tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Restricting ciphers
Date Thu, 10 Jan 2013 23:25:02 GMT

Honestly, I'm not sure why I'm feeding the troll at this point. Maybe
I'm trying to atone for some horrible crime I can't remember.

On 1/10/13 10:05 AM, Martin Gainty wrote:
> terminology :

Nobody was arguing about terminology. Next time, just refer to
Wikipedia like everyone else.

> All you don't know is whether those certificate & private key are
> RSA or DSA algorithms

It doesn't matter: you can use RSA (like everyone does) or DSA and
that will only determine the type of key you have. The cipher can (and
will, since SSL/TLS encryption is symmetric and not PK) use a
different algorithm for encryption.

> you see if it's an RSA or DSA key (along with the key size).

Again, key size is only relevant for people who think that bigger is
better. You can create a 16k key and it won't be much more secure than
an 8k key. Stronger crypto, yes, but nobody tries to guess SSL keys:
they use compression (e.g. CRIME) and other nasty tricks so they don't
have to do the hard work of key-cracking.

> cipherGroup is categorised by keysize within cipher-groups (usually
> a 4-digit number which is a power of 2 e.g. 1024 and 2048)

Sorry, ciphers and keys are not interchangeable: keys usually have 1k,
2k, 4k, etc. bits in them while symmetric ciphers usually max out at
256-bit key sizes. Try running some of the commands you are grabbing
off the web to see what I'm talking about.

I've never heard the term "cipherGroup".

> ECB, CBC and PCBC are the usual choices for the optional
> ModeOfOperation parameter Determining the ALGO-CIPHER supported by
> your key so we can see that public keys contain an algorithm-cipher
> combination but how to determine the algo-cipher supported by your
> key:

Sorry, your key can support (essentially) arbitrary ciphers. Your key
type has no bearing on whether or not ECB, CBC, etc. can be used.

> keytool -list -v -keystore fubar.pfx -storetype PKCS12 Here is
> output: Certificate fingerprints: MD5:           SHA1:
> Signature algorithm name: SHA1withRSA Providers (SUN, SunJCE,
> SunJSSE, SunRsaSign, IBMJSSE, bcprov-jdkNN-MMM) Let's stick with
> SunJSSE as our provider supported ciphers will be those ciphers
> which match SHA1 with RSA from this list:

Wrong again: the signature algorithm used to fingerprint your own key
has no bearing on the message digests usable for your ciphers.

> so what you are asking Tomcat Connector to do is
> 1)export contents of supplied keystoreFile key of keystoreType 
> PKCS12
> 2)determine Signature algorithm name
> 3)aggregate cipherSuite by determining Signature specific
> supported ciphers from Signature algorithm name from 
> 4)reference ciphers attribute from Tomcat <Connector
> 5)determine SignatureSpecificSupportedCiphers from 3) and
> implement ONLY those ciphers which match exactly to the ciphers
> listed in Tomcat Connector 5)

None of the previous 5 items is accurate.

> (I have not seen this currently implemented)

That's because Tomcat does something else. Actually, JSSE does all the
heavy-lifting: Tomcat just configures the TrustStore and a few other
things and then lets JSSE take over. Or OpenSSL if you're using

Now, if you've had enough, kindly stop confusing people.

-chris
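
Added example, not part of the original message and not Tomcat or JSSE code: the sketch below splits cipher-suite names into their independent parts to show that the certificate key type (RSA, DSS, ECDSA) only fixes the authentication component, while the symmetric cipher and digest vary freely and symmetric key sizes stop at 256 bits. The suite list is a constructed sample of standard IANA/JSSE-style names, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of IANA/JSSE-style suite names (not taken from the thread).
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]

SUITE_RE = re.compile(r"(?:TLS|SSL)_(.+)_WITH_(.+)_([A-Z0-9]+)")

def parse_suite(name):
    """Split <proto>_<kx>[_<auth>]_WITH_<cipher>_<digest> into its parts."""
    m = SUITE_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    handshake, cipher, digest = m.groups()
    kx, _, auth = handshake.partition("_")
    auth = auth or kx  # plain "RSA": the server key does key transport too
    # Symmetric key length is part of the cipher token; 3DES carries none,
    # so its nominal 168-bit key size is filled in from a small table.
    size = re.search(r"_(\d+)(?:_|$)", "_" + cipher)
    bits = int(size.group(1)) if size else {"3DES_EDE_CBC": 168}.get(cipher)
    return {"kx": kx, "auth": auth, "cipher": cipher, "digest": digest, "bits": bits}

def ciphers_by_auth(suites):
    """Map certificate key type -> symmetric ciphers it can be paired with."""
    groups = defaultdict(set)
    for name in suites:
        parts = parse_suite(name)
        groups[parts["auth"]].add(parts["cipher"])
    return {auth: sorted(ciphers) for auth, ciphers in groups.items()}

def max_symmetric_bits(suites):
    """Largest symmetric key size in the list, ignoring unknown sizes."""
    return max(b for b in (parse_suite(s)["bits"] for s in suites) if b)

if __name__ == "__main__":
    for auth, ciphers in ciphers_by_auth(SAMPLE_SUITES).items():
        print(f"{auth:6} key -> {', '.join(ciphers)}")
    print("largest symmetric key:", max_symmetric_bits(SAMPLE_SUITES), "bits")
```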

