tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject [OT] Getting DH parameters from an SSLSocket
Date Wed, 31 Aug 2016 16:45:47 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

All,

This isn't Tomcat-related, but many folks on this list have this kind
of experience, so I'm asking in case anyone knows.

I'd like to make an HTTPS connection to a server and, if I'm using
non-ephemeral DH key exchange, I'd like to know what the parameters
are for that connection. Actually, I don't really care if it's
ephemeral or not.

What I'm looking for is the ability to make a connection and then warn
if the connection is using "weak" DH parameters. Is that something I
can check at connection-time? Or is the set of DH parameters (or, more
specifically, the *length* of those parameters, in bits) defined by
the cipher suite itself?

For example, the Qualys community thread has an illustration of the
cipher suites that SSLLabs considers "weak" (well, everyone considers
them weak... they just have a public tool which complains about them):
https://community.qualys.com/thread/14821

They specifically mention e.g. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
which is cipher suite 0x9f and mention the DH parameters. Are those
parameters' parameters baked-into the cipher suite (meaning they are
*always* 1024-bit) or is this a configuration of the server that makes
those cipher suites weak due to the specific DH parameter choice?

In either case, I'd like to be able to sniff that information from the
connection if at all possible. Does anyone know if this can be done,
and how?

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXxwm7AAoJEBzwKT+lPKRYQkcQAIP4N1HE9ImfYz2bnIq0YOzl
vNmiatTlKE0PvYVOa1efCnjEho3JgJUp0LwB+OZXFt22mbQu5SOwnKjGx2TfZi4g
Efs6EQ56ya25AmkUDEtNDgTi1jrP7rbHMLuGpK7yU1amURUwrZs7/f9s52d+WSgm
/QPQoJsgv5cZEqopRBubCrcr+QOUgXYPVTJV1XPLzfKMTpDLTg8Y3HbjGuauQ6Q0
KUmdc726TQPqY7GB/etRO+2oBGS9JnSsb8yMf9mf/UbTJV753BnMdTrQ7fnh4omJ
/widG9TBWTMpBLmQG8hW9D5qwyRedadfhXB+S3jEKEfa84DxBABHi39O2KBPaQQH
6jgjp/64jrlai4EFVpOjFoyStV2yXVPODCqcW4dZ1BO+01FyXIDphe6F1zULelKa
LNhtxd0m36BqEBr2ytKtcQ1BiMPEUJukB16qBxRG5PStZh2JqK0kvs7KxFf6vcqK
H91wY51/H0zMbrq1yccQhR6HzmO6OHVHTKMnc1IILVizJX/T1JjrktNbyp9a+ahH
pXsSbTQU12IeHlash3ZYbn0czK0nBzJ6dI+/+JoA0HIYQY4xpt7XKiBL0xbPZGeP
Ryi6ICkUGHRlTj1H1tAKAcmYDyosKwYM1peEY/lIc3d07PTCE15BobzZopPwfqwA
8PTkRy//IlSN5VEltU8E
=0EqP
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message