Thread: [Simpleweb-Support] Removing weaker ciphers from SSL support
From: Andrew B. <and...@sd...> - 2011-01-10 16:32:53
We have just received the results of a security audit on a system that we developed which uses Simple 4.1.21 to deliver content over SSL.

The finding was:

"Three weak SSL ciphers were noted as being supported by the web server. These ciphers all used a symmetric key length of 56 bits or less and are considered unsuitable for use by a financial services application.
OpenSSL name: EXP-DES-CBC-SHA
Detailed information: Key Exchange: RSA(512); Authentication: RSA; Encryption: DES(40); MAC: SHA1
OpenSSL name: EXP-RC4-MD5
Detailed information: Key Exchange: RSA(512); Authentication: RSA; Encryption: RC4(40); MAC: MD5
OpenSSL name: DES-CBC-SHA
Detailed information: Key Exchange: RSA; Authentication: "

and the recommendation was that the server be configured to remove these weak ciphers.

Is this something we do in Simple, or do we make changes in the Java keystore?

Does anyone have any experience of this?

Andy Barlow
From: Kai S. <sch...@gm...> - 2011-01-11 07:20:59
Hey Andy,

I'm not very experienced with Java's cryptography; all I know is that it is a den of wizards that hide a maze. As far as I understand, the audit complains that you are too permissive in how you allow clients their access. Depending on what sort of business you're in, you should either freak out or feel comforted.

In the public domain, many people use "not so good" cryptography. MD5 hashes are a great example. It's hackable. Is there better? Yes. Is it really worth the trouble to upgrade? Well, in time, yes. Is the upgrade immune to hacks? Yes, for the time being... ... ...

In the private / military domain, any infringement or security risk is worth mentioning.

Anyway... in your app, run a full printout on the System class. Uhm... use retrospection if you have to. It'll print out tons and tons of data. You'll find loads of stuff that would worry you if you were military hehe. But really, it's in your OpenSSL library... have a look at www.openssl.org for further info :)

-k (being my useless self)

On Mon, Jan 10, 2011 at 5:07 PM, Andrew Barlow <and...@sd...> wrote:
> [...]
From: Niall G. <gal...@ya...> - 2011-01-12 08:29:46
Hi,

You should be in complete control of SSL. All you need to do is create an SSLContext and pass it to the connection. It will create an SSLEngine per connection.

There is nothing you need to do in Simple.

Niall

--- On Mon, 10/1/11, Andrew Barlow <and...@sd...> wrote:
> [...]
From: Bruno H. <br...@di...> - 2011-01-12 12:09:11
Hi,

I think the problem is that configuring the cipher suites is done via the SSLEngine, not via the SSLContext:
http://download.oracle.com/javase/6/docs/api/javax/net/ssl/SSLEngine.html#setEnabledCipherSuites%28java.lang.String[]%29

One would need to be able to get hold of the SSLEngine instance to configure this.

Best wishes,

Bruno.

On 12/01/2011 08:29, Niall Gallagher wrote:
> [...]
From: Fábio M. <fab...@gm...> - 2011-01-12 12:53:33
This also interests me, but it seems that Simple does not give you access to the SSLEngine.

Example:

    ...
    Connection connection = new SocketConnection(container);
    connection.connect(address, sslContext);
    ...

Following the trail of the sslContext we get: org.simpleframework.transport.connect.*

SocketConnection -> ListenerManager -> Listener -> Acceptor

where we have:

    // Acceptor: the SSLEngine is created from the SSLContext passed to connect()
    // and is never exposed to the application
    private void process(SocketChannel channel) throws IOException {
        SSLEngine engine = context.createSSLEngine();

        try {
            process(channel, engine);
        } catch(Exception e) {
            channel.close();
        }
    }

This will then follow on and set the engine in the Socket used.

So, I don't see any easy way to get access to the SSLEngine created to call the setEnabledCipherSuites method.

2011/1/12 Bruno Harbulot <br...@di...>
> [...]
From: Brad M. <br...@br...> - 2011-01-12 20:56:35
Attachments:
SslSimpletonServer.java
Hi Guys,

Attached is some code from the Berry project which might help. And some snippets from the attached source file. Note the SecureProcessor class which is an implementation of Server. I got most of this code from somewhere, can't remember where.

----------------

    protected SocketConnection initHttps( int port ) {
        SSLServerSocketFactory fac = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

        log.info( "initHttps: port: " + port + " sslProtocol: " + sslProtocol + " keystoreAlgorithm:" + keystoreAlgorithm );
        try {
            // keystoreType, keystoreFile, keystorePassword, keystoreAlgorithm and
            // sslProtocol are configured elsewhere in the attached source file
            KeyStore keystore = KeyStore.getInstance( keystoreType );
            keystore.load( new FileInputStream( keystoreFile ), keystorePassword.toCharArray() );
            log.info( "listing aliases defined in keystore" );
            Enumeration<String> aliases = keystore.aliases();
            while( aliases.hasMoreElements() ) {
                String a = aliases.nextElement();
                log.info( " - alias: " + a );
                Certificate cert = keystore.getCertificate( a );
                log.info(" - cert type: " + cert.getType());
                log.info(" - algorithm: " + cert.getPublicKey().getAlgorithm() );
                log.info(" - format: " + cert.getPublicKey().getFormat() );
            }

            KeyManagerFactory kmf = KeyManagerFactory.getInstance( keystoreAlgorithm );
            kmf.init( keystore, keystorePassword.toCharArray() );

            // AnonymousTrustManager is not a JSSE class; see the attached source file
            X509TrustManager trustManager = new AnonymousTrustManager();
            X509TrustManager[] trustManagers = new X509TrustManager[]{trustManager};

            // An SSLContext is an environment for implementing JSSE. It is used to create a ServerSocketFactory
            SSLContext sslc = SSLContext.getInstance( sslProtocol );
            sslc.init( kmf.getKeyManagers(), trustManagers, null );

            ContainerServer processor = new ContainerServer(this, 25);
            // SecureProcessor sits in front of the ContainerServer and supplies the SSLEngine per connection
            org.simpleframework.transport.Server secure = new SecureProcessor(processor, sslc);
            SocketConnection ssl = new SocketConnection(secure);
            InetSocketAddress address = new InetSocketAddress( port );
            ssl.connect( address, sslc );
            // ... (remainder of the method is in the attached file)

------------------------------------------------------

    private static class SecureProcessor implements org.simpleframework.transport.Server {

        private ContainerServer processor;
        private SSLContext context;

        public SecureProcessor( ContainerServer processor, SSLContext context ) {
            this.processor = processor;
            this.context = context;
        }

        public void process( Socket pipeline ) throws IOException {
            final SocketChannel channel = pipeline.getChannel();
            final Map map = new HashMap();
            // Wrap the incoming transport Socket so that the SSLEngine handed on
            // to the ContainerServer is one created here, in application code
            Socket secure = new Socket() {
                private SSLEngine engine;

                public Map getAttributes() {
                    return map;
                }

                public SocketChannel getChannel() {
                    return channel;
                }

                public SSLEngine getEngine() {
                    if( engine == null ) {
                        engine = context.createSSLEngine();
                        // the engine is in hand here, so this is the point at which
                        // setEnabledCipherSuites can be applied
                    }
                    return engine;
                }
            };
            processor.process( secure );
        }

        public void stop() {
        }
    }
}

On 13/01/11 01:50, Fábio Matos wrote:
> [...]
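Putting the thread's answer together as an added example (not code from the Berry project or from Simple): a Server wrapper for Simple 4.1.x that creates the SSLEngine itself, drops the suite families the audit flagged (export-grade, single DES, RC4) together with NULL, anonymous and MD5-MAC suites, and only then hands the socket on. The shapes of org.simpleframework.transport.Server and Socket are assumed from Brad's snippet and Niall's replies; in JSSE naming the three audited suites are SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5 and SSL_RSA_WITH_DES_CBC_SHA.

```java
import java.io.IOException;
import java.nio.channels.SocketChannel;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.simpleframework.transport.Server;
import org.simpleframework.transport.Socket;

/**
 * Added example, not Simple's or Berry's code. Sits between SocketConnection and the
 * ContainerServer (like SecureProcessor above) so that each connection's SSLEngine is
 * created and restricted here before any handshake data is processed.
 * Assumes Simple 4.1.x's Server { process(Socket), stop() } and Socket
 * { getAttributes(), getChannel(), getEngine() } as shown earlier in the thread.
 */
public class CipherRestrictingServer implements Server {

    /* JSSE suite names containing any of these fragments are disabled. The three suites
       from the audit are SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5
       and SSL_RSA_WITH_DES_CBC_SHA; NULL, anonymous and MD5-MAC suites are dropped too.
       "_DES_" does not match "_3DES_", so triple DES stays enabled. */
    private static final Pattern WEAK =
        Pattern.compile("_EXPORT|_DES_|_RC4_|_NULL_|_anon_|_MD5$");

    private final Server delegate;
    private final SSLContext context;

    public CipherRestrictingServer(Server delegate, SSLContext context) {
        this.delegate = delegate;
        this.context = context;
    }

    /** Returns the subset of supported suites that match none of the WEAK fragments. */
    public static String[] selectCipherSuites(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String suite : supported) {
            if (!WEAK.matcher(suite).find()) {
                keep.add(suite);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    public void process(Socket pipeline) throws IOException {
        final SocketChannel channel = pipeline.getChannel();
        final Map map = pipeline.getAttributes();   // raw Map, matching the 4.1 interface
        final SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);
        String[] allowed = selectCipherSuites(engine.getSupportedCipherSuites());
        if (allowed.length == 0) {
            // Fail closed if the filter left nothing, rather than negotiate a default set.
            channel.close();
            throw new IOException("no acceptable cipher suites after filtering");
        }
        // Must be applied before the socket is handed on, i.e. before the handshake starts.
        engine.setEnabledCipherSuites(allowed);
        Socket secure = new Socket() {
            public Map getAttributes() { return map; }
            public SocketChannel getChannel() { return channel; }
            public SSLEngine getEngine() { return engine; }
        };
        delegate.process(secure);
    }

    public void stop() throws IOException {
        delegate.stop();
    }

    /** Stand-alone check against the JVM defaults: no keystore is needed just to list suites. */
    public static void main(String[] args) throws Exception {
        SSLEngine probe = SSLContext.getDefault().createSSLEngine();
        String[] supported = probe.getSupportedCipherSuites();
        String[] enabled = selectCipherSuites(supported);
        System.out.println(supported.length + " supported, " + enabled.length + " kept");
        for (String suite : supported) {
            if (WEAK.matcher(suite).find()) {
                System.out.println("disabled: " + suite);
            }
        }
    }
}
```

Running main shows which of the JVM's supported suites the filter removes; on the live server, confirm with engine.getEnabledCipherSuites() and re-run the scan the audit used, since the suites actually negotiable also depend on the key type in the keystore (an RSA key only serves RSA suites).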
From: Niall G. <gal...@ya...> - 2011-01-13 10:09:59
Hi,

Yes, this is the way you should intercept the connections.

Regards,

Niall

--- On Wed, 12/1/11, Brad McEvoy <br...@br...> wrote:
> [...]
From: Niall G. <gal...@ya...> - 2011-01-13 10:07:12
Hi,

Yes, you do have access to it. Take a look at the org.simpleframework.transport.Server interface. Notice how it accepts the org.simpleframework.transport.Socket. There is a Socket.getEngine method. Here is where you do what you want.

Niall

--- On Wed, 12/1/11, Fábio Matos <fab...@gm...> wrote:
> [...]
> Understand > malware threats, the impact they can have on your business, > and how you > can protect your company and customers by using code > signing. > http://p.sf.net/sfu/oracle-sfdevnl > _______________________________________________ > Simpleweb-Support mailing list > Sim...@li... > https://lists.sourceforge.net/lists/listinfo/simpleweb-support > |
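The approach Niall points at above, written out as an added example (editor's code, not from the thread or from the Simple project): a decorator that implements org.simpleframework.transport.Server, pulls the per-connection SSLEngine out of Socket.getEngine(), drops the suites the audit flagged (and their relatives) with setEnabledCipherSuites, then hands the Socket on to the real ContainerServer. It assumes the Simple 4.1.x API as described in the thread (Server.process(Socket), Server.stop(), Socket.getEngine(), Socket.getChannel(), ContainerServer, SocketConnection(Server), Connection.connect(SocketAddress, SSLContext)) and assumes, as Fábio's trace of Acceptor suggests, that the engine has not begun its handshake when Server.process is called. The class name, the keystore path and the password are placeholders; the JSSE suite names in the comments are the Java 6-era equivalents of the OpenSSL names in the audit.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

import org.simpleframework.http.Request;
import org.simpleframework.http.Response;
import org.simpleframework.http.core.Container;
import org.simpleframework.http.core.ContainerServer;
import org.simpleframework.transport.Server;
import org.simpleframework.transport.Socket;
import org.simpleframework.transport.connect.Connection;
import org.simpleframework.transport.connect.SocketConnection;

/**
 * Server decorator (hypothetical name). Every accepted Socket passes through
 * process() before the wrapped server starts the TLS handshake, so this is the
 * one place where the per-connection SSLEngine can be restricted.
 */
public class CipherRestrictingServer implements Server {

   // JSSE suite-name fragments that disqualify a suite: export grade
   // (512-bit RSA, 40-bit keys), single DES ("3DES_EDE" does not match),
   // RC4, MD5 MACs, NULL encryption and anonymous key exchange.
   // The audited EXP-DES-CBC-SHA, EXP-RC4-MD5 and DES-CBC-SHA appear in
   // JSSE as SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5
   // and SSL_RSA_WITH_DES_CBC_SHA, all caught by this pattern.
   private static final Pattern WEAK =
      Pattern.compile("_EXPORT_|_WITH_DES_|_RC4_|_MD5$|_NULL_|_anon_");

   private final Server delegate;

   public CipherRestrictingServer(Server delegate) {
      this.delegate = delegate;
   }

   public void process(Socket socket) throws IOException {
      SSLEngine engine = socket.getEngine(); // null for a plain HTTP connection

      if (engine != null) {
         String[] strong = filter(engine.getSupportedCipherSuites());

         if (strong.length == 0) {
            socket.getChannel().close(); // fail closed; never fall back to JSSE defaults
            return;
         }
         engine.setEnabledCipherSuites(strong); // must be done per engine, i.e. per connection
      }
      delegate.process(socket);
   }

   public void stop() throws IOException {
      delegate.stop();
   }

   /** Returns every suite that does not match the WEAK pattern. */
   static String[] filter(String[] suites) {
      List<String> keep = new ArrayList<String>();

      for (String suite : suites) {
         if (!WEAK.matcher(suite).find()) {
            keep.add(suite);
         }
      }
      return keep.toArray(new String[keep.size()]);
   }

   // Wiring; "server.jks" and "changeit" are placeholders, not real values.
   public static void main(String[] args) throws Exception {
      KeyStore store = KeyStore.getInstance("JKS");
      FileInputStream in = new FileInputStream("server.jks");
      try {
         store.load(in, "changeit".toCharArray());
      } finally {
         in.close();
      }
      KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
      factory.init(store, "changeit".toCharArray());

      SSLContext context = SSLContext.getInstance("TLS");
      context.init(factory.getKeyManagers(), null, null);

      Container container = new Container() {
         public void handle(Request request, Response response) {
            try {
               PrintStream body = response.getPrintStream();
               response.set("Content-Type", "text/plain");
               body.println("negotiated over a filtered cipher suite list");
               body.close();
            } catch (IOException e) {
               e.printStackTrace();
            }
         }
      };

      // The decorator sits between Simple's transport and the real ContainerServer.
      Server server = new CipherRestrictingServer(new ContainerServer(container));
      Connection connection = new SocketConnection(server);

      connection.connect(new InetSocketAddress(8443), context);
   }
}
```

Two points worth checking before closing the audit finding. First, the pattern above is a denylist and deliberately leaves 3DES (112-bit effective) enabled, which clears the audit's 56-bit threshold but is weaker than an explicit allowlist of AES suites such as TLS_RSA_WITH_AES_128_CBC_SHA; if the policy permits, replace filter() with a fixed allowlist intersected with getSupportedCipherSuites(). Second, verify from the outside rather than trusting the code: `openssl s_client -connect host:8443 -cipher EXP-RC4-MD5` (and likewise for EXP-DES-CBC-SHA and DES-CBC-SHA) should now fail the handshake, while a connection with no -cipher restriction should still succeed and report a non-export suite.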