tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <mgai...@hotmail.com>
Subject RE: Restricting ciphers
Date Fri, 11 Jan 2013 03:35:05 GMT

its a simple question what does ciphers parameter in Connector have anything to do with the
supported ciphers from the key itself the 2 are disconnected
please dont waste my time and anyone elses with insults when you are unable to answer this
simple question
Martin Gainty 
___________________________________________ When Free Speech and Discovery are replaced by
Confusion and Obfuscation its time to move > Date: Thu, 10 Jan 2013 18:25:02 -0500
> From: chris@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Restricting ciphers
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Martin,
> 
> Honestly, I'm not sure why I'm feeding the troll at this point. Maybe
> I'm trying to atone for some horrible crime I can't remember.
> 
> On 1/10/13 10:05 AM, Martin Gainty wrote:
> > terminology :
> 
> Nobody was arguing about terminology. Next time, just refer to
> Wikipedia like everyone else.
> 
> > All you don't know is whether those certificate & private key are
> > RSA or DSA algorithms
> 
> It doesn't matter: you can use RSA (like everyone does) or DSA and
> that will only determine the type of key you have. The cipher can (and
> will, since SSL/TLS encryption is symmetric and not PK) use a
> different algorithm for encryption.
> 
> > you see if it's an RSA or DSA key (along with the key size).
> 
> Again, key size is only relevant for people who think that bigger is
> better. You can create a 16k key and it won't be much more secure than
> an 8k key. Stronger crypto, yes, but nobody tries to guess SSL keys:
> they use compression (e.g. CRIME) and other nasty tricks so they don't
> have to do the hard work of key-cracking.
> 
> > cipherGroup is categorised by keysize within cipher-groups (usually
> > a 4digit number which is a power  of 2 e.g. 1024 and 2048)
> 
> Sorry, ciphers and keys are not interchangeable: keys usually have 1k,
> 2k, 4k, etc. bits in them while symmetric ciphers usually max out at
> 256-bit key sizes. Try running some of the commands you are grabbing
> off the web to see what I'm talking about.
> 
> I've never heard the term "cipherGroup".
> 
> > ECB, CBC and PCBC are the usual choices for the optional 
> > ModeOfOperation parameter Determining the ALGO-CIPHER supported by 
> > your key so we can see that public keys contain a algorithm-cipher 
> > combination but how to determine the algo-cipher supported by your 
> > key:
> 
> Sorry, your key can support (essentially) arbitrary ciphers. Your key
> type has no bearing on whether or not ECB, CBC, etc. can be used.
> 
> > keytool -list -v -keystore fubar.pfx -storetype PKCS12 Here is
> > output: Certificate fingerprints: MD5:           SHA1:
> > Signature algorithm name: SHA1withRSA Providers (SUN, SunJCE,
> > SunJSSE,SunRsaSign, IBMJSSE, bcprov-jdkNN-MMM) Lets stick with
> > SunJSSE as our provider supported ciphers will be those ciphers
> > which match SHA1 with RSA from this list:
> 
> Wrong again: the signature algorithm used to fingerprint your own key
> has no bearing on the message digests usable for your ciphers.
> 
> > so what you are asking Tomcat Connector to do is
> > 
> > 1)export contents of supplied keystoreFile key of keystoreType 
> > PKCS12
> > 
> > 2)determine Signature algorithm name
> > 
> > 3)aggregate cipherSuite by determining Signature specific
> > supported ciphers from Signature algorithm name from 
> > http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
> >
> >
> > 
> 4)reference ciphers attribute from Tomcat <Connector
> > 
> > 5)determine SignatureSpecificSupportedCiphers from 3) and
> > implement ONLY those ciphers which match exactly to the ciphers
> > listed in Tomcat Connector 5)
> 
> None of the previous 5 items is accurate.
> 
> > (i have not seen this currently implemented)
> 
> That's because Tomcat does something else. Actually, JSSE does all the
> heavy-lifting: Tomcat just configures the TrustStore and a few other
> things and then lets JSSE take over. Or OpenSSL if you're using
> APR/native.
> 
> Now, if you've had enough, kindly stop confusing people.
> 
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with undefined - http://www.enigmail.net/
> 
> iEYEAREIAAYFAlDvTc4ACgkQ9CaO5/Lv0PC70gCgqL83yS3LxAqhS+eAFi1StwPU
> J5kAoMPWqUx/qnoB8gBla4gkRSWbpswO
> =W6U2
> -----END PGP SIGNATURE-----
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
 		 	   		  
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message