Joel Schneider wrote:
> My own cursory examination of the cog-jglobus 1.4 code indicated that
> cipher configuration is performed by the "private void init(int how)"
> method of org.globus.gsi.gssapi.GlobusGSSContextImpl.
I was able to disable the use of weak and NULL cipher suites by building a custom modified cog-jglobus.jar library, using a copy of the jglobus source code acquired via anonymous CVS. The attached patch file shows modifications I made to GlobusGSSContextImpl.java. After the new cog-jglobus.jar was deployed (to Tomcat, in my case), a security scan no longer reported the use of weak and NULL cipher suites, which indicated this modification did have the desired effect of disabling weak encryption.

However, further testing revealed that, in some cases, client code that used the "old" cog-jglobus.jar was unable to connect with a service that used my "new" cog-jglobus.jar. Replacing the "old" cog-jglobus.jar on the client side with my "new" version resolved the connectivity problem. But this unexpected break in backward compatibility called for closer examination of the code.

The GlobusGSSContextImpl.java code obtained from CVS always includes a NULL cipher suite in the SSL policy. I think this is questionable because, for example, a client might be able to force the use of a NULL cipher (i.e. an unencrypted connection), even if the service is configured for privacy via GSITransport.

The GlobusGSSContextImpl.java code from CVS has another questionable feature, in that, under some circumstances, the only cipher suite it allows is a NULL one. This would cause the connection to fail if the other side does not allow the NULL cipher suite (as in my "new" cog-jglobus.jar).

The use of NULL cipher suites in GlobusGSSContextImpl.java seems very strange to me, especially with regard to the concept of privacy via GSITransport. Right now, I can't think of any reason I would ever want to use a NULL cipher suite on my secure web service. Am I missing something here? Could this be considered a bug (or bugs)?
Other notes:
- jglobus code was acquired via anonymous CVS, as illustrated on the COG JGlobus 1.2 page: http://dev.globus.org/wiki/CoG_JGlobus_1.2
- There was no CVS tag for globus_4_0_8, so I used the most recent code from the globus_4_0_branch, as of September 24, 2008.

Best regards,
Joel
Attachment: jglobus-20080924-disable_weak_encryption.patch
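As an added illustration (not from the post, from jglobus, or from the attached patch), a small Java helper that applies the kind of policy Joel describes to a JSSE engine: it drops NULL, anonymous and other weak suites from the enabled set, and a cipher-suite intersection check shows why a peer that offers only a NULL suite can no longer connect once the server enforces the policy. The class name, the weak-marker list and the sample client suite lists are assumptions; the SSLContext/SSLEngine calls are standard JSSE.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Hypothetical cipher-suite policy helper; not part of jglobus or the attached patch. */
public class CipherSuitePolicy {
    /** Name fragments of JSSE suites that give no or weak confidentiality (assumed list). */
    private static final String[] WEAK_MARKERS = {
        "_NULL_", "_anon_", "EXPORT", "_DES_", "RC4", "_MD5"
    };
    /** True if the suite name carries any weak marker. */
    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }
    /** Keeps only suites that pass the policy, preserving the caller's order. */
    static String[] filter(String[] candidates) {
        ArrayList<String> kept = new ArrayList<>();
        for (String s : candidates) if (!isWeak(s)) kept.add(s);
        return kept.toArray(new String[0]);
    }
    /** A handshake can only succeed if both sides share at least one enabled suite. */
    static boolean canNegotiate(String[] serverEnabled, String[] clientEnabled) {
        HashSet<String> common = new HashSet<>(Arrays.asList(serverEnabled));
        common.retainAll(Arrays.asList(clientEnabled));
        return !common.isEmpty();
    }
    /** Server-side engine with the policy applied to the JDK's supported suites. */
    static SSLEngine hardenedServerEngine() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        engine.setEnabledCipherSuites(filter(engine.getSupportedCipherSuites()));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine server = hardenedServerEngine();
        // Constructed peers: an "old" client offering only a NULL suite, and a "new" one
        // that applies the same policy as the server.
        String[] oldClient = { "SSL_RSA_WITH_NULL_SHA" };
        String[] newClient = filter(server.getSupportedCipherSuites());
        System.out.println("old client: " + canNegotiate(server.getEnabledCipherSuites(), oldClient));
        System.out.println("new client: " + canNegotiate(server.getEnabledCipherSuites(), newClient));
    }
}
```

The NULL-only "old" client has no suite in common with the hardened server, which is the connectivity failure the post describes; the "new" client shares the filtered set and negotiates normally.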
