Re: [Simpleweb-Support] Removing weaker ciphers from SSL support
From: Niall G. <gal...@ya...> - 2011-01-13 10:09:59
Hi,

Yes, this is the way you should intercept the connections.

Regards,
Niall

--- On Wed, 12/1/11, Brad McEvoy <br...@br...> wrote:

> From: Brad McEvoy <br...@br...>
> Subject: Re: [Simpleweb-Support] Removing weaker ciphers from SSL support
> To: sim...@li...
> Received: Wednesday, 12 January, 2011, 12:39 PM
>
> Hi Guys,
>
> Attached is some code from the Berry project which might help. And some
> snippets from the attached source file. Note the SecureProcessor class
> which is an implementation of Server. I got most of this code from
> somewhere, can't remember where.
>
> ----------------
>
> protected SocketConnection initHttps( int port ) {
>     SSLServerSocketFactory fac = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
>
>     log.info( "initHttps: port: " + port + " sslProtocol: " + sslProtocol + " keystoreAlgorithm:" + keystoreAlgorithm );
>     try {
>         KeyStore keystore = KeyStore.getInstance( keystoreType );
>         keystore.load( new FileInputStream( keystoreFile ), keystorePassword.toCharArray() );
>         log.info( "listing aliases defined in keystore" );
>         Enumeration<String> aliases = keystore.aliases();
>         while( aliases.hasMoreElements() ) {
>             String a = aliases.nextElement();
>             log.info( " - alias: " + a );
>             Certificate cert = keystore.getCertificate( a );
>             log.info( " - cert type: " + cert.getType() );
>             log.info( " - algorithm: " + cert.getPublicKey().getAlgorithm() );
>             log.info( " - format: " + cert.getPublicKey().getFormat() );
>         }
>
>         KeyManagerFactory kmf = KeyManagerFactory.getInstance( keystoreAlgorithm );
>         kmf.init( keystore, keystorePassword.toCharArray() );
>
>         X509TrustManager trustManager = new AnonymousTrustManager();
>         X509TrustManager[] trustManagers = new X509TrustManager[]{ trustManager };
>
>         // An SSLContext is an environment for implementing JSSE. It is used to create a ServerSocketFactory
>         SSLContext sslc = SSLContext.getInstance( sslProtocol );
>         sslc.init( kmf.getKeyManagers(), trustManagers, null );
>
>         ContainerServer processor = new ContainerServer( this, 25 );
>         org.simpleframework.transport.Server secure = new SecureProcessor( processor, sslc );
>         SocketConnection ssl = new SocketConnection( secure );
>         InetSocketAddress address = new InetSocketAddress( port );
>         ssl.connect( address, sslc );
>         return ssl;
>     } catch( Exception e ) {
>         // closing of the snippet: the attached file handles this as it sees fit
>         throw new RuntimeException( "initHttps failed", e );
>     }
> }
>
> ------------------------------------------------------
>
> private static class SecureProcessor implements org.simpleframework.transport.Server {
>
>     private ContainerServer processor;
>     private SSLContext context;
>
>     public SecureProcessor( ContainerServer processor, SSLContext context ) {
>         this.processor = processor;
>         this.context = context;
>     }
>
>     public void process( Socket pipeline ) throws IOException {
>         final SocketChannel channel = pipeline.getChannel();
>         final Map map = new HashMap();
>         Socket secure = new Socket() {
>
>             private SSLEngine engine;
>
>             public Map getAttributes() {
>                 return map;
>             }
>
>             public SocketChannel getChannel() {
>                 return channel;
>             }
>
>             // the engine is created here, per connection, so this is the one
>             // place the application code can get hold of it
>             public SSLEngine getEngine() {
>                 if( engine == null ) {
>                     engine = context.createSSLEngine();
>                 }
>                 return engine;
>             }
>         };
>
>         processor.process( secure );
>     }
>
>     public void stop() {
>     }
> }
>
> On 13/01/11 01:50, Fábio Matos wrote:
> > This also interests me, but it seems that Simple does not give you
> > access to the SSLEngine.
> >
> > Example:
> > ...
> > Connection connection = new SocketConnection(container);
> > connection.connect(address, sslContext);
> > ...
> >
> > Following the trail of the sslContext we get:
> > org.simpleframework.transport.connect.*
> >
> > SocketConnection -> ListenerManager -> Listener -> Acceptor
> >
> > where we have:
> >
> > private void process(SocketChannel channel) throws IOException {
> >     SSLEngine engine = context.createSSLEngine();
> >
> >     try {
> >         process(channel, engine);
> >     } catch(Exception e) {
> >         channel.close();
> >     }
> > }
> >
> > this will then follow on and set the engine in the Socket used.
> >
> > So, I don't see any easy way to get access to the SSLEngine created to
> > call the setEnabledCipherSuites method.
> >
> > 2011/1/12 Bruno Harbulot <br...@di...>
> >> Hi,
> >>
> >> I think the problem is that configuring the cipher suites is done via
> >> the SSLEngine, not via the SSLContext:
> >> http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLEngine.html#setEnabledCipherSuites%28java.lang.String[]%29
> >>
> >> One would need to be able to get hold of the SSLEngine instance to
> >> configure this.
> >>
> >> Best wishes,
> >>
> >> Bruno.
> >>
> >> On 12/01/2011 08:29, Niall Gallagher wrote:
> >>> Hi,
> >>>
> >>> You should be in complete control of SSL. All you need to do is create
> >>> an SSLContext and pass it to the connection. It will create an SSLEngine
> >>> per connection.
> >>>
> >>> There is nothing you need to do in Simple.
> >>>
> >>> Niall
> >>>
> >>> --- On Mon, 10/1/11, Andrew Barlow <and...@sd...> wrote:
> >>>
> >>> From: Andrew Barlow <and...@sd...>
> >>> Subject: [Simpleweb-Support] Removing weaker ciphers from SSL support
> >>> To: "Simple support and user issues" <sim...@li...>
> >>> Received: Monday, 10 January, 2011, 8:07 AM
> >>>
> >>> We have just received the results of a security audit on a system
> >>> that we developed which uses Simple 4.1.21 to deliver content over SSL.
> >>>
> >>> The finding was:
> >>>
> >>> "Three weak SSL ciphers were noted as being supported by the web
> >>> server. These ciphers all used a symmetric key length of 56 bits or
> >>> less and are considered unsuitable for use by a financial services
> >>> application.
> >>> OpenSSL name: EXP-DES-CBC-SHA
> >>> Detailed information: Key Exchange: RSA(512); Authentication: RSA;
> >>> Encryption: DES(40); MAC: SHA1
> >>> OpenSSL name: EXP-RC4-MD5
> >>> Detailed information: Key Exchange: RSA(512); Authentication: RSA;
> >>> Encryption: RC4(40); MAC: MD5
> >>> OpenSSL name: DES-CBC-SHA
> >>> Detailed information: Key Exchange: RSA; Authentication: "
> >>>
> >>> and the recommendation was that the server be configured to remove
> >>> these weak ciphers.
> >>>
> >>> Is this something we do in Simple, or do we make changes in the Java
> >>> keystore?
> >>>
> >>> Does anyone have any experience of this?
> >>>
> >>> Andy Barlow