Re: [Simpleweb-Support] Removing weaker ciphers from SSL support
From: Fábio M. <fab...@gm...> - 2011-01-12 12:53:33
This also interests me, but it seems that Simple does not give you access to
the SSLEngine.

Example:

    ...
    Connection connection = new SocketConnection(container);
    connection.connect(address, sslContext);
    ...

Following the trail of the sslContext we get:

    org.simpleframework.transport.connect.*
    SocketConnection -> ListenerManager -> Listener -> Acceptor

where we have:

    private void process(SocketChannel channel) throws IOException {
        SSLEngine engine = context.createSSLEngine();

        try {
            process(channel, engine);
        } catch(Exception e) {
            channel.close();
        }
    }

this will then follow on and set the engine in the Socket used.

So, I don't see any easy way to get access to the SSLEngine created to call
the setEnabledCipherSuites method.

2011/1/12 Bruno Harbulot <br...@di...>

> Hi,
>
> I think the problem is that configuring the cipher suites is done via
> the SSLEngine, not via the SSLContext:
> http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLEngine.html#setEnabledCipherSuites%28java.lang.String[]%29
>
> One would need to be able to get hold of the SSLEngine instance to
> configure this.
>
> Best wishes,
>
> Bruno.
>
>
> On 12/01/2011 08:29, Niall Gallagher wrote:
> > Hi,
> >
> > You should be in complete control of SSL. All you need to do is create
> > an SSLContext and pass it to the connection. It will create an SSLEngine
> > per connection.
> >
> > There is nothing you need to do in Simple.
> >
> > Niall
> >
> > --- On Mon, 10/1/11, Andrew Barlow <and...@sd...> wrote:
> >
> > From: Andrew Barlow <and...@sd...>
> > Subject: [Simpleweb-Support] Removing weaker ciphers from SSL support
> > To: "Simple support and user issues"
> > <sim...@li...>
> > Received: Monday, 10 January, 2011, 8:07 AM
> >
> > We have just received the results of a security audit on a system
> > that we developed which uses Simple 4.1.21 to deliver content over SSL.
> >
> > The finding was:
> >
> > "Three weak SSL ciphers were noted as being supported by the web
> > server. These ciphers all used a symmetric key length of 56 bits or
> > less and are considered unsuitable for use by a financial services
> > application.
> > OpenSSL name: EXP-DES-CBC-SHA
> > Detailed information: Key Exchange: RSA(512); Authentication: RSA;
> > Encryption: DES(40); MAC: SHA1
> > OpenSSL name: EXP-RC4-MD5
> > Detailed information: Key Exchange: RSA(512); Authentication: RSA;
> > Encryption: RC4(40); MAC: MD5
> > OpenSSL name: DES-CBC-SHA
> > Detailed information: Key Exchange: RSA; Authentication: "
> >
> > and the recommendation was that the server be configured to remove
> > these weak ciphers.
> >
> > Is this something we do in Simple, or do we make changes in the Java
> > keystore?
> >
> > Does anyone have any experience of this?
> >
> > Andy Barlow
> >
> > _______________________________________________
> > Simpleweb-Support mailing list
> > Sim...@li...
> > https://lists.sourceforge.net/lists/listinfo/simpleweb-support
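
One way around the missing SSLEngine access discussed in this thread, as an added example that is not part of any message above and not part of Simple: wrap the initialized SSLContext in a delegating SSLContextSpi so every engine it creates has the export-grade, 40-bit and single-DES suites disabled. The class name FilteredSSLContext and the name-based filter are assumptions; the wrapper would be passed in as connection.connect(address, new FilteredSSLContext(sslContext)).

```java
import java.security.KeyManagementException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.*;

// Added example (hypothetical class): engines created by this context never enable the flagged suites.
public final class FilteredSSLContext extends SSLContext {

    public FilteredSSLContext(SSLContext initialized) {
        super(new Spi(initialized), initialized.getProvider(), initialized.getProtocol());
    }

    // Drop JSSE suites with keys of 56 bits or less: export-grade, 40-bit and single DES.
    static String[] strong(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (!s.contains("_EXPORT_") && !s.contains("_DES_")
                    && !s.contains("DES40") && !s.contains("RC4_40")) {
                kept.add(s);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    private static final class Spi extends SSLContextSpi {
        private final SSLContext ctx;
        Spi(SSLContext ctx) { this.ctx = ctx; }

        // Only narrows what is already enabled; never enables additional suites.
        private SSLEngine harden(SSLEngine e) {
            e.setEnabledCipherSuites(strong(e.getEnabledCipherSuites()));
            return e;
        }
        @Override protected SSLEngine engineCreateSSLEngine() { return harden(ctx.createSSLEngine()); }
        @Override protected SSLEngine engineCreateSSLEngine(String h, int p) { return harden(ctx.createSSLEngine(h, p)); }
        @Override protected void engineInit(KeyManager[] k, TrustManager[] t, SecureRandom r)
                throws KeyManagementException { ctx.init(k, t, r); }
        // Socket factories pass through unfiltered; the Acceptor code quoted in the thread uses createSSLEngine().
        @Override protected SSLSocketFactory engineGetSocketFactory() { return ctx.getSocketFactory(); }
        @Override protected SSLServerSocketFactory engineGetServerSocketFactory() { return ctx.getServerSocketFactory(); }
        @Override protected SSLSessionContext engineGetServerSessionContext() { return ctx.getServerSessionContext(); }
        @Override protected SSLSessionContext engineGetClientSessionContext() { return ctx.getClientSessionContext(); }
    }

    public static void main(String[] args) throws Exception {
        SSLContext base = SSLContext.getInstance("TLS");
        base.init(null, null, null); // default key/trust managers, for demonstration only
        for (String s : new FilteredSSLContext(base).createSSLEngine().getEnabledCipherSuites()) {
            System.out.println(s);
        }
    }
}
```

Running main prints the suites that remain enabled, which can be compared against the three names in the audit finding (in JSSE naming: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_WITH_DES_CBC_SHA).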