions Copyright [yyyy] [name of copyright owner]
			*
			* CDDL HEADER END
			*
			*
			* Copyright 2012-2013 ForgeRock AS
			*/
			package org.opends.server.extensions;

			import static org.testng.Assert.*;

			import java.io.BufferedInputStream;
			import java.net.URL;
			import java.net.URLConnection;
			import java.util.ArrayList;
			import java.util.HashSet;
			import java.util.List;
			import java.util.ListIterator;
			import java.util.Set;

			import javax.xml.parsers.DocumentBuilder;
			import javax.xml.parsers.DocumentBuilderFactory;
			import javax.xml.xpath.XPath;
			import javax.xml.xpath.XPathConstants;
			import javax.xml.xpath.XPathExpressionException;
			import javax.xml.xpath.XPathFactory;

			import org.testng.annotations.DataProvider;
			import org.testng.annotations.Test;
			import org.w3c.dom.Document;
			import org.w3c.dom.NodeList;

			import com.forgerock.opendj.util.StaticUtils;

			@Test(groups = { "slow" })
			public class TLSByteChannelTestCase
			{

			/**
			* Cipher suite hardcoded from the IANA registry on internet
			*/
			static final String[][] HARDCODED_CIPHER_SUITE = new String[][] {
			{ "TLS_NULL_WITH_NULL_NULL" },
			{ "TLS_RSA_WITH_NULL_MD5" },
			{ "TLS_RSA_WITH_NULL_SHA" },
			{ "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
			{ "TLS_RSA_WITH_RC4_128_MD5" },
			{ "TLS_RSA_WITH_RC4_128_SHA" },
			{ "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
			{ "TLS_RSA_WITH_IDEA_CBC_SHA" },
			{ "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
			{ "TLS_RSA_WITH_DES_CBC_SHA" },
			{ "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
			{ "TLS_DH_DSS_WITH_DES_CBC_SHA" },
			{ "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
			{ "TLS_DH_RSA_WITH_DES_CBC_SHA" },
			{ "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
			{ "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
			{ "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
			{ "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
			{ "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
			{ "TLS_DH_anon_WITH_RC4_128_MD5" },
			{ "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
			{ "TLS_DH_anon_WITH_DES_CBC_SHA" },
			{ "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_KRB5_WITH_DES_CBC_SHA" },
			{ "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_KRB5_WITH_RC4_128_SHA" },
			{ "TLS_KRB5_WITH_IDEA_CBC_SHA" },
			{ "TLS_KRB5_WITH_DES_CBC_MD5" },
			{ "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
			{ "TLS_KRB5_WITH_RC4_128_MD5" },
			{ "TLS_KRB5_WITH_IDEA_CBC_MD5" },
			{ "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
			{ "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
			{ "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
			{ "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
			{ "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
			{ "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
			{ "TLS_PSK_WITH_NULL_SHA" },
			{ "TLS_DHE_PSK_WITH_NULL_SHA" },
			{ "TLS_RSA_PSK_WITH_NULL_SHA" },
			{ "TLS_RSA_WITH_AES_128_CBC_SHA" },
			{ "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
			{ "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
			{ "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
			{ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
			{ "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
			{ "TLS_RSA_WITH_AES_256_CBC_SHA" },
			{ "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
			{ "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
			{ "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
			{ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
			{ "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
			{ "TLS_RSA_WITH_NULL_SHA256" },
			{ "TLS_RSA_WITH_AES_128_CBC_SHA256" },
			{ "TLS_RSA_WITH_AES_256_CBC_SHA256" },
			{ "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
			{ "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
			{ "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
			{ "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
			{ "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
			{ "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
			{ "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
			{ "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
			{ "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
			{ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
			{ "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
			{ "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
			{ "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
			{ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
			{ "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
			{ "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
			{ "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
			{ "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
			{ "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
			{ "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
			{ "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
			{ "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
			{ "TLS_PSK_WITH_RC4_128_SHA" },
			{ "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_PSK_WITH_AES_128_CBC_SHA" },
			{ "TLS_PSK_WITH_AES_256_CBC_SHA" },
			{ "TLS_DHE_PSK_WITH_RC4_128_SHA" },
			{ "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
			{ "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
			{ "TLS_RSA_PSK_WITH_RC4_128_SHA" },
			{ "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
			{ "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
			{ "TLS_RSA_WITH_SEED_CBC_SHA" },
			{ "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
			{ "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
			{ "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
			{ "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
			{ "TLS_DH_anon_WITH_SEED_CBC_SHA" },
			{ "TLS_RSA_WITH_AES_128_GCM_SHA256" },
			{ "TLS_RSA_WITH_AES_256_GCM_SHA384" },
			{ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
			{ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
			{ "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
			{ "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
			{ "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
			{ "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
			{ "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
			{ "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
			{ "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
