Re: [Simpleweb-Support] Removing weaker ciphers from SSL support
From: Bruno H. <br...@di...> - 2011-01-12 12:09:11
Hi,

I think the problem is that configuring the cipher suites is done via the SSLEngine, not via the SSLContext:
http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLEngine.html#setEnabledCipherSuites%28java.lang.String[]%29

One would need to be able to get hold of the SSLEngine instance to configure this.

Best wishes,

Bruno.

On 12/01/2011 08:29, Niall Gallagher wrote:
> Hi,
>
> You should be in complete control of SSL. All you need to do is create
> an SSLContext and pass it to the connection. It will create an SSLEngine
> per connection.
>
> There is nothing you need to do in Simple.
>
> Niall
>
> --- On *Mon, 10/1/11, Andrew Barlow /<and...@sd...>/* wrote:
>
> From: Andrew Barlow <and...@sd...>
> Subject: [Simpleweb-Support] Removing weaker ciphers from SSL support
> To: "Simple support and user issues" <sim...@li...>
> Received: Monday, 10 January, 2011, 8:07 AM
>
> We have just received the results of a security audit on a system
> that we developed which uses Simple 4.1.21 to deliver content over SSL.
>
> The finding was:
>
> "Three weak SSL ciphers were noted as being supported by the web
> server. These ciphers all used a symmetric key length of 56 bits or
> less and are considered unsuitable for use by a financial services
> application.
> OpenSSL name: EXP-DES-CBC-SHA
> Detailed information: Key Exchange: RSA(512); Authentication: RSA;
> Encryption: DES(40); MAC: SHA1
> OpenSSL name: EXP-RC4-MD5
> Detailed information: Key Exchange: RSA(512); Authentication: RSA;
> Encryption: RC4(40); MAC: MD5
> OpenSSL name: DES-CBC-SHA
> Detailed information: Key Exchange: RSA; Authentication: "
>
> and the recommendation was that the server be configured to remove
> these weak ciphers.
>
> Is this something we do in Simple, or do we make changes in the Java
> keystore?
>
> Does anyone have any experience of this?
>
> Andy Barlow
>
> _______________________________________________
> Simpleweb-Support mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
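The approach described in the reply above, as an added example that is not part of the original thread or of Simple's code: it takes an SSLEngine created from an SSLContext and uses setEnabledCipherSuites to drop every suite with a symmetric key of 56 bits or less. The class name, method names and the WEAK marker list are assumptions made here, and the example does not show how to reach the engine that Simple creates internally.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class StrongCipherEngine {

    // JSSE name fragments for suites keyed at 56 bits or less (assumed list).
    // The audit's EXP-DES-CBC-SHA, EXP-RC4-MD5 and DES-CBC-SHA are named
    // SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5 and
    // SSL_RSA_WITH_DES_CBC_SHA by JSSE. "_DES_" does not match "_3DES_".
    private static final String[] WEAK = { "_EXPORT_", "_DES40_", "_DES_", "_NULL_" };

    static boolean isWeak(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    static String[] withoutWeak(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (!isWeak(s)) kept.add(s);
        }
        return kept.toArray(new String[0]);
    }

    // Creates a server-side engine and narrows its enabled suites.
    static SSLEngine hardenedServerEngine(SSLContext context) {
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);
        String[] strong = withoutWeak(engine.getEnabledCipherSuites());
        if (strong.length == 0) {
            throw new IllegalStateException("filter removed every cipher suite");
        }
        engine.setEnabledCipherSuites(strong);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the three audited suites plus one to keep.
        String[] sample = { "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                            "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA" };
        for (String s : withoutWeak(sample)) System.out.println("kept: " + s);

        SSLEngine engine = hardenedServerEngine(SSLContext.getDefault());
        System.out.println(engine.getEnabledCipherSuites().length + " suites enabled");
    }
}
```

Where the engine is created inside a framework and cannot be reached, later JDK releases also honour the `jdk.tls.disabledAlgorithms` security property, which disables algorithms for the whole JVM.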