
#2618 Need to add property to disable weak cipher suites for the secure indication

Labels: Security
Status: closed-fixed
Group: jsr48-client
Priority: 5
Updated: 2013-09-19
Created: 2013-02-22
Creator: Samuel
Private: No

The sblim client uses the cipher suites provided by the JRE during SSL connections, such as secure indications with the CIMOM, but these may contain some weak cipher suites, which should be disabled. So a property for user-defined weak cipher suites needs to be added, so that users can disable them.

2 Attachments

Related

Bugs: #2618

Discussion

  • Dave Blaschke

    Dave Blaschke - 2013-02-23
    • assigned_to: Dave Blaschke
     
  • chen wang

    chen wang - 2013-02-25

    Dave, as we talked, a property (something like sblim.wbem.ignoreCipherSuites) is needed to filter out weak ciphers so that weak ones would not be used during CIM calls or indications.

     
  • Dave Blaschke

    Dave Blaschke - 2013-02-25

    So you are asking for a property that contains a comma-separated list of cipher suites that should be filtered out of the SSLSocket.getSupportedCipherSuites() and then passed to SSLSocket.setEnabledCipherSuites(), correct?

    You can already set the list of cipher suites you want to use via https.cipherSuites for outgoing requests; would it be sufficient to add support for this property to incoming requests (indications) as well?

     
  • Dave Blaschke

    Dave Blaschke - 2013-02-25
    • status: open --> open-accepted
     
  • Samuel

    Samuel - 2013-02-25

    Yes, it's correct that I need a property to filter out some given cipher suites. And sometimes it's inconvenient to use https.cipherSuites to set the list of cipher suites we want to use, since the list is rather long and we just want to filter out a few of them. It's easier and more elegant to do the filter job if this property is added.

     

  • Dave Blaschke

    Dave Blaschke - 2013-02-25

    Two questions:

    1) Would you prefer to start with the supported cipher suites or enabled cipher suites? I would think the latter since that is what the JRE has enabled by default, while using the former would add quite a few more (on my Java 5 system, there are 18 enabled suites but 36 supported).

    2) Would you want the property read and cipher suites set every time a socket is initialized, or is once per WBEMClient acceptable?

     
  • Samuel

    Samuel - 2013-02-26

    1) I agree with you that we should prefer the enabled cipher suites, which is more meaningful to us.

    2) I'm not sure whether the latter could work or not, since there's no actual connection when we get a WBEMClient; no socket is created at that time. And in the current sblim code, it uses the former for the outgoing request. Would it be ok for the incoming request (secure indication) to use the former?

     
  • Dave Blaschke

    Dave Blaschke - 2013-02-26

    With regard to #2, it would be more of a lazy initialization in that the property would be read in once and the desired cipher suites determined once per WBEMClient, probably during the first HttpClient initialization. In the other case, the property would be read and suites determined every time HttpClient.resetSocket is called for a new connection, which could be multiple times per HttpClient.

    The way you should look at answering the questions is, are the enabled cipher suites always going to be the same for every connection in a WBEMClient instance or not? I would think they should be.

    Something you said in answering #2 and the title of the bug led me to another question:

    3) Is this logic just for incoming secure indications, or should the cipher suites be set for outgoing secure requests too?

     
  • Dave Blaschke

    Dave Blaschke - 2013-02-26

    Chatted with Samuel; the answer to #2 is once and the answer to #3 is both.

     
  • Dave Blaschke

    Dave Blaschke - 2013-02-26

    The proposed patch is attached. It determines the set of enabled cipher suites once per client (HttpClientPool) and once per listener (HttpServerConnection). The new property is sblim.wbem.sslCipherSuitesToDisable.

     
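As an added illustration (not the attached patch or the project's own code), a Java helper that does what the thread settles on: read the comma-separated property, start from the JRE's enabled suites rather than its supported ones, drop the listed suites once, and push the result to both the client socket and the listener socket. The class name, the fail-closed behaviour when the filter would leave no suites, and the sample suite names in main are my assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

public final class CipherSuiteFilter {
    /** Property name from the thread; the class around it is hypothetical. */
    public static final String PROPERTY = "sblim.wbem.sslCipherSuitesToDisable";

    /** Parses the comma-separated property value into a set of suite names. */
    public static Set<String> parseDisabled(String value) {
        Set<String> disabled = new HashSet<String>();
        if (value == null) return disabled;
        for (String s : value.split(",")) {
            String name = s.trim();
            if (name.length() > 0) disabled.add(name);
        }
        return disabled;
    }

    /** Removes the disabled suites from the JRE's enabled (not supported) list. */
    public static String[] filter(String[] enabled, Set<String> disabled) {
        List<String> keep = new ArrayList<String>();
        for (String suite : enabled) {
            if (!disabled.contains(suite)) keep.add(suite);
        }
        if (keep.isEmpty()) {
            // Assumption: fail closed rather than silently fall back to the JRE defaults.
            throw new IllegalStateException(PROPERTY + " disables every enabled cipher suite");
        }
        return keep.toArray(new String[keep.size()]);
    }

    /** Computed once per client/listener; applied to each socket they create. */
    public static void apply(SSLSocket socket, String[] suites) { socket.setEnabledCipherSuites(suites); }
    public static void apply(SSLServerSocket server, String[] suites) { server.setEnabledCipherSuites(suites); }

    public static void main(String[] args) throws Exception {
        // getDefaultCipherSuites() gives the enabled list without opening a socket,
        // so the result can be computed before any connection exists.
        String[] enabled = SSLContext.getDefault().getSocketFactory().getDefaultCipherSuites();
        Set<String> disabled = parseDisabled(System.getProperty(PROPERTY,
                "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_3DES_EDE_CBC_SHA")); // constructed sample
        System.out.println(Arrays.toString(filter(enabled, disabled)));
    }
}
```

Suite names must match the JRE's exactly (including the SSL_ versus TLS_ prefix), so a misspelt entry silently disables nothing; comparing the result against the original list at startup catches that.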
  • Dave Blaschke

    Dave Blaschke - 2013-03-04

    Any comments on the proposed patch? Code cutoff for next release is this Friday, March 8...

     
  • Samuel

    Samuel - 2013-03-05

    Sorry for the late response, as I had to take some time to test. The proposed patch works well.

     
  • Dave Blaschke

    Dave Blaschke - 2013-03-05
    • status: open-accepted --> open-fixed
     
  • Dave Blaschke

    Dave Blaschke - 2013-03-05

    Patch sent for community review. During a 2 week period any exploiter may comment on the patch, request changes or turn it down completely (with good reason). For the time being the patch is part of the "Experimental" branch in CVS.

     
  • Dave Blaschke

    Dave Blaschke - 2013-03-05

    Please note that, due to the upcoming release on March 15, comments must be received by March 14.

    Also, please note that the patch includes some tracing.

     
  • Dave Blaschke

    Dave Blaschke - 2013-03-14

    The community review is completed and we received no substantial criticism. Therefore the patch has been approved and merged into the "HEAD" branch. The next release will pick it up.

     
  • Dave Blaschke

    Dave Blaschke - 2013-03-14
    • status: open-fixed --> pending-fixed
     
  • Dave Blaschke

    Dave Blaschke - 2013-03-15
    • status: pending-fixed --> closed-fixed
     
  • Dave Blaschke

    Dave Blaschke - 2013-03-15

    The patch was picked up by release 2.2.2 and will be closed.

     
  • Dave Blaschke

    Dave Blaschke - 2013-09-19
    • labels: --> Java Client (JSR48)
     
