Thanks, Rachana.

I modified the <Connector> element in my tomcat server.xml configuration file and added an encryption="true" attribute. However, with debug logging turned on for org.globus.gsi.gssapi.GlobusGSSContextImpl, in some cases (possibly when a service is being invoked anonymously), I still see log messages which say "encryption alg: NULL".

My own cursory examination of the cog-jglobus 1.4 code indicated that cipher configuration is performed by the "private void init(int how)" method of org.globus.gsi.gssapi.GlobusGSSContextImpl. That code always appends a NULL cipher to the list of cipher suites, and doesn't offer any cipher configuration hooks. It might be possible to configure the default cipher suites for PureTLS SSLPolicyInt through some other mechanism, but I didn't see a way to disable the NULL cipher without modifying that code.

A configuration option that offers fine-grained control of cipher usage would be helpful, but it leaves the end user with the task of determining which specific ciphers support strong encryption. For example, the names of default cipher suites for SSLPolicyInt are:

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

Of these, I suspect the ciphers with names containing "3DES" or "128" would support "strong" encryption and the ciphers with names containing simply "DES" (as opposed to "3DES") would support only "weak" encryption. However, I'd need to do some verification and testing to confirm that.

In light of that, I think it would be helpful if Java WS Core could also offer a "strong encryption only" (or maybe "encryption level") configuration option, as a simple mechanism to disable the use of "weak" and NULL ciphers.

Maybe the globus_wsrf_core server-config.xml file would be an appropriate place for encryption and cipher configuration parameters (?).

Best regards,
Joel

-----Original Message-----
From: Rachana Ananthakrishnan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2008 3:28 PM
To: Joel Schneider; [email protected]
Subject: RE: [gt-user] configuring cipher usage (under Tomcat)

Joel,

I reviewed the CoG code and don't see any way of configuring a list of allowed ciphers. On the server, in the Connector, if you added the attribute "encryption" and set it to true, none of the null ciphers should be used. Similarly on the client, enabling encryption disables all the null ciphers.

We'll modify the code to reuse the tomcat cipher configuration and add a hook for non-tomcat scenarios.

Rachana

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joel Schneider
> Sent: Monday, September 15, 2008 8:55 PM
> To: [email protected]
> Subject: [gt-user] configuring cipher usage (under Tomcat)
>
> For an instance of Java WS Core (4.0.8) running under Tomcat (5.5.26), I'm
> told a security scan recently reported the following two "vulnerabilities":
>
> - SSL Server Supports Weak Encryption
>   The SSL server supports weak encryption keys, which are defined as
>   encryption keys of less than 128 bits.
>
> - SSL Server Allows Cleartext Communication (NULL Cipher Support)
>   The host is running an SSL server that supports the NULL cipher.
>
> This system currently utilizes only the GSITransport authentication method,
> part of which is implemented by a HTTPSConnector Connector and HTTPSValve55
> Valve configured in Tomcat's server.xml file, as documented by the
> "Deploying into Tomcat" section of the administrator's guide.
>
> If possible, I would like to alleviate any security worries
> related to this by finding answers to questions such as the following.
>
> - Should we be concerned about these two "vulnerabilities"? Why,
>   or why not?
>
> - Is it possible to configure the ciphers accepted by GSI (and
>   Tomcat), to reject the use of "weak" ciphers? Documentation for
>   the <Connector> element in Tomcat's server.xml file mentions a
>   "ciphers" attribute, but I'm uncertain whether GSI's cipher usage
>   can/should be configured there.
>
> - Can use of the NULL cipher be disabled at the server level? What
>   consequences would that have?
>
> Best regards,
> Joel
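
The name-based triage discussed in this thread, as an added example that is not part of the original messages or of any Globus or jglobus code: it sorts cipher suite names into null, weak and strong using the scanner's "less than 128 bits" key-length rule. The names `KEY_BITS`, `classify` and `strong_only` are hypothetical, and the two NULL suite names are constructed sample input, since the thread does not say which NULL suites are appended.

```python
import re

# Secret-key length in bits of each bulk cipher token, per the TLS suite
# definitions. 3DES takes a 168-bit key (about 112 bits effective strength).
# RC4_128 passes a key-length rule, but RFC 7465 later prohibited RC4 in TLS.
KEY_BITS = {
    "NULL": 0, "RC4_40": 40, "RC2_CBC_40": 40, "DES40_CBC": 40,
    "DES_CBC": 56, "RC4_128": 128, "AES_128_CBC": 128,
    "3DES_EDE_CBC": 168, "AES_256_CBC": 256,
}
SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kx>.+)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")

def classify(suite, min_bits=128):
    """Return 'null', 'weak', 'strong' or 'unknown' for one suite name."""
    m = SUITE_RE.match(suite)
    bits = KEY_BITS.get(m.group("cipher")) if m else None
    if bits is None:
        return "unknown"   # unparsed or unlisted: never treated as strong
    if bits == 0:
        return "null"      # integrity check only, payload sent in cleartext
    # Compare the whole cipher token: a substring test for "DES" would also
    # match "3DES_EDE_CBC". EXPORT key exchanges are weak by design.
    if bits < min_bits or "EXPORT" in m.group("kx"):
        return "weak"
    return "strong"

def strong_only(suites, min_bits=128):
    """Keep only suites classified 'strong', preserving their order."""
    return [s for s in suites if classify(s, min_bits) == "strong"]

# The seven SSLPolicyInt default suite names listed in the thread.
PAGE_SUITES = [
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
]
# Constructed sample input: standard NULL suite names standing in for
# whatever is appended by the code discussed in the thread.
SAMPLE_NULL = ["TLS_RSA_WITH_NULL_SHA", "TLS_RSA_WITH_NULL_MD5"]

if __name__ == "__main__":
    for name in PAGE_SUITES + SAMPLE_NULL:
        print(f"{classify(name):8} {name}")
```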
