Disable TLS_DHE_DSS_WITH_AES_128_CBC_SHA

core/java/src/net/i2p/util/I2PSSLSocketFactory.java

@@ -204,7 +204,15 @@ public class I2PSSLSocketFactory {
         "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
         "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
         "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
+        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+        // following is disabled because it is weak
+        // see e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1107787
+        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
+        // ??? "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
+        //
+        //  NOTE:
+        //  If you add anything here, please also add to installer/resources/eepsite/jetty-ssl.xml
+        //
     }));
 
     /**

installer/resources/eepsite/jetty-ssl.xml

@@ -248,6 +248,8 @@
             <Item>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</Item>
             <Item>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</Item>
             <Item>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
+            <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
+            <!-- Please keep this list in sync with the one in I2PSSLSocketFactory -->
           </Array>
         </Set>
       </New>