On May 1, 2009, at 4:33 PM, Jay Ballinger wrote:

> Howdy,
>
> Please refer to:
>
> http://bugs.caucho.com/view.php?id=3431 (which is a reopen of)
> http://bugs.caucho.com/view.php?id=2360

I've added this information as a note to 3431.  Now that we've  
released 4.0.0, we can start clearing out the old, stalled bug reports.

-- Scott

>
>
>
> We're using Resin Pro 3.1.6 and trying to limit the cipher suites for
> JSSE. I couldn't find the documentation, but through trial and error
> was able to discover that the http stanza allows this syntax for setting
> ciphers...
>
> <host port="443" host="some.host">
>  <jsse-ssl>
>   <cipher-suites>SSL_RSA_WITH_RC4_128_MD5,[more]</cipher-suites>
>   <key-store-type>...
>   <key-store-file>...
>   <password>...
>  </jsse-ssl>
> </host>
>
> But running THCSSLCheck didn't show any change to the ciphers.
>
> I dove down into com.caucho.vfs.JsseSSLFactory and had to make the
> following changes...
>
> 1) in the public QServerSocket create(InetAddress host, int port)
> method, there is a check for _cipherSuites != null. That if stmt
> includes the following line:
> sslContext.createSSLEngine().setEnabledCipherSuites(_cipherSuites);
> While this appears to do what I need, it doesn't appear to really
> affect anything. I'm not sure where the new SSLEngine is used. The
> SSLServerSocketFactory is established in the same if block, but
> nothing new is set there.
>
> 2) there is some commented code below that method that looks like it
> was setting protocols - pretty close to ciphers. I added the following
> just before the return stmt:
> sslServerSocket.setEnabledCipherSuites( _cipherSuites );
> And now I see a difference with THCSSLCheck.
>
> Scott, I haven't looked any further than JsseSSLFactory and Port, so I
> don't know if this was supposed to be handled somewhere else. And I'm
> not sure if this is still an issue with 3.1.9, or the 3.2/4 code. I
> think we're in the minority running JSSE, but it works well enough for us.
>
> We upgraded to 3.1.6 because this was reported as fixed on this version,
> but obviously this isn't. Maybe there might be confusion with the
> https.cipherSuites system property/java-args usage versus the socket
> cipher suites - which would be my bad for not asking for the right
> thing. If I understand the https.cipherSuites properly (now), that is
> when you run as a client versus the server. To set server ciphers you
> need to interact with the API directly - like the SSLServerSocketFactory
> does.
>
> This may be why 3431 was opened.
>
> Is this a reasonable fix if we were to run 3.1.6mine? Has this been
> fixed in newer revisions? Are there others running JSSE with an interest
> in limiting the cipher suites and possibly the protocols?
>
> + jay
>
>
>
> _______________________________________________
> resin-interest mailing list
> resin-interest@caucho.com
> http://maillist.caucho.com/mailman/listinfo/resin-interest

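The distinction Jay describes above, configuring cipher suites on a throwaway SSLEngine versus on the SSLServerSocket that actually accepts connections, as an added Java example that is not from the thread or from Resin's JsseSSLFactory. The class name, the allow-list of suite names and the use of SSLContext.getDefault() are assumptions; the JsseSSLFactory itself is not reproduced.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.Arrays;
import java.util.List;

public class CipherSuiteDemo {
    // Constructed allow-list (assumption, not from the thread). Names are
    // standard JSSE identifiers; the code below drops any the JDK lacks.
    static final String[] ALLOWED = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    };

    /** The ineffective pattern: a fresh SSLEngine is configured, but the
     *  server socket is created separately and never sees that setting. */
    static SSLServerSocket configureEngineOnly(SSLContext ctx, int port) throws Exception {
        SSLEngine engine = ctx.createSSLEngine();   // not used by any connection
        engine.setEnabledCipherSuites(ALLOWED);
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        return (SSLServerSocket) factory.createServerSocket(port);
    }

    /** The effective pattern: restrict the SSLServerSocket itself, so every
     *  SSLSocket returned by accept() inherits the restricted list. */
    static SSLServerSocket configureServerSocket(SSLContext ctx, int port) throws Exception {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket ss = (SSLServerSocket) factory.createServerSocket(port);
        // Intersect with what this JDK supports so an unknown name does not throw.
        List<String> supported = Arrays.asList(ss.getSupportedCipherSuites());
        String[] enabled = Arrays.stream(ALLOWED)
                                 .filter(supported::contains)
                                 .toArray(String[]::new);
        ss.setEnabledCipherSuites(enabled);
        return ss;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();   // assumption: default key/trust material
        try (SSLServerSocket a = configureEngineOnly(ctx, 0);      // port 0 = ephemeral
             SSLServerSocket b = configureServerSocket(ctx, 0)) {
            // The first socket still reports the full JDK default list; only the
            // second reflects the allow-list, which is what an external scan sees.
            System.out.println("engine-only:   " + a.getEnabledCipherSuites().length + " suites enabled");
            System.out.println("server-socket: " + Arrays.toString(b.getEnabledCipherSuites()));
        }
    }
}
```

Comparing the two printed lists is the same check Jay performed externally with THCSSLCheck: a setting that does not show up on the listening socket has not changed what clients can negotiate.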