hc-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 36645] New: - Document how to limit available enabled ciphers AuthSSLProtocolSocketFactory and StrictSSLProtocolSocketFactory
Date Tue, 13 Sep 2005 19:20:47 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=36645>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=36645

           Summary: Document how to limit available enabled ciphers
                    AuthSSLProtocolSocketFactory and
                    StrictSSLProtocolSocketFactory
           Product: HttpClient
           Version: Nightly Builds
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Commons HttpClient
        AssignedTo: httpclient-dev@jakarta.apache.org
        ReportedBy: hauser@acm.org


Another Man-in-the-Middle attack is to alter the cipherlists exchanged during
the SSL handshake. Often servers are not properly configured and due to lack of
"Secure By Default" (Bug 35765) weak 40 bit export ciphers or even null-ciphers
can be forced upon the participants without them really noticing.
Sure, this should primarily be in the server's responsibility, but since we
often cannot control what server admins are doing, the prudent thing to do to
protect your own https connections is to ensure that at least the client under
your control watches out for this.

I have built my own implementation extending javax.net.ssl.SSLSocketFactory that
lets me control the String[] enabledCipherSuites of each socket created.

However, I don't really see how I could bring that to fruition without foregoing
or duplicating all the virtues of AuthSSLProtocolSocketFactory and
StrictSSLProtocolSocketFactory. If this is possible, please document it; otherwise
I suggest enhancing the class in order to be able to do so.

Just FYI, take my favourite paypal.com - a quick analysis with the tool in
http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1162 reveals that they
for example are susceptible to that attack:
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 supported
SSL_CK_DES_64_CBC_WITH_MD5 supported
SSL_CK_IDEA_128_CBC_WITH_MD5 supported
SSL_CK_RC2_CBC_128_CBC_EXPORT40_WITH_MD5 supported
SSL_CK_RC2_CBC_128_CBC_WITH_MD5 supported
SSL_CK_RC4_128_EXPORT40_WITH_MD5 supported
SSL_CK_RC4_128_WITH_MD5 supported
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA supported
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA supported
SSL_DHE_RSA_WITH_DES_CBC_SHA supported
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA supported
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 supported
SSL_RSA_EXPORT_WITH_RC4_40_MD5 supported
SSL_RSA_WITH_3DES_EDE_CBC_SHA supported
SSL_RSA_WITH_DES_CBC_SHA supported
SSL_RSA_WITH_IDEA_CBC_SHA supported
SSL_RSA_WITH_RC4_128_MD5 supported
SSL_RSA_WITH_RC4_128_SHA supported
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA supported
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA supported
TLS_DHE_RSA_WITH_AES_128_CBC_SHA supported
TLS_DHE_RSA_WITH_AES_256_CBC_SHA supported
TLS_DHE_RSA_WITH_DES_CBC_SHA supported
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA supported
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA supported
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA supported
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 supported
TLS_RSA_EXPORT_WITH_RC4_40_MD5 supported
TLS_RSA_WITH_3DES_EDE_CBC_SHA supported
TLS_RSA_WITH_AES_128_CBC_SHA supported
TLS_RSA_WITH_AES_256_CBC_SHA supported
TLS_RSA_WITH_DES_CBC_SHA supported
TLS_RSA_WITH_IDEA_CBC_SHA supported
TLS_RSA_WITH_RC4_128_MD5 supported

see also Bug 19218 (perhaps this idea might have some merit after all)

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org