			{ "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
			{ "TLS_PSK_WITH_AES_128_GCM_SHA256" },
			{ "TLS_PSK_WITH_AES_256_GCM_SHA384" },
			{ "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
			{ "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
			{ "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
			{ "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
			{ "TLS_PSK_WITH_AES_128_CBC_SHA256" },
			{ "TLS_PSK_WITH_AES_256_CBC_SHA384" },
			{ "TLS_PSK_WITH_NULL_SHA256" },
			{ "TLS_PSK_WITH_NULL_SHA384" },
			{ "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
			{ "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
			{ "TLS_DHE_PSK_WITH_NULL_SHA256" },
			{ "TLS_DHE_PSK_WITH_NULL_SHA384" },
			{ "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
			{ "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
			{ "TLS_RSA_PSK_WITH_NULL_SHA256" },
			{ "TLS_RSA_PSK_WITH_NULL_SHA384" },
			{ "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
			{ "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
			{ "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
			{ "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
			{ "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
			{ "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
			{ "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
			{ "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
			{ "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
			{ "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
			{ "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
			{ "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
			{ "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
			{ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
			{ "TLS_ECDH_RSA_WITH_NULL_SHA" },
			{ "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
			{ "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
			{ "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
			{ "TLS_ECDHE_RSA_WITH_NULL_SHA" },
			{ "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
			{ "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
			{ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
			{ "TLS_ECDH_anon_WITH_NULL_SHA" },
			{ "TLS_ECDH_anon_WITH_RC4_128_SHA" },
			{ "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
			{ "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
			{ "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
			{ "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
			{ "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
			{ "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
			{ "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
			{ "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
			{ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
			{ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
			{ "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
			{ "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
			{ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
			{ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
			{ "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
			{ "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
			{ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
			{ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
			{ "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
			{ "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
			{ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
			{ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
			{ "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
			{ "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
			{ "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
			{ "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
			{ "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
			{ "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
			{ "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
			{ "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
			{ "TLS_ECDHE_PSK_WITH_NULL_SHA" },
			{ "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
			{ "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
			{ "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
			{ "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
			{ "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
			{ "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
			{ "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
			{ "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
			{ "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
			{ "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
			{ "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
			{ "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
			{ "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
			{ "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
			{ "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
			{ "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
			{ "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
			{ "TLS_RSA_WITH_AES_128_CCM" },
			{ "TLS_RSA_WITH_AES_256_CCM" },
			{ "TLS_DHE_RSA_WITH_AES_128_CCM" },
			{ "TLS_DHE_RSA_WITH_AES_256_CCM" },
			{ "TLS_RSA_WITH_AES_128_CCM_8" },
			{ "TLS_RSA_WITH_AES_256_CCM_8" },
			{ "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
			{ "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
			{ "TLS_PSK_WITH_AES_128_CCM" },
			{ "TLS_PSK_WITH_AES_256_CCM" },
			{ "TLS_DHE_PSK_WITH_AES_128_CCM" },
			{ "TLS_DHE_PSK_WITH_AES_256_CCM" },
			{ "TLS_PSK_WITH_AES_128_CCM_8" },
			{ "TLS_PSK_WITH_AES_256_CCM_8" },
			{ "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
			{ "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
			};

			/**
			* Retrieves the IANA TLS Cipher Suites Registry from internet.
			*
			* @return the IANA TLS Cipher Suites Registry
			*/
			private String[][] retrieveIanaTlsCipherSuitesRegistryFromInternet()
			throws Exception
			{
			String url =
			"http://www.iana.org/assignments/tls-parameters/tls-parameters.xml";
			URLConnection conn = new URL(url).openConnection();
			BufferedInputStream bis = new BufferedInputStream(conn.getInputStream());

			try
			{
			// JAXP boilerplate
			DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
			DocumentBuilder builder = dbFactory.newDocumentBuilder();
			Document doc = builder.parse(bis);
			XPathFactory xpathFactory = XPathFactory.newInstance();
			XPath xpath = xpathFactory.newXPath();

