directory-dev mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: [Studio] apacheDS 2.0 config plugin
Date Thu, 22 Jan 2015 10:08:25 GMT
On 22/01/15 00:07, Kiran Ayyagari wrote:
> On Thu, Jan 22, 2015 at 6:45 AM, Emmanuel Lécharny <elecharny@gmail.com>
> wrote:
>
>> Some update :
>>
>> I have now set a list of existing and supported ciphers for the user to
>> select. It looks like this :
>>
>>  .--------------------------------.
>>  |V SSL Advanced Settings         |
>>  +--------------------------------+
>>  |  [X] Require Client Auth       |
>>  |    [X] Request Client Auth     |
>>  |  Ciphers suite :               |
>>  |   +--------------------------+ |
>>  |   |[X] xyz                   | |
>>  |   |[X] abc                   | |
>>  |   |[X] def                   | |
>>  |   +--------------------------+ |
>>  | Enabled protocols :            |
>>  | [X] SSLv3  [X] TLSv1           |
>>  |        [X] TLSv1.1 [X] TLSv1.2 |
>>  +--------------------------------+
>>
>> You can select one or more ciphers, all of them are selected by default.
>> The selection is done based on the underlying JAVA version used on the
>> server, so I have to add a checkbox to select either Java 7 or Java 8.
>>
> this setting can quickly become stale, especially at the pace Java
> versions are EOLed
>
> Instead I suggest we provide a textbox (in the advanced options) to let the
> user key in
> the desired cipher if none is needed beside the default ciphers.

Ok, let's face reality here :

    do you really want users to type things like
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ?

When using SSL, the security provider to use is JSSE, which comes with a
list of supported ciphers, which are either enabled or disabled. This is
quite a long list, and there is no means to add some cipher from this
list, because they won't be supported anyway.

The issue is what list of ciphers will Java 9 support? We don't know
yet. But adding support for those ciphers is just a matter of adding
them to the SupportedCipher enum, and adding a new JavaVersion in the combo
I'm currently adding in this tab.
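
Added example, not part of the original message and not ApacheDS or Studio code: the supported/enabled distinction described above can be read from JSSE at runtime, and a configured cipher list checked against it. The class name `CipherSuiteCheck`, the helper `unsupported` and the sample list are hypothetical, and the result only describes the JVM that runs it, so it is assumed to run on the server's Java installation.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class CipherSuiteCheck {

    /** Returns the requested suites that the given supported set does not contain. */
    static List<String> unsupported(List<String> requested, Set<String> supported) {
        List<String> rejected = new ArrayList<>();
        for (String suite : requested) {
            if (!supported.contains(suite)) {
                rejected.add(suite);
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "Supported" is everything this JSSE provider implements;
        // "default" is the subset it enables when nothing is configured.
        SSLParameters all = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(all.getCipherSuites()));
        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(defaults.getCipherSuites()));

        System.out.println("Java " + System.getProperty("java.version"));
        System.out.println("Protocols supported: " + Arrays.toString(all.getProtocols()));
        System.out.println("Protocols enabled:   " + Arrays.toString(defaults.getProtocols()));
        for (String suite : supported) {
            System.out.println((enabled.contains(suite) ? "[X] " : "[ ] ") + suite);
        }

        // Constructed sample of a configured list: the suite named in the
        // thread plus a deliberately bogus name.
        List<String> configured = Arrays.asList(
                "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
                "TLS_NOT_A_REAL_SUITE");
        // Report unknown names before they reach setEnabledCipherSuites(),
        // which throws IllegalArgumentException for an unsupported suite.
        for (String suite : unsupported(configured, supported)) {
            System.out.println("Not supported by this JVM: " + suite);
        }
    }
}
```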

