tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Getting DH parameters from an SSLSocket
Date Thu, 29 Sep 2016 16:52:38 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 9/29/16 5:38 AM, Mark Thomas wrote:
> On 28/09/2016 22:14, Christopher Schultz wrote:
>> Mark,
>> 
>> On 9/19/16 4:32 PM, Mark Thomas wrote:
>>> On 19/09/2016 21:20, Christopher Schultz wrote:
>>>> All,
>>>> 
>>>> On 8/31/16 12:45 PM, Christopher Schultz wrote:
>>>>> All,
>>>> 
>>>>> This isn't Tomcat-related, but many folks on this list
>>>>> have this kind of experience, so I'm asking in case anyone
>>>>> knows.
>>>> 
>>>>> I'd like to make an HTTPS connection to a server and, if
>>>>> I'm using non-ephemeral DH key exchange, I'd like to know
>>>>> what the parameters are for that connection. Actually, I
>>>>> don't really care if it's ephemeral or not.
>>>> 
>>>>> What I'm looking for is the ability to make a connection
>>>>> and then warn if the connection is using "weak" DH
>>>>> parameters. Is that something I can check at
>>>>> connection-time? Or is the set of DH parameters (or, more
>>>>> specifically, the *length* of those parameters, in bits)
>>>>> defined by the cipher suite itself?
>>>> 
>>>>> For example, the Qualys community thread has an
>>>>> illustration of the cipher suites that SSLLabs considers
>>>>> "weak" (well, everyone considers them weak... they just
>>>>> have a public tool which complains about them): 
>>>>> https://community.qualys.com/thread/14821
>>>> 
>>>>> They specifically mention e.g. 
>>>>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 which is cipher suite
>>>>> 0x9f and mention the DH parameters. Are those parameters'
>>>>> parameters baked-into the cipher suite (meaning they are
>>>>> *always* 1024-bit) or is this a configuration of the server
>>>>> that makes those cipher suites weak due to the specific DH
>>>>> parameter choice?
>>>> 
>>>>> In either case, I'd like to be able to sniff that
>>>>> information from the connection if at all possible. Does
>>>>> anyone know if this can be done, and how?
>>>> 
>>>>> Thanks, -chris
>>>> 
>>>> It seems that this isn't possible.
>>>> 
>>>> Does anyone on the list have the karma required to file an 
>>>> enhancement request for the Java API? Or does everything need
>>>> to be a darned JSR?
>> 
>>> I recommend starting with the security-dev@openjdk.java.net
>>> mailing list.
>> 
>>> As far as I know, the process is to raise a bug/enhancement 
>>> request against Java. From my own experience with the memory
>>> leak bugs, it helps a lot if an OpenJDK committer has already
>>> agreed to try and do something about it.
>> 
>> So... crickets so far.
>> 
>> Any suggestions?
> 
> Open an enhancement request and the next time Rory posts to the dev
> list about Java 9 respond with a request to look at your
> enhancement request.
> 
> The more you can tie it back to something that Tomcat needs to
> improve security, the greater the chances of something happening.

Okay.

> That is how I got the memory leak stuff fixed. The advantage I had
> was they were all clear bugs and I had simple tests cases (most of
> the time) to demonstrate them.

Yeah, this is clearly an enhancement request. So, maybe less incentive.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX7UbWAAoJEBzwKT+lPKRYSPMP/1KdZsvY2TqUKqYsu0NSebOF
4jaZVdtG/09JUBjS74qVtujqSS2Kn+wxxqljzZJYL5/sekiXJBu4kjGNwFy1azsM
VkpH1es8x/xGunfUYWDSxYDmofHjaOhPRXm0zNN42ZFb/b2ssa5x5I0IB+xBwuuS
PM/wLcbkUmm/RoabVEUO6Eb7SABKIOCokd5SGNDOY8bPb6xeFrjRDKv5U+6U9cIM
XEXVcOY5UvIwBTxa9mCxOB8uHIC3TiEhVecxToFRD5WK7FJ9BfDpBqLBKYdNK+fF
8500tYH8iWYLO1MmBKS3xsppUIiDu2a1xF7TXTQR41nM6NMeNF6TSBQQoUp0N+bU
F6NNKUHRZMNkv6C1XX7t8gFGg/xP1hYw0IvNkkZjKakptnW84bm1P0VY6D+ZI0TS
HOGpkg8jP7oNrsQEX+IK3HjEYRAHT+j0HR8u6q0Zmal3bkqJ9cjXsYMLHUOEgZAB
BFnawEHsvb87mU3E1uK58F3zzBvnyLq1eU4q9gq1BBQ2vZpufIuYnH2u9l3rWQda
ldG5pjZ/zcHkokO8O0OPo8Eu3MOsG4reSHHIITnLH1AlyaMMyOBCkqpnBZttTIMm
gV3QVI5bjpQ3RNhS0nKZkZycmIBvCgbreMo5zpVZsbe7leHh4SPwSU5ccJiL1YOd
8/83xNVMFvBPx4eX3UWZ
=Z14m
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message