Re: [Simpleweb-Support] Removing weaker ciphers from SSL support
From: Niall G. <gal...@ya...> - 2011-01-13 10:07:12
Hi,

Yes, you do have access to it. Take a look at the org.simpleframework.transport.Server interface. Notice how it accepts the org.simpleframework.transport.Socket. There is a Socket.getEngine method. Here is where you do what you want.

Niall

--- On Wed, 12/1/11, Fábio Matos <fab...@gm...> wrote:

> From: Fábio Matos <fab...@gm...>
> Subject: Re: [Simpleweb-Support] Removing weaker ciphers from SSL support
> To: "Simple support and user issues" <sim...@li...>
> Received: Wednesday, 12 January, 2011, 4:50 AM
>
> This also interests me, but it seems that Simple does not give you
> access to the SSLEngine.
>
> Example:
> ...
> Connection connection = new SocketConnection(container);
> connection.connect(address, sslContext);
> ...
>
> Following the trail of the sslContext we get:
> org.simpleframework.transport.connect.*
>
> SocketConnection -> ListenerManager -> Listener -> Acceptor
>
> where we have:
>
> private void process(SocketChannel channel) throws IOException {
>     SSLEngine engine = context.createSSLEngine();
>
>     try {
>         process(channel, engine);
>     } catch(Exception e) {
>         channel.close();
>     }
> }
>
> this will then follow on and set the engine in the Socket used.
>
> So, I don't see any easy way to get access to the SSLEngine created to
> call the setEnabledCipherSuites method.
>
> 2011/1/12 Bruno Harbulot <br...@di...>
> >
> > Hi,
> >
> > I think the problem is that configuring the cipher suites is done via
> > the SSLEngine, not via the SSLContext:
> > http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLEngine.html#setEnabledCipherSuites%28java.lang.String[]%29
> >
> > One would need to be able to get hold of the SSLEngine instance to
> > configure this.
> >
> > Best wishes,
> >
> > Bruno.
> >
> > On 12/01/2011 08:29, Niall Gallagher wrote:
> > > Hi,
> > >
> > > You should be in complete control of SSL. All you need to do is create
> > > an SSLContext and pass it to the connection. It will create an SSLEngine
> > > per connection.
> > >
> > > There is nothing you need to do in Simple.
> > >
> > > Niall
> > >
> > > --- On Mon, 10/1/11, Andrew Barlow <and...@sd...> wrote:
> > >
> > > From: Andrew Barlow <and...@sd...>
> > > Subject: [Simpleweb-Support] Removing weaker ciphers from SSL support
> > > To: "Simple support and user issues" <sim...@li...>
> > > Received: Monday, 10 January, 2011, 8:07 AM
> > >
> > > We have just received the results of a security audit on a system
> > > that we developed which uses Simple 4.1.21 to deliver content over SSL.
> > >
> > > The finding was:
> > >
> > > "Three weak SSL ciphers were noted as being supported by the web
> > > server. These ciphers all used a symmetric key length of 56 bits or
> > > less and are considered unsuitable for use by a financial services
> > > application.
> > > OpenSSL name: EXP-DES-CBC-SHA
> > > Detailed information: Key Exchange: RSA(512); Authentication: RSA;
> > > Encryption: DES(40); MAC: SHA1
> > > OpenSSL name: EXP-RC4-MD5
> > > Detailed information: Key Exchange: RSA(512); Authentication: RSA;
> > > Encryption: RC4(40); MAC: MD5
> > > OpenSSL name: DES-CBC-SHA
> > > Detailed information: Key Exchange: RSA; Authentication: "
> > >
> > > and the recommendation was that the server be configured to remove
> > > these weak ciphers.
> > >
> > > Is this something we do in Simple, or do we make changes in the Java
> > > keystore?
> > >
> > > Does anyone have any experience of this?
> > >
> > > Andy Barlow
> > >
> > > _______________________________________________
> > > Simpleweb-Support mailing list
> > > Sim...@li...
> > > https://lists.sourceforge.net/lists/listinfo/simpleweb-support
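
The approach from the top reply, as an added example that is not part of the thread or of Simple's own code: a Server wrapper that narrows each connection's SSLEngine to suites above the audit's 56-bit threshold before handing the socket on. The class name, the name fragments in WEAK, the process/stop signatures of Server (as in Simple 4.x) and the null engine on non-SSL connections are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLEngine;
import org.simpleframework.transport.Server;
import org.simpleframework.transport.Socket;

// Added example: decorates another Server and restricts cipher suites per connection.
public class StrongCipherServer implements Server {
    // JSSE suite-name fragments for ciphers of 56 bits or less (assumed policy):
    // export-grade suites (DES40, RC4_40), single DES, and NULL encryption.
    // "_DES_" does not match "_3DES_", so triple-DES suites are left enabled.
    private static final String[] WEAK = {"_EXPORT_", "_DES_", "_NULL_"};

    private final Server delegate;

    public StrongCipherServer(Server delegate) {
        this.delegate = delegate;
    }

    // Returns the enabled suites minus any whose name contains a WEAK fragment.
    static String[] strongOnly(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String suite : enabled) {
            boolean weak = false;
            for (String marker : WEAK) {
                if (suite.contains(marker)) weak = true;
            }
            if (!weak) keep.add(suite);
        }
        if (keep.isEmpty()) {
            // Fail loudly rather than hand JSSE an empty list and break every handshake.
            throw new IllegalStateException("no strong cipher suite left enabled");
        }
        return keep.toArray(new String[keep.size()]);
    }

    // Called once per accepted connection, before any handshake data is exchanged.
    public void process(Socket socket) throws IOException {
        SSLEngine engine = socket.getEngine(); // assumed null for plain HTTP sockets
        if (engine != null) {
            engine.setEnabledCipherSuites(strongOnly(engine.getEnabledCipherSuites()));
        }
        delegate.process(socket);
    }

    public void stop() throws IOException {
        delegate.stop();
    }
}
```

Wrap whichever Server the connection is built around so that every accepted socket passes through process first, then re-run the scan that produced the audit finding to confirm the three suites are no longer offered.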