#2618 Need to add property to disable weak cipher suites for the secure indication

Security
closed-fixed
Dave Blaschke
jsr48-client
5
2013-09-19
2013-02-22
Samuel
No

The sblim client uses the cipher suites provided by the JRE during SSL connections such as secure indication with the cimom, but they may contain some weak cipher suites, which should be disabled. So a property needs to be added for the weak cipher suites defined by users; then users can disable them.

2 Attachments

Related

Bugs: #2618

Discussion

1 2 3 > >> (Page 1 of 3)
  • Dave Blaschke
    Dave Blaschke
    2013-02-23

    • assigned_to: Dave Blaschke
     
  • chen wang
    chen wang
    2013-02-25

    Dave, as we talked, a property (something like sblim.wbem.ignoreCipherSuites) is needed to filter out weak cipher so that weak ones would not be used during CIM calls or indications.

     
  • Dave Blaschke
    Dave Blaschke
    2013-02-25

    So you are asking for a property that contains a comma-separated list of cipher suites that should be filtered out of the SSLSocket.getSupportedCipherSuites() and then passed to SSLSocket.setEnabledCipherSuites(), correct?

    You can already set the list of cipher suites you want to use via https.cipherSuites for outgoing requests, would it be sufficient to add support for this property to incoming requests (indications) as well?

     
  • Dave Blaschke
    Dave Blaschke
    2013-02-25

    • status: open --> open-accepted
     
  • Samuel
    Samuel
    2013-02-25

    Yes, it's correct that I need a property to filter out some given cipher suites. And sometimes it's inconvenient to use https.cipherSuites to set the list of cipher suites we want to use, since the list is rather long and we just want to filter out a few of them. It's easier and more elegant to do the filter job if this property is added.


  • Dave Blaschke
    Dave Blaschke
    2013-02-25

    Two questions:

    1) Would you prefer to start with the supported cipher suites or enabled cipher suites? I would think the latter since that is what the JRE has enabled by default, while using the former would add quite a few more (on my Java 5 system, there are 18 enabled suites but 36 supported).

    2) Would you want the property read and cipher suites set every time a socket is initialized, or is once per WBEMClient acceptable?

     
  • Samuel
    Samuel
    2013-02-26

    1) I agree with you that we should prefer the enabled cipher suites, which is more meaningful to us.

    2) I'm not sure whether the latter could work or not, since there's no actual connection when we get a WBEMClient; no socket is created at that time. And in the current sblim code, it uses the former for the outgoing request, would it be OK for the incoming request (secure indication) to use the former?

     
  • Dave Blaschke
    Dave Blaschke
    2013-02-26

    With regard to #2, it would be more of a lazy initialization in that the property would be read in once and the desired cipher suites determined once per WBEMClient, probably during the first HttpClient initialization. In the other case, the property would be read and suites determined every time HttpClient.resetSocket is called for a new connection, which could be multiple times per HttpClient.

    The way you should look at answering the questions is, are the enabled cipher suites always going to be the same for every connection in a WBEMClient instance or not? I would think they should be.

    Something you said in answering #2 and the title of the bug lead me to another question:

    3) Is this logic just for incoming secure indications, or should the cipher suites be set for outgoing secure requests too?

     
  • Dave Blaschke
    Dave Blaschke
    2013-02-26

    Chatted with Samuel, the answer to #2 is once and the answer to #3 is both.

     
  • Dave Blaschke
    Dave Blaschke
    2013-02-26

    The proposed patch is attached. It determines the set of enabled cipher suites once per client (HttpClientPool) and once per listener (HttpServerConnection). The new property is sblim.wbem.sslCipherSuitesToDisable.

     
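The following is an added example of the filtering approach agreed in this thread (start from the JRE's enabled suites, remove the ones named in sblim.wbem.sslCipherSuitesToDisable, compute the result once, apply it to every socket). It is not the attached sblim patch; the property name comes from the thread, while the class name CipherSuiteFilter, its methods and the sample property value are assumptions for illustration. The filter fails closed if the property would leave no suite enabled, rather than silently falling back to the weak ones.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example, not the sblim patch. Reads the comma-separated
 * sblim.wbem.sslCipherSuitesToDisable property once, removes those suites
 * from the enabled list and applies the result to client or server sockets.
 * Written against Java 5 APIs, matching the JRE mentioned in the thread.
 */
public final class CipherSuiteFilter {

    /** Property name as proposed in the bug thread. */
    public static final String PROPERTY = "sblim.wbem.sslCipherSuitesToDisable";

    /** Set of suites to drop; parsed once per filter instance (once per client/listener). */
    private final Set<String> disabled;

    public CipherSuiteFilter() {
        this(System.getProperty(PROPERTY));
    }

    /** Constructor taking the raw property value, so it can be tested without System properties. */
    CipherSuiteFilter(String propertyValue) {
        this.disabled = parseDisabledSuites(propertyValue);
    }

    /** Splits the property on commas; whitespace and empty entries are ignored. */
    static Set<String> parseDisabledSuites(String value) {
        Set<String> names = new HashSet<String>();
        if (value == null) {
            return names;
        }
        for (String name : value.split(",")) {
            String trimmed = name.trim();
            if (trimmed.length() > 0) {
                names.add(trimmed);
            }
        }
        return names;
    }

    /**
     * Starts from the enabled suites (not the larger supported set) and drops
     * the disabled ones. Throws if nothing would remain, because re-enabling
     * the weak suites on a misconfigured property would defeat the purpose.
     */
    String[] filter(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String suite : enabled) {
            if (!disabled.contains(suite)) {
                keep.add(suite);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException(PROPERTY + " disables every enabled cipher suite");
        }
        return keep.toArray(new String[keep.size()]);
    }

    /** Outgoing request side (HttpClient): apply the filtered list to a client socket. */
    public void apply(SSLSocket socket) {
        socket.setEnabledCipherSuites(filter(socket.getEnabledCipherSuites()));
    }

    /** Incoming indication side (listener): apply the filtered list to a server socket. */
    public void apply(SSLServerSocket serverSocket) {
        serverSocket.setEnabledCipherSuites(filter(serverSocket.getEnabledCipherSuites()));
    }

    /** Demonstration on an unconnected socket, so it runs without a network. */
    public static void main(String[] args) throws Exception {
        // Sample property value for the demo: a well-known RC4/MD5 suite name.
        System.setProperty(PROPERTY, "SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_NULL_SHA");
        CipherSuiteFilter filter = new CipherSuiteFilter();
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        int before = socket.getEnabledCipherSuites().length;
        filter.apply(socket);
        System.out.println("enabled before: " + before
                + ", after: " + socket.getEnabledCipherSuites().length);
        System.out.println(Arrays.toString(socket.getEnabledCipherSuites()));
    }
}
```

In a client pool or listener, construct one CipherSuiteFilter and call apply() on each new socket; the property is read and parsed only when the filter is created, which matches the once-per-WBEMClient behaviour settled on above.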