Mantis Bugtracker

Viewing Issue Simple Details

ID: 0003431
Category: [Resin]
Severity: minor
Reproducibility: always
Date Submitted: 04-02-09 06:35
Last Update: 08-12-09 18:31
Reporter: vbavin
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Status: closed
Product Version: 3.1.8
Summary: 0003431: reopen?: 0002360: jsse cipher-suites
Description: I'm currently using JSSE vs. OpenSSL for my SSL configuration. I now
need to restrict the ciphers so that use of the weaker ciphers is not
allowed; for instance, anything < 128-bit.

The JSSE documentation says that the following system property can be
used to set the enabled ciphers, assuming that they are supported.
Setting this property seems to have no impact on the ciphers being used
by Resin, however.

<system-property
https.cipherSuites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"/>

and

jsse-ssl/cipher-suites TLS_RSA_WITH_AES_128_CBC_SHA does not work either.

- Notes
(0003981)
ferg
05-06-09 09:37

We're using Resin Pro 3.1.6 and trying to limit the cipher suites for
JSSE. I couldn't find the documentation, but through trial and error I was
able to discover that the http stanza allows this syntax for setting ciphers...

<host port="443" host="some.host">
 <jsse-ssl>
  <cipher-suites>SSL_RSA_WITH_RC4_128_MD5,[more]</cipher-suites>
  <key-store-type>...
  <key-store-file>...
  <password>...
 </jsse-ssl>
</host>

But running THCSSLCheck didn't show any change to the ciphers.

I dove down into com.caucho.vfs.JsseSSLFactory and had to make the
following changes...

1) in the public QServerSocket create(InetAddress host, int port)
method, there is a check for _cipherSuites != null. That if stmt
includes the following line:
sslContext.createSSLEngine().setEnabledCipherSuites(_cipherSuites);
While this appears to do what I need, it doesn't appear to really affect
anything. I'm not sure where the new SSLEngine is used. The
SSLServerSocketFactory is established in the same if block, but nothing
new is set there.

2) there is some commented code below that method that looks like it was
setting protocols - pretty close to ciphers. I added the following just
before the return stmt:
sslServerSocket.setEnabledCipherSuites( _cipherSuites );
And now I see a difference with THCSSLCheck.

Scott, I haven't looked any further than JsseSSLFactory and Port, so I
don't know if this was supposed to be handled somewhere else. And I'm
not sure if this is still an issue with 3.1.9, or the 3.2/4 code. I
think we're in the minority running JSSE, but it works well enough for us.

We upgraded to 3.1.6 because this was reported as fixed on this version,
but obviously this isn't. Maybe there might be confusion with the
https.cipherSuites system property/java-args usage versus the socket
cipher suites - which would be my bad for not asking for the right
thing. If I understand the https.cipherSuites properly (now), that is
when you run as a client versus the server. To set server ciphers you
need to interact with the API directly - like the SSLServerSocketFactory
does.

This may be why 3431 was opened.

Is this a reasonable fix if we were to run 3.1.6mine? Has this been
fixed in newer revisions? Are there others running JSSE with an interest
in limiting the cipher suites and possibly the protocols?
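An added illustration of the difference this note describes (example code written for this page, not Resin's JsseSSLFactory): configuring a throwaway SSLEngine created from the context leaves the SSLServerSocket's enabled suites untouched, whereas calling setEnabledCipherSuites on the server socket itself is what a scanner such as THCSSLCheck would observe. The name-based allow-list filter is an assumption standing in for an explicit <cipher-suites> value.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherSuiteRestriction {
    // Constructed allow-list policy standing in for an explicit <cipher-suites>
    // value: keep only AES suites and drop what the reporter wanted excluded
    // (RC4, DES/3DES, export-grade, NULL and anonymous suites).
    static String[] allowedFrom(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String s : supported) {
            boolean weak = s.contains("NULL") || s.contains("anon") || s.contains("RC4")
                    || s.contains("DES") || s.contains("EXPORT");
            if (!weak && s.contains("AES")) {
                keep.add(s);
            }
        }
        return keep.toArray(new String[0]);
    }

    // The ineffective path described in the note: the engine is configured and
    // discarded, so the server socket still carries the factory's defaults.
    static SSLServerSocket openWithoutRestriction(SSLContext ctx) throws Exception {
        SSLServerSocketFactory f = ctx.getServerSocketFactory();
        ctx.createSSLEngine().setEnabledCipherSuites(allowedFrom(f.getSupportedCipherSuites()));
        return (SSLServerSocket) f.createServerSocket(0); // port 0: ephemeral, inspection only
    }

    // The fix from the note: restrict the suites on the SSLServerSocket itself.
    static SSLServerSocket openWithRestriction(SSLContext ctx) throws Exception {
        SSLServerSocketFactory f = ctx.getServerSocketFactory();
        SSLServerSocket s = (SSLServerSocket) f.createServerSocket(0);
        s.setEnabledCipherSuites(allowedFrom(s.getSupportedCipherSuites()));
        return s;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault(); // no key material needed just to read suite lists
        try (SSLServerSocket before = openWithoutRestriction(ctx);
             SSLServerSocket after = openWithRestriction(ctx)) {
            System.out.println("engine-only config, enabled on socket: " + before.getEnabledCipherSuites().length);
            System.out.println("socket config, enabled on socket:      " + after.getEnabledCipherSuites().length);
            System.out.println(Arrays.toString(after.getEnabledCipherSuites()));
        }
    }
}
```

The first count matches the JDK default list because the engine's configuration never reaches the socket; only the second call actually narrows what the server will negotiate.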
(0004086)
stbu
06-22-09 12:52

Would it be possible that the issue with weak ciphers in JSSE-SSL configuration could be fixed with Resin 3.1.10?

- Issue History
Date Modified Username Field Change
04-02-09 06:35 vbavin New Issue
04-02-09 06:35 vbavin Issue Monitored: vbavin
05-06-09 09:37 ferg Note Added: 0003981
05-06-09 10:40 stbu Issue Monitored: stbu
05-07-09 16:16 jay Issue Monitored: jay
06-22-09 12:52 stbu Note Added: 0004086
08-12-09 18:31 ferg Assigned To  => ferg
08-12-09 18:31 ferg Status new => closed
08-12-09 18:31 ferg Resolution open => fixed
08-12-09 18:31 ferg Fixed in Version  => 4.0.2