tomcat-users mailing list archives

From Aurélien Terrestris <aterrest...@gmail.com>
Subject Re: Tomcat 7 / Java 7 with TLS 1.2 algorithms
Date Fri, 23 Aug 2013 09:51:09 GMT
It seems incorrect to me because RFC 5246 in "1.2 Major Differences
from TLS 1.1" says this :

..
"All cipher suites in this document use P_SHA256."
..
"Added HMAC-SHA256 cipher suites"

I can't read anywhere that SHA384 and others "SHOULD" or "MUST" be implemented.

Other RFCs updating this 5246 (5746, 5878, 6176 and Errata) don't talk
about this either.


However, in 5246 "5. HMAC and the Pseudorandom Function" we can read :

"In this section, we define one PRF, based on HMAC. This PRF with the
   SHA-256 hash function is used for all cipher suites defined in this
   document and in TLS documents published prior to this document when
   TLS 1.2 is negotiated.  New cipher suites MUST explicitly specify a
   PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a
   stronger standard hash function.
"

This allows future usage of SHA384 and others, if defined correctly.


regards
A.T.
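The PRF that the quoted section 5 of RFC 5246 defines, written out as an added example (this is not code from anyone in this thread). It builds P_hash from HMAC exactly as the RFC describes, then derives a master secret from it; the class name, the hash parameter, and the input bytes are all constructed for illustration, and the point is that changing the suite's PRF hash only swaps the HMAC algorithm, the expansion itself is unchanged.

```java
import java.nio.charset.Charset;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical class: the TLS 1.2 PRF of RFC 5246 section 5, parameterised by the HMAC hash. */
public class Tls12Prf {

    /**
     * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + ...
     * with A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)); output is truncated to outLen bytes.
     */
    static byte[] pHash(String hmacAlg, byte[] secret, byte[] seed, int outLen) throws Exception {
        Mac mac = Mac.getInstance(hmacAlg);
        mac.init(new SecretKeySpec(secret, hmacAlg));
        byte[] out = new byte[outLen];
        byte[] a = seed;                        // A(0) = seed
        int pos = 0;
        while (pos < outLen) {
            a = mac.doFinal(a);                 // A(i) = HMAC(secret, A(i-1)); doFinal resets the Mac
            mac.update(a);
            byte[] block = mac.doFinal(seed);   // HMAC(secret, A(i) + seed)
            int n = Math.min(block.length, outLen - pos);
            System.arraycopy(block, 0, out, pos, n);
            pos += n;
        }
        return out;
    }

    /** PRF(secret, label, seed) = P_hash(secret, label + seed); the label is ASCII without a terminator. */
    static byte[] prf(String hmacAlg, byte[] secret, String label, byte[] seed, int outLen) throws Exception {
        byte[] labelBytes = label.getBytes(Charset.forName("US-ASCII"));
        byte[] labelAndSeed = new byte[labelBytes.length + seed.length];
        System.arraycopy(labelBytes, 0, labelAndSeed, 0, labelBytes.length);
        System.arraycopy(seed, 0, labelAndSeed, labelBytes.length, seed.length);
        return pHash(hmacAlg, secret, labelAndSeed, outLen);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demo, not a published test vector.
        byte[] preMasterSecret = new byte[48];
        for (int i = 0; i < preMasterSecret.length; i++) preMasterSecret[i] = (byte) i;
        byte[] clientRandom = new byte[32];            // all zero
        byte[] serverRandom = new byte[32];
        Arrays.fill(serverRandom, (byte) 0xff);        // all 0xff
        byte[] randoms = new byte[64];
        System.arraycopy(clientRandom, 0, randoms, 0, 32);
        System.arraycopy(serverRandom, 0, randoms, 32, 32);

        // master_secret = PRF(pre_master_secret, "master secret",
        //                     ClientHello.random + ServerHello.random)[0..47]  (RFC 5246 section 8.1)
        byte[] masterSha256 = prf("HmacSHA256", preMasterSecret, "master secret", randoms, 48);
        System.out.println("master secret, P_SHA256 (the RFC 5246 default): " + hex(masterSha256));

        // A suite that explicitly specifies another PRF hash changes only the HMAC algorithm.
        byte[] masterSha384 = prf("HmacSHA384", preMasterSecret, "master secret", randoms, 48);
        System.out.println("master secret, P_SHA384 (suite-specified PRF):  " + hex(masterSha384));
    }
}
```

Both HMAC names are standard JCE algorithm names, so the same code runs on the Java 7 JVM the thread is about; if a provider lacks HmacSHA384, Mac.getInstance throws NoSuchAlgorithmException, which is the programmatic form of the "not implemented" question being discussed.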

2013/8/22 Martin Gainty <mgainty@hotmail.com>:
> point of confusion Eric Rescorla specifically cites SHA384 in his cipher examples for
> TLS 1.2 Update
>
> http://www.ietf.org/rfc/rfc5246.txt
> http://www.ietf.org/proceedings/70/slides/tls-0.pdf
>
> Kuat Eshengazin used bltest as a test harness for SHA384
>
> bltest -R -m prf_sha384 -k tests/prf_sha384/key0 -t
> tests/prf_sha384/seed0 -h -g 148 -x
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=480514
>
> Is this incorrect?
> Martin
> ______________________________________________
> Please do not alter or disrupt this transmission..Thank You
>
>
>
>
>> Date: Thu, 22 Aug 2013 14:53:55 +0100
>> Subject: Re: Tomcat 7 / Java 7 with TLS 1.2 algorithms
>> From: aterrestris@gmail.com
>> To: users@tomcat.apache.org
>>
>> According to RFC 5246 Appendix C (TLS 1.2), there is no SHA384. See :
>> http://www.ietf.org/rfc/rfc5246.txt
>>
>> The JSSE Reference Guide also doesn't talk about this SHA384 as an
>> implementation requirement. See :
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#impl
>>
>> This means you have a problem with SHA256 only. Maybe it's easier to
>> test on client-side, with one of the following ciphers (that you find
>> on the same Reference Guide ) for example :
>>
>> TLS_DH_RSA_WITH_AES_256_CBC_SHA256
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>
>> Let me know if this works, or I will try to test by myself with my own client.
>>
>>
>>
>> 2013/8/22 Dennis Sosnoski <dms@sosnoski.com>:
>> > I've already done that, though as far as I can see that doesn't affect the
>> > digest algorithms (only the encryption options).
>> >
>> > - Dennis
>> >
>> >
>> > On 08/23/2013 12:24 AM, Aurélien Terrestris wrote:
>> >>
>> >> Hello
>> >>
>> >> I suppose you need to run your JVM with the unrestricted policy files (on
>> >> both client and server sides). You have to download them from Oracle
>> >> website for your java version, and replace the old ones.
>> >>
>> >> These files are :
>> >> local_policy.jar
>> >> US_export_policy.jar
>> >>
>> >> Regards
>> >>
>> >> 2013/8/22 <dms@sosnoski.com>:
>> >>>
>> >>> Tomcat 7.0.40 seems to work well with TLS 1.2, forced by using a
>> >>> sslEnabledProtocols="TLSv1.2" attribute on the <Connector>. But I haven't
>> >>> been able to make it work with any of the SHA256/384 algorithms - they
>> >>> always show up in the "Ignoring unsupported cipher suite" list. I get the
>> >>> same thing happening when I try to use them from client code, so I know it's
>> >>> not a Tomcat issue, but I'm hoping someone knows a workaround.
>> >>>
>> >>> Any suggestions?
>> >>>
>> >>> Thanks,
>> >>>
>> >>> - Dennis
>> >>>
>> >>>
>> >>>
>> >>> ---------------------------------------------------------------------
>> >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> >>> For additional commands, e-mail: users-help@tomcat.apache.org
>> >>
>> >
>>
>
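As an added diagnostic for the problem the thread started with (this is not code from any poster, and the class name is hypothetical), the following Java program asks the running JVM's JSSE what it can really negotiate: which protocols and cipher suites are supported versus enabled by default, which of the SHA256/SHA384 suites fall into each group, and whether the unlimited-strength policy files mentioned above are installed, checked through Cipher.getMaxAllowedKeyLength. Run it with the same JVM that runs Tomcat.

```java
import java.util.Arrays;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Hypothetical diagnostic for the SHA256/SHA384 cipher suite problem discussed in the thread. */
public class Tls12SuiteCheck {

    /** Suites whose name ends in _SHA256 or _SHA384, i.e. the ones that need TLS 1.2. */
    static TreeSet<String> sha2Suites(String[] suites) {
        TreeSet<String> out = new TreeSet<String>();
        for (String s : suites) {
            if (s.endsWith("_SHA256") || s.endsWith("_SHA384")) {
                out.add(s);
            }
        }
        return out;
    }

    /** With the unlimited policy files AES reports Integer.MAX_VALUE; the stock Java 7 policy caps it at 128. */
    static boolean unlimitedPolicyInstalled() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Unlimited-strength policy installed: " + unlimitedPolicyInstalled());

        // A TLSv1.2 context so the default parameters reflect what TLS 1.2 would offer.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);     // default key/trust managers suffice for a capability query

        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        System.out.println("Supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled protocols  : " + Arrays.toString(enabled.getProtocols()));

        TreeSet<String> sha2Supported = sha2Suites(supported.getCipherSuites());
        TreeSet<String> sha2Enabled = sha2Suites(enabled.getCipherSuites());

        System.out.println("SHA256/SHA384 suites this JVM can use:");
        for (String s : sha2Supported) {
            String state = sha2Enabled.contains(s)
                    ? "enabled by default"
                    : "supported, must be listed explicitly";
            System.out.println("  " + s + "  [" + state + "]");
        }
        if (sha2Supported.isEmpty()) {
            System.out.println("  (none: the provider offers no SHA-2 suites, so no Connector setting can add them)");
        }

        // Spot-check the two suites suggested earlier in the thread.
        String[] wanted = {"TLS_DH_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"};
        for (String w : wanted) {
            System.out.println(w + ": " + (sha2Supported.contains(w) ? "available" : "NOT supported by this JVM"));
        }
    }
}
```

Reading the output: a suite that appears as supported but not enabled can be named in the Connector's ciphers attribute; a suite that is missing from the supported list is what Tomcat logs as an unsupported cipher suite, and no Connector setting can add it. If only the AES_256 variants are missing, look at the policy line first; if every SHA256 suite is missing, the JSSE provider itself is the limit.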