Thanks for adding the notes to issue 3431. I was hoping that Scott and 
Emil could chime in where I think the changes need to happen. We're 
wanting to implement 3.1.6 (up to 3.1.9) in our production environments, 
and this change is key to that development.

If this is a logical place to start, we may implement 3.1.6x until 
3.1.10 is available. ;)

Have you guys had a chance to take a quick look, yet?

+ jay

Scott Ferguson wrote:
> On May 1, 2009, at 4:33 PM, Jay Ballinger wrote:
> 
>> Howdy,
>>
>> Please refer to:
>>
>> http://bugs.caucho.com/view.php?id=3431 (which is a reopen of)
>> http://bugs.caucho.com/view.php?id=2360
> 
> I've added this information as a note to 3431. Now that we've released
> 4.0.0, we can start clearing out the old, stalled bug reports.
> 
> -- Scott
> 
>>
>>
>> We're using Resin Pro 3.1.6 and trying to limit the cipher suites for
>> JSSE. I couldn't find the documentation, but through trial and error was
>> able to discover that the http stanza allows this syntax for setting
>> ciphers...
>>
>> <host port="443" host="some.host">
>>   <jsse-ssl>
>>     <cipher-suites>SSL_RSA_WITH_RC4_128_MD5,[more]</cipher-suites>
>>     <key-store-type>...</key-store-type>
>>     <key-store-file>...</key-store-file>
>>     <password>...</password>
>>   </jsse-ssl>
>> </host>
>>
>> But running THCSSLCheck didn't show any change to the ciphers.
>>
>> I dove down in to com.caucho.vfs.JsseSSLFactory and had to make the
>> following changes...
>>
>> 1) in the public QServerSocket create(InetAddress host, int port)
>> method, there is a check for _cipherSuites != null. That if stmt
>> includes the following line:
>> sslContext.createSSLEngine().setEnabledCipherSuites(_cipherSuites);
>> While this appears to do what I need, it doesn't appear to really affect
>> anything. I'm not sure where the new SSLEngine is used. The
>> SSLServerSocketFactory is established in the same if block, but nothing
>> new is set there.
>>
>> 2) there is some commented code below that method that looks like it was
>> setting protocols - pretty close to ciphers. I added the following just
>> before the return stmt:
>> sslServerSocket.setEnabledCipherSuites( _cipherSuites );
>> And now I see a difference with THCSSLCheck.
>>
>> Scott, I haven't looked any further than JsseSSLFactory and Port, so I
>> don't know if this was supposed to be handled somewhere else. And I'm
>> not sure if this is still an issue with 3.1.9, or the 3.2/4 code. I
>> think we're in the minority running JSSE, but it works well enough for us.
>>
>> We upgraded to 3.1.6 because this was reported as fixed on this version,
>> but obviously this isn't. Maybe there might be confusion with the
>> https.cipherSuites system property/java-args usage versus the socket
>> cipher suites - which would be my bad for not asking for the right
>> thing. If I understand the https.cipherSuites properly (now), that is
>> when you run as a client versus the server. To set server ciphers you
>> need to interact with the API directly - like the SSLServerSocketFactory
>> does.
>>
>> This may be why 3431 was opened.
>>
>> Is this a reasonable fix if we were to run 3.1.6mine? Has this been
>> fixed in newer revisions? Are there others running JSSE with an interest
>> in limiting the cipher suites and possibly the protocols?
>>
>> + jay
>>
>>
>>
>> _______________________________________________
>> resin-interest mailing list
>> resin-interest@caucho.com
>> http://maillist.caucho.com/mailman/listinfo/resin-interest
> 


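The thread contrasts two places to put a cipher-suite allow-list: on a freshly created SSLEngine that is never used (no effect on the listening socket) versus on the SSLServerSocket that will accept connections (the change Jay made in JsseSSLFactory). The following standalone Java program is an added example, not Resin's code and not code from the list; the class and method names, the allow-lists, and the use of an ephemeral port 0 socket with the JVM's default SSLContext (so no key store is needed just to inspect the settings) are all assumptions made for this example. It shows both patterns side by side, restricts protocols on the same object, intersects the request with what the provider actually supports, and fails closed when nothing matches instead of silently keeping the defaults.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example (not Resin code): where a JSSE cipher-suite allow-list must be
 * applied for it to affect accepted connections. All names here are assumptions.
 */
public class ServerCipherRestriction {

    /** Hypothetical allow-list, the kind of value an operator would put in <cipher-suites>. */
    static final String[] WANTED_SUITES = {
        "TLS_AES_256_GCM_SHA384",                 // TLS 1.3 suite (JDK 11+)
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  // TLS 1.2 suite
        "SSL_RSA_WITH_RC4_128_MD5"                // suite named in the post; dropped if the provider lacks it
    };

    /** Hypothetical protocol allow-list; the post asks about limiting protocols too. */
    static final String[] WANTED_PROTOCOLS = { "TLSv1.3", "TLSv1.2" };

    /** Keep only the requested names the provider reports as supported, in the caller's order. */
    static String[] intersect(String[] wanted, String[] supported) {
        Set<String> have = new HashSet<>(Arrays.asList(supported));
        List<String> out = new ArrayList<>();
        for (String w : wanted) {
            if (have.contains(w)) {
                out.add(w);
            }
        }
        return out.toArray(new String[0]);
    }

    /**
     * The pattern the post found: a fresh SSLEngine is configured and then discarded.
     * The SSLServerSocket created afterwards keeps the provider defaults.
     */
    static SSLServerSocket createWithoutEffect(SSLContext ctx, String[] suites) throws IOException {
        ctx.createSSLEngine().setEnabledCipherSuites(suites);   // affects only this engine object
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        return (SSLServerSocket) factory.createServerSocket(0);  // port 0: ephemeral, no traffic needed
    }

    /**
     * The fix the post applied: restrict the SSLServerSocket that will accept()
     * connections. Protocols are restricted the same way, on the same object.
     */
    static SSLServerSocket createRestricted(SSLContext ctx, String[] suites, String[] protocols)
            throws IOException {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0);

        String[] enabledSuites = intersect(suites, server.getSupportedCipherSuites());
        if (enabledSuites.length == 0) {
            server.close();   // fail closed rather than listen with the defaults
            throw new IllegalStateException("none of the requested cipher suites are supported by this provider");
        }
        server.setEnabledCipherSuites(enabledSuites);

        if (protocols != null) {
            String[] enabledProtocols = intersect(protocols, server.getSupportedProtocols());
            if (enabledProtocols.length == 0) {
                server.close();
                throw new IllegalStateException("none of the requested protocols are supported by this provider");
            }
            server.setEnabledProtocols(enabledProtocols);
        }
        return server;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();   // default context: enough to inspect socket settings

        try (SSLServerSocket noEffect = createWithoutEffect(ctx, WANTED_SUITES);
             SSLServerSocket restricted = createRestricted(ctx, WANTED_SUITES, WANTED_PROTOCOLS)) {
            System.out.println("suites enabled after the engine-only pattern: "
                    + noEffect.getEnabledCipherSuites().length + " (provider defaults)");
            System.out.println("suites enabled after restricting the server socket: "
                    + Arrays.toString(restricted.getEnabledCipherSuites()));
            System.out.println("protocols enabled: "
                    + Arrays.toString(restricted.getEnabledProtocols()));
        }
    }
}
```

Run it with `java ServerCipherRestriction.java` (JDK 11+) and compare the two counts. The first socket reports the full default list because the engine it configured was never used; the second reports only the allow-listed names the provider actually offers. This is also the server-side counterpart to the point in the post: the `https.cipherSuites` and `https.protocols` system properties are read by `HttpsURLConnection`, so they shape what the JVM offers as a TLS client and do not touch an `SSLServerSocket`. An external scanner such as the THCSSLCheck run in the post remains the right end-to-end check, since it sees what the listener actually negotiates.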