			// Collect cipher suite
			String xPathExpr =
			"//registry[@id='tls-parameters-4']/record/description/text()";
			List<String> realCiphers = retrieveRealCiphers(doc, xpath, xPathExpr);
			return toDataProviderResult(realCiphers);
			}
			finally
			{
			StaticUtils.closeSilently(bis);
			}
			}

			private String[][] toDataProviderResult(List<String> realCiphers)
			{
			String[][] results = new String[realCiphers.size()][1];
			for (ListIterator<String> iter = realCiphers.listIterator(); iter.hasNext();)
			{
			final String cipherString = iter.next();
			int i = iter.nextIndex();
			results[i][0] = cipherString;
			}
			return results;
			}

			private List<String> retrieveRealCiphers(Document doc, XPath xpath,
			String xPathExpr) throws XPathExpressionException
			{
			NodeList nodes =
			(NodeList) xpath.evaluate(xPathExpr, doc, XPathConstants.NODESET);
			List<String> cipherStrings = new ArrayList<String>(nodes.getLength());
			for (int i = 0; i < nodes.getLength(); i++)
			{
			String cipherString = nodes.item(i).getNodeValue();
			// ignore things like "unknown", "reserved", etc.
			// also ignore the TLS Secure Renegotiation protocol message
			if (cipherString.startsWith("TLS_")
			&& !"TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipherString))
			{
			cipherStrings.add(cipherString);
			}
			}
			return cipherStrings;
			}

			@DataProvider(name = "ianaTlsCipherSuitesRegistry")
			public String[][] getIanaTlsCipherSuitesRegistry() throws Exception
			{
			try
			{
			return retrieveIanaTlsCipherSuitesRegistryFromInternet();
			}
			catch (Exception e)
			{
			// we could not get access to the internet registry,
			// return the hardcoded registry
			return HARDCODED_CIPHER_SUITE;
			}
			}

			/**
			* Checks that all the IANA registered ciphers are supported by
			* {@link TLSByteChannel#getSSF()}.
			*
			* @param cipherString
			* cipher to be tested
			*/
			@Test(dataProvider = "ianaTlsCipherSuitesRegistry")
			public void getSsfForIanaRegistryCipherSuites(String cipherString)
			{
			assertNotNull(TLSByteChannel.getSSF(cipherString));
			}

			/**
			* Checks that the IANA cipher suite registry on internet and the hardcoded
			* cipher suite in this class have not diverged.
			*/
			@Test
			public void compareInternetAndHardcodedRegistry() throws Exception
			{
			Set<String> internetCiphers = toSet(getIanaTlsCipherSuitesRegistry());
			Set<String> hardcodedCiphers = toSet(HARDCODED_CIPHER_SUITE);
			assertEquals(internetCiphers, hardcodedCiphers);
			}

			private Set<String> toSet(String[][] data)
			{
			Set<String> set = new HashSet<String>();
			for (String[] array : data)
			{
			for (String s : array)
			{
			set.add(s);
			}
			}
			return set;
			}

			/**
			* Ensures that there is no overlapping in the DES ciphers strings and that
			* the expected Security Strength Factor are returned.
			*/
			@Test
			public void checkDesSSFAreAsExpected()
			{
			assertEquals((Integer) 56, TLSByteChannel
			.getSSF("TLS_KRB5_WITH_DES_CBC_SHA"));
			assertEquals((Integer) 40, TLSByteChannel
			.getSSF("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"));
			}

			/**
			* Ensures that no new overlapping cipher strings are added to the cipher map.
			*/
			@Test
			public void checkNoUnknownOverlappingCiphers()
			{
			List<String> ciphers = new ArrayList(TLSByteChannel.CIPHER_MAP.keySet());
			for (int i = 0; i < ciphers.size(); i++)
			{
			for (int j = 0; j < i; j++)
			{
			String s1 = ciphers.get(i);
			String s2 = ciphers.get(j);
			if (s1.contains(s2) \|\| s2.contains(s1))
			{
			if (not(s1, s2, "_WITH_DES_", "_WITH_DES_CBC_40_"))
			{
			fail("Overlapping cipher strings" + s1 + "\t" + s2);
			}
			}
			}
			}
			}

			/**
			* Ensure the set (cipher1, cipher2) is different from the set (match1,
			* match2).
			*/
			private boolean not(String cipher1, String cipher2, String match1,
			String match2)
			{
			return (!cipher1.equals(match1) \|\| !cipher2.equals(match2))
			&& (!cipher2.equals(match1) \|\| !cipher1.equals(match2));
			}

			}