directory-users mailing list archives

From Jason Pell <ja...@pellcorp.com>
Subject Re: TLS Support
Date Tue, 09 Sep 2014 21:29:33 GMT
Or just copy the US policy file to the local one. It's already included in
the JVM (at least on Linux).
On 10/09/2014 12:47 AM, "Emmanuel Lécharny" <elecharny@gmail.com> wrote:

>
> You may need to install the JCE unlimited strength jurisdiction policy
> file from
>
> http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
> in order to have Java support AES 256.
>
>
> Le 09/09/14 15:53, Victor Medina a écrit :
> > root@ldap001:/home/administrador# openssl s_client -connect localhost:10636
> > CONNECTED(00000003)
> > depth=0 C = US, O = ASF, OU = Directory, CN = ldap001.test.local
> > verify error:num=20:unable to get local issuer certificate
> > verify return:1
> > depth=0 C = US, O = ASF, OU = Directory, CN = ldap001.test.local
> > verify error:num=27:certificate not trusted
> > verify return:1
> > depth=0 C = US, O = ASF, OU = Directory, CN = ldap001.test.local
> > verify error:num=21:unable to verify the first certificate
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/C=US/O=ASF/OU=Directory/CN=ldap001.test.local
> >    i:/C=US/O=ASF/OU=Directory/CN=ApacheDS
> > ---
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> > MIIBfTCCAScCBgFIVuerVjANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEM
> > MAoGA1UEChMDQVNGMRIwEAYDVQQLEwlEaXJlY3RvcnkxETAPBgNVBAMTCEFwYWNo
> > ZURTMB4XDTE0MDkwODIwMTQ1NloXDTE1MDkwODIwMTQ1NlowTDELMAkGA1UEBhMC
> > VVMxDDAKBgNVBAoTA0FTRjESMBAGA1UECxMJRGlyZWN0b3J5MRswGQYDVQQDExJs
> > ZGFwMDAxLnRlc3QubG9jYWwwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApzet+vAT
> > GSioE1Gqf6CDdHlZYu/wQjS0Go/43LCZxfZ48W6jnn4Kl1ZAkCLlZF1mTKD1bZpn
> > dtlJmnJw8v3X4wIDAQABMA0GCSqGSIb3DQEBBQUAA0EAEZKUIUbQ7SxqO2GrFCwK
> > AUqQUu1L3TiSo8anFIx9ADG+H0Ac8x+s4hTIljddPYdE0sC12+z+y58a6eNdL5fO
> > OA==
> > -----END CERTIFICATE-----
> > subject=/C=US/O=ASF/OU=Directory/CN=ldap001.test.local
> > issuer=/C=US/O=ASF/OU=Directory/CN=ApacheDS
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 837 bytes and written 567 bytes
> > ---
> > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> > Server public key is 512 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES256-SHA384
> >     Session-ID:
> > 540F05BAF680AD3AF54796DA292A8EDCCADDE28677AE541EA4772A81DBA04B08
> >     Session-ID-ctx:
> >     Master-Key: 981A10E4F208E3F003B91C9F5E67230DCB64A50876E680F0A04FD597622B6011820083B6F7F0D7A64D8FC69CFEFC3205
> >     Key-Arg   : None
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     Start Time: 1410270650
> >     Timeout   : 300 (sec)
> >     Verify return code: 21 (unable to verify the first certificate)
> > ---
> >
> > It seems very strong to me, I was looking to see if it supported GCM, which
> > seems faster.
> >
> > 2014-09-09 9:10 GMT-04:30 Victor Medina <victor.medina@cibersys.com>:
> >
> >> so...
> >>
> >> where can I find a list of valid values for TLS Cipher suite?
> >> ads-enabledCipherSuites
> >>
> >> 2014-09-09 8:58 GMT-04:30 Emmanuel Lécharny <elecharny@gmail.com>:
> >>
> >> Le 09/09/14 14:05, Kiran Ayyagari a écrit :
> >>>> On Tue, Sep 9, 2014 at 5:35 PM, Victor Medina <victor.medina@cibersys.com>
> >>>> wrote:
> >>>>
> >>>>> But I believe it uses bouncy castle right?
> >>>>>
> >>>>> yes
> >>> Not anymore for that purpose. We only use the X509 utility classes from
> >>> BC. Everything else is handled by the default Java security classes.
> >>>
> >>>
> >>
> >> --
> >>
> >> Víctor E. Medina M.
> >> Software
> >> +58424 291 4561
> >> BB #79A8AFA2 /@VMCibersys
> >>
> >>
> >
>
>
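
Two questions in the quoted thread belong together: whether the JVM is actually permitted to use AES-256 (Emmanuel's and Jason's point about the JCE unlimited-strength policy files) and where the valid names for ads-enabledCipherSuites come from (Victor's question). The Java class below is an added example, not code from this thread or from ApacheDS. It assumes a Java 7/8 layout where the policy jars live in ${java.home}/lib/security, and it assumes the server hands the configured suite names straight to the JSSE SSLEngine, so the names the JSSE provider reports are the valid spellings. The class name TlsCapabilityCheck and its helper methods are hypothetical.

```java
import java.io.File;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * Hypothetical helper (added example, not ApacheDS code): reports whether this JVM
 * may use AES-256 and which TLS cipher-suite names its JSSE provider recognises.
 */
public class TlsCapabilityCheck {

    /** Directory holding local_policy.jar / US_export_policy.jar on Java 7 and 8 (assumed layout). */
    static File policyDir() {
        return new File(System.getProperty("java.home"), "lib" + File.separator + "security");
    }

    /**
     * True when the JCE jurisdiction policy permits full-strength AES. Under the old
     * "limited" policy getMaxAllowedKeyLength("AES") returns 128 and every *_AES_256_*
     * suite is unusable even though its name is still recognised by JSSE.
     */
    static boolean aes256Allowed() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Suite names the default SSLContext can negotiate, in JSSE (IANA-style) spelling. */
    static List<String> supportedSuites() throws NoSuchAlgorithmException {
        return Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites());
    }

    /** Keep only suites whose name contains every fragment, e.g. "AES_256" and "GCM". */
    static List<String> matching(List<String> suites, String... fragments) {
        List<String> out = new ArrayList<String>();
        for (String suite : suites) {
            boolean ok = true;
            for (String f : fragments) {
                if (!suite.contains(f)) { ok = false; break; }
            }
            if (ok) out.add(suite);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        File dir = policyDir();
        System.out.println("policy dir           : " + dir);
        System.out.println("local_policy.jar     : " + new File(dir, "local_policy.jar").exists());
        System.out.println("US_export_policy.jar : " + new File(dir, "US_export_policy.jar").exists());
        System.out.println("AES max key length   : " + Cipher.getMaxAllowedKeyLength("AES")
                + (aes256Allowed() ? " (unlimited policy in effect)"
                                   : " (limited policy: AES-256 suites will not work)"));

        List<String> suites = supportedSuites();
        System.out.println("ECDHE AES-256 suites this JVM knows (valid spellings for an enabled-suite list):");
        for (String s : matching(suites, "ECDHE", "AES_256")) {
            System.out.println("  " + s);
        }
        System.out.println("AES-256 GCM suites present: " + !matching(suites, "AES_256", "GCM").isEmpty());
    }
}
```

Compile and run it with the same JVM that runs ApacheDS (`javac TlsCapabilityCheck.java && java TlsCapabilityCheck`), since the policy files and the suite list are per-installation. Two things the output makes visible: the JSSE names (for example TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) are spelled differently from the OpenSSL names that s_client prints (ECDHE-RSA-AES256-SHA384), so the openssl output cannot be pasted into the attribute verbatim, and the GCM suites Victor was looking for only appear on Java 8 or newer, Java 7's JSSE does not offer them. The policy-file step applies to Java 7 and 8 only; from Java 9 on (and Java 8u161 and later) the unlimited policy is the default. Separately, the quoted s_client output reports "Server public key is 512 bit": no cipher-suite choice compensates for a server key that small, so the certificate's key size is the first thing to fix on that server.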
