Re: [Simpleweb-Support] Removing weaker ciphers from SSL support
From: Brad M. <br...@br...> - 2011-01-12 20:56:35
Hi Guys,
Attached is some code from the Berry project which might help. And some
snippets from the attached source file. Note the SecureProcessor class
which is an implementation of Server. I got most of this code from
somewhere, can't remember where.
----------------
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509TrustManager;
import org.simpleframework.http.core.ContainerServer;
import org.simpleframework.transport.connect.SocketConnection;

// log, keystoreType, keystoreFile, keystorePassword, keystoreAlgorithm and
// sslProtocol are fields of the enclosing class (which implements Container);
// AnonymousTrustManager is defined in the attached source file.
protected SocketConnection initHttps( int port ) throws IOException {
    log.info( "initHttps: port: " + port + " sslProtocol: " + sslProtocol
        + " keystoreAlgorithm: " + keystoreAlgorithm );
    try {
        // Load the server key pair and certificate chain from the keystore
        KeyStore keystore = KeyStore.getInstance( keystoreType );
        FileInputStream in = new FileInputStream( keystoreFile );
        try {
            keystore.load( in, keystorePassword.toCharArray() );
        } finally {
            in.close();
        }
        log.info( "listing aliases defined in keystore" );
        Enumeration<String> aliases = keystore.aliases();
        while( aliases.hasMoreElements() ) {
            String a = aliases.nextElement();
            log.info( " - alias: " + a );
            Certificate cert = keystore.getCertificate( a );
            if( cert != null ) { // secret-key entries have no certificate
                log.info( " - cert type: " + cert.getType() );
                log.info( " - algorithm: " + cert.getPublicKey().getAlgorithm() );
                log.info( " - format: " + cert.getPublicKey().getFormat() );
            }
        }
        // The key managers present the server certificate; the trust manager
        // is only consulted if clients are asked for certificates
        KeyManagerFactory kmf = KeyManagerFactory.getInstance( keystoreAlgorithm );
        kmf.init( keystore, keystorePassword.toCharArray() );
        X509TrustManager trustManager = new AnonymousTrustManager();
        X509TrustManager[] trustManagers = new X509TrustManager[]{ trustManager };
        // An SSLContext is the JSSE environment from which SSLEngines are created
        SSLContext sslc = SSLContext.getInstance( sslProtocol );
        sslc.init( kmf.getKeyManagers(), trustManagers, null );
        // SecureProcessor (below) sits between Simple's connection layer and the
        // ContainerServer so that the SSLEngine is created under our control
        ContainerServer processor = new ContainerServer( this, 25 );
        org.simpleframework.transport.Server secure = new SecureProcessor( processor, sslc );
        SocketConnection ssl = new SocketConnection( secure );
        InetSocketAddress address = new InetSocketAddress( port );
        ssl.connect( address, sslc );
        return ssl;
    } catch( GeneralSecurityException e ) {
        throw new IOException( "could not initialise HTTPS on port " + port, e );
    }
}
------------------------------------------------------
import java.io.IOException;
import java.nio.channels.SocketChannel;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.simpleframework.http.core.ContainerServer;
import org.simpleframework.transport.Socket;

private static class SecureProcessor implements org.simpleframework.transport.Server {
    private final ContainerServer processor;
    private final SSLContext context;

    public SecureProcessor( ContainerServer processor, SSLContext context ) {
        this.processor = processor;
        this.context = context;
    }

    // Wraps every accepted socket so that the SSLEngine handed to Simple is
    // created here from our own context, replacing the one Simple's Acceptor
    // attached to the socket. This is the point at which the engine is
    // reachable, so per-engine settings can be applied before it is returned.
    public void process( Socket pipeline ) throws IOException {
        final SocketChannel channel = pipeline.getChannel();
        final Map map = new HashMap();
        Socket secure = new Socket() {
            private SSLEngine engine;

            public Map getAttributes() {
                return map;
            }

            public SocketChannel getChannel() {
                return channel;
            }

            public SSLEngine getEngine() {
                if( engine == null ) {
                    engine = context.createSSLEngine();
                }
                return engine;
            }
        };
        processor.process( secure );
    }

    public void stop() throws IOException {
        processor.stop(); // shut down the wrapped server as well
    }
}
On 13/01/11 01:50, Fábio Matos wrote:
> This also interests me, but it seems that Simple does not give you
> access to the SSLEngine.
>
> Example:
> ...
> Connection connection = new SocketConnection(container);
> connection.connect(address, sslContext);
> ...
>
> Following the trail of the sslContext we get:
> org.simpleframework.transport.connect.*
>
> SocketConnection -> ListenerManager -> Listener -> Acceptor
>
> where we have:
>
> private void process(SocketChannel channel) throws IOException {
>     SSLEngine engine = context.createSSLEngine();
>
>     try {
>         process(channel, engine);
>     } catch(Exception e) {
>         channel.close();
>     }
> }
>
> this will then follow on and set the engine in the Socket used.
>
> So, I don't see any easy way to get access to the SSLEngine created to
> call the setEnabledCipherSuites method.
>
>
>
> 2011/1/12 Bruno Harbulot<br...@di...>
>> Hi,
>>
>> I think the problem is that configuring the cipher suites is done via
>> the SSLEngine, not via the SSLContext:
>> http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLEngine.html#setEnabledCipherSuites%28java.lang.String[]%29
>>
>> One would need to be able to get hold of the SSLEngine instance to
>> configure this.
>>
>> Best wishes,
>>
>> Bruno.
>>
>>
>> On 12/01/2011 08:29, Niall Gallagher wrote:
>>> Hi,
>>>
>>> You should be in complete control of SSL. All you need to do is create
>>> an SSLContext and pass it to the connection. It will create an SSLEngine
>>> per connection.
>>>
>>> There is nothing you need to do in Simple.
>>>
>>> Niall
>>>
>>> --- On Mon, 10/1/11, Andrew Barlow <and...@sd...> wrote:
>>>
>>>
>>> From: Andrew Barlow<and...@sd...>
>>> Subject: [Simpleweb-Support] Removing weaker ciphers from SSL support
>>> To: "Simple support and user issues"
>>> <sim...@li...>
>>> Received: Monday, 10 January, 2011, 8:07 AM
>>>
>>> We have just received the results of a security audit on a system
>>> that we developed which uses Simple 4.1.21 to deliver content over SSL.
>>>
>>> The finding was:
>>>
>>> "Three weak SSL ciphers were noted as being supported by the web
>>> server. These ciphers all used a symmetric key length of 56 bits or
>>> less and are considered unsuitable for use by a financial services
>>> application.
>>> OpenSSL name: EXP-DES-CBC-SHA
>>> Detailed information: Key Exchange: RSA(512); Authentication: RSA;
>>> Encryption: DES(40); MAC: SHA1
>>> OpenSSL name: EXP-RC4-MD5
>>> Detailed information: Key Exchange: RSA(512); Authentication: RSA;
>>> Encryption: RC4(40); MAC: MD5
>>> OpenSSL name: DES-CBC-SHA
>>> Detailed information: Key Exchange: RSA; Authentication: "
>>>
>>> and the recommendation was that the server be configured to remove
>>> these weak ciphers.
>>>
>>> Is this something we do in Simple, or do we make changes in the Java
>>> keystore?
>>>
>>> Does anyone have any experience of this?
>>>
>>> Andy Barlow
>>>
>>>
>>>
>>> -----Inline Attachment Follows-----
>>>
>>> ------------------------------------------------------------------------------
>>> Gaining the trust of online customers is vital for the success of
>>> any company
>>> that requires sensitive data to be transmitted over the Web. Learn
>>> how to
>>> best implement a security strategy that keeps consumers' information
>>> secure
>>> and instills the confidence they need to proceed with transactions.
>>> http://p.sf.net/sfu/oracle-sfdevnl
>>>
>>> -----Inline Attachment Follows-----
>>>
>>> _______________________________________________
>>> Simpleweb-Support mailing list
>>> Sim...@li...
>>> </mc/compose?to=...@li...>
>>> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>>> ------------------------------------------------------------------------------
>>> Protect Your Site and Customers from Malware Attacks
>>> Learn about various malware tactics and how to avoid them. Understand
>>> malware threats, the impact they can have on your business, and how you
>>> can protect your company and customers by using code signing.
>>> http://p.sf.net/sfu/oracle-sfdevnl
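Editor's note: the thread stops at "get hold of the SSLEngine" without showing the call itself. The following is an added, self-contained example (not code from Brad, the Berry project, or Simple) of restricting a server-side SSLEngine to suites that are not export-grade, single-DES, RC4, MD5, NULL or anonymous. The deny-list is broader than the three suites in the audit, and the JSSE names SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5 and SSL_RSA_WITH_DES_CBC_SHA are assumed to correspond to the OpenSSL names EXP-DES-CBC-SHA, EXP-RC4-MD5 and DES-CBC-SHA. In Brad's SecureProcessor the body of getEngine() is where createServerEngine(context) would be called instead of context.createSSLEngine(); the class name and helper names below are this example's own. The main method uses the JVM's default SSLContext, which needs no keystore, so it runs as-is and reports which of the audited suites survive on the JVM it runs on (a recent JDK may not offer them at all).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class StrongCipherSuites {

    // Substrings that mark a JSSE suite name as unacceptable: export-grade key
    // exchange, single DES (40- or 56-bit), RC4, MD5 MACs, NULL encryption and
    // anonymous key exchange. "_DES_" does not match "_3DES_", so triple DES
    // is left alone here; extend the list if policy requires.
    private static final String[] WEAK_MARKERS = {
        "_EXPORT_", "_DES_", "_DES40_", "_RC4_", "_MD5", "_NULL_", "_anon_"
    };

    /** True if the suite name contains any of the weak markers. */
    public static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the subset of the given suites that match none of the markers. */
    public static String[] strongSuites(String[] supported) {
        List<String> strong = new ArrayList<String>();
        for (String suite : supported) {
            if (!isWeak(suite)) {
                strong.add(suite);
            }
        }
        return strong.toArray(new String[strong.size()]);
    }

    /**
     * Creates a server-side engine from the context and narrows its enabled
     * suites before the engine is handed to the transport layer. Restricting
     * the enabled set is done per engine, which is why the thread needed a
     * place to intercept engine creation.
     */
    public static SSLEngine createServerEngine(SSLContext context) {
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false); // redundant if the framework sets it too
        engine.setEnabledCipherSuites(strongSuites(engine.getSupportedCipherSuites()));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext context = SSLContext.getDefault();
        SSLEngine engine = createServerEngine(context);
        List<String> enabled = Arrays.asList(engine.getEnabledCipherSuites());

        // The three suites from the audit, under their assumed JSSE names
        String[] audited = {
            "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_WITH_DES_CBC_SHA"
        };
        for (String suite : audited) {
            System.out.println(suite + " enabled: " + enabled.contains(suite));
        }
        System.out.println("enabled " + enabled.size() + " of "
            + engine.getSupportedCipherSuites().length + " supported suites");
        for (String suite : enabled) {
            System.out.println("  " + suite);
        }
    }
}
```

Filtering getSupportedCipherSuites() rather than hard-coding an allow-list keeps the configuration valid across JVM versions, since setEnabledCipherSuites throws IllegalArgumentException for a name the provider does not know. The printed list is what a repeat of the audit should be checked against.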