The sblim client uses the cipher suites provided by the JRE during ssl connection such as secure indication with cimom, but it may contain some weak cipher suites, which should be disabled. So it needs to add a property for the weak cipher suites defined by users, then users can disable them.
Dave, as we talked, a property (something like sblim.wbem.ignoreCipherSuites) is needed to filter out weak ciphers so that weak ones would not be used during CIM calls or indications.
So you are asking for a property that contains a comma-separated list of cipher suites that should be filtered out of the SSLSocket.getSupportedCipherSuites() and then passed to SSLSocket.setEnabledCipherSuites(), correct?
You can already set the list of cipher suites you want to use via https.cipherSuites for outgoing requests, would it be sufficient to add support for this property to incoming requests (indications) as well?
Yes, it's correct that I need a property to filter out some given cipher
suites. And sometimes it's inconvenient to use https.cipherSuites to set
the list of cipher suites we want to use since the list is rather long and
we just want to filter out a few of them. It's easier and more elegant to do
the filter job if this property is added.
From: "Dave Blaschke" blaschke-oss@users.sf.net
To: "[sblim:bugs] " 2618@bugs.sblim.p.re.sf.net
Date: 2013/02/25 20:29
Subject: [sblim:bugs] #2618 Need to add property to disable weak cipher
suites for the secure indication
[bugs:#2618] Need to add property to disable weak cipher suites for the
secure indication
Status: open
Created: Fri Feb 22, 2013 06:53 AM UTC by Samuel
Last Updated: Mon Feb 25, 2013 06:25 AM UTC
Owner: Dave Blaschke
Two questions:
1) Would you prefer to start with the supported cipher suites or enabled cipher suites? I would think the latter since that is what the JRE has enabled by default, while using the former would add quite a few more (on my Java 5 system, there are 18 enabled suites but 36 supported).
2) Would you want the property read and cipher suites set every time a socket is initialized, or is once per WBEMClient acceptable?
1) I agree with you that we should prefer the enabled cipher suites,
which are more meaningful to us.
2) I'm not sure whether the latter could work or not, since there's no
actual connection when we get a WBEMClient, no socket is created at that
time. And in the current sblim code, it uses the former for the outgoing
request, would it be ok for the ingoing request (secure indication) to use
the former?
With regard to #2, it would be more of a lazy initialization in that the property would be read in once and the desired cipher suites determined once per WBEMClient, probably during the first HttpClient initialization. In the other case, the property would be read and suites determined every time HttpClient.resetSocket is called for a new connection, which could be multiple times per HttpClient.
The way you should look at answering the questions is, are the enabled cipher suites always going to be the same for every connection in a WBEMClient instance or not? I would think they should be.
Something you said in answering #2 and the title of the bug lead me to another question:
3) Is this logic just for incoming secure indications, or should the cipher suites be set for outgoing secure requests too?
Chatted with Samuel, the answer to #2 is once and the answer to #3 is both.
The proposed patch is attached. It determines the set of enabled cipher suites once per client (HttpClientPool) and once per listener (HttpServerConnection). The new property is sblim.wbem.sslCipherSuitesToDisable.
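A sketch of the filtering this thread settles on, as an added example rather than the attached patch or the SBLIM client's own code: start from the enabled suites, drop the names listed in the comma-separated property, and compute the result once per instance. Reading the property with System.getProperty, the class and method names, and the sample suite names are assumptions.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuiteFilter {
    // Property name from the thread; reading it as a system property is an assumption.
    static final String PROP = "sblim.wbem.sslCipherSuitesToDisable";

    private String[] cached; // determined once, then reused for every new socket

    /** Returns the enabled suites minus every name in the comma-separated list. */
    static String[] filter(String[] enabled, String disableList) {
        if (disableList == null || disableList.trim().isEmpty()) return enabled.clone();
        Set<String> disabled = new HashSet<String>();
        for (String name : disableList.split(",")) disabled.add(name.trim());
        List<String> kept = new ArrayList<String>();
        for (String suite : enabled) {
            if (!disabled.contains(suite)) kept.add(suite);
        }
        // Fail loudly instead of leaving a socket that can never complete a handshake.
        if (kept.isEmpty()) {
            throw new IllegalStateException(PROP + " disables every enabled cipher suite");
        }
        return kept.toArray(new String[0]);
    }

    /** Lazy initialization: the property is read the first time a socket is set up. */
    synchronized void apply(SSLSocket socket) {
        if (cached == null) {
            cached = filter(socket.getEnabledCipherSuites(), System.getProperty(PROP));
        }
        socket.setEnabledCipherSuites(cached);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; names absent from the enabled set are simply ignored.
        System.setProperty(PROP, "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA");
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(); // unconnected
        int before = s.getEnabledCipherSuites().length;
        new CipherSuiteFilter().apply(s);
        System.out.println(before + " enabled before, " + s.getEnabledCipherSuites().length + " after");
        s.close();
    }
}
```

The same `filter` result can be passed to `SSLServerSocket.setEnabledCipherSuites` on the listener side, which is the incoming-indication case the bug title refers to.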
Any comments on the proposed patch? Code cutoff for next release is this Friday, March 8...
Sorry for the late response, as I have to take some time to test. The
proposed patch works well.
Patch sent for community review. During a 2 week period any exploiter may comment on the patch, request changes or turn it down completely (with good reason). For the time being the patch is part of the "Experimental" branch in CVS.
Please note that, due to the upcoming release on March 15, comments must be received by March 14.
Also, please note that the patch includes some tracing.
The community review is completed and we received no substantial criticism. Therefore the patch has been approved and merged into the "HEAD" branch. The next release will pick it up.
The patch was picked up by release 2.2.2 and will be closed.