Most Current Cipher List for 4D
I have a government client using our 4D OEM Web Server application. Their security team would like to customize the cipher list used by 4D. We provide the ability for clients to do that using our application. They however have asked for the following information. 1. A complete list of the cipher suites the application presently supports. 2. Mapping of cipher suites supported to a known naming convention for those cipher suites (eg – Windows, Apache, etc) I found tech note 10-07 by Timothy Penner and it would appear to answer the questions but it is for 4D v11 and we are currently using 4D v15 r5. Does anyone know? 1) if the list of Ciphers provided in tech note 10-07 is still the most current? If not, where can find the most current list? 2) which known naming convention is used? Thank you in advance. Mike McCall ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
Re: Most Current Cipher List for 4D
I think there is a cipher list option with Get Database Parameter. And I think 4D uses OpenSSL and that 15.3 (not R that you are running) updates this (to 1.0.x "J" or some such). Sorry to be vague and unable to lookup right now but maybe this give a few ideas of where to start... > On Dec 5, 2016, at 11:43 AM, Michael McCall > wrote: > > I have a government client using our 4D OEM Web Server application. Their > security team would like to customize the cipher list used by 4D. We provide > the ability for clients to do that using our application. They however have > asked for the following information. > > 1. A complete list of the cipher suites the application presently > supports. > 2. Mapping of cipher suites supported to a known naming convention for > those cipher suites (eg – Windows, Apache, etc) > > I found tech note 10-07 by Timothy Penner and it would appear to answer the > questions but it is for 4D v11 and we are currently using 4D v15 r5. > > Does anyone know? > ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
Re: Most Current Cipher List for 4D
you just need to know which version of OpenSSL is used in which version of 4D. 1.0.2h in v16 1.0.2j in v15 1.0.1p in v14 1.0.1l in v13 > 2016/12/06 4:43、Michael McCall のメール: > > Does anyone know? > > 1) if the list of Ciphers provided in tech note 10-07 is still the most > current? If not, where can find the most current list? > 2) which known naming convention is used? 宮古 啓介 セールス・エンジニア 株式会社フォーディー・ジャパン 〒150-0043 東京都渋谷区道玄坂1-10-2 渋谷THビル6F Tel: 03-6427-8441 Fax: 03-6427-8449 keisuke.miy...@4d.com www.4D.com/JP ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
RE: Most Current Cipher List for 4D
Just to clarify, was that a typo in the OpenSSL versions. You had v15 as 1.0.2.j and v16 as 1.0.2h. Should those flipped? I also found the cipher page you mentioned on the OpenSSL site at: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html Thanks again, Mike McCall -Original Message- From: 4D_Tech [mailto:4d_tech-boun...@lists.4d.com] On Behalf Of Keisuke Miyako Sent: Monday, December 5, 2016 12:02 PM To: 4D iNug Technical <4d_tech@lists.4d.com> Subject: Re: Most Current Cipher List for 4D you just need to know which version of OpenSSL is used in which version of 4D. 1.0.2h in v16 1.0.2j in v15 1.0.1p in v14 1.0.1l in v13 > 2016/12/06 4:43、Michael McCall のメール: > > Does anyone know? > > 1) if the list of Ciphers provided in tech note 10-07 is still the most > current? If not, where can find the most current list? > 2) which known naming convention is used? ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
RE: Most Current Cipher List for 4D
Hi Mike, You can actually manually check the version of OpenSSL used in 4D yourself: http://kb.4d.com/assetid=76175 Checking myself Keisuke Miyako's post appears to be accurate. Hope this helps. Best Regards, -Tai B. ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
RE: Most Current Cipher List for 4D
Thanks Tai, It just seemed odd that v16 would appear to use an older version of OpenSSL than v15. Does anyone by chance know why that is? I've done a quick google search and don't see any clear explanation. 1.0.2h in v16 1.0.2j in v15 1.0.1p in v14 1.0.1l in v13 Thanks, Mike -Original Message- From: 4D_Tech [mailto:4d_tech-boun...@lists.4d.com] On Behalf Of Tai Bui Sent: Monday, December 5, 2016 3:34 PM To: 4D iNug Technical <4d_tech@lists.4d.com> Subject: RE: Most Current Cipher List for 4D Hi Mike, You can actually manually check the version of OpenSSL used in 4D yourself: http://kb.4d.com/assetid=76175 Checking myself Keisuke Miyako's post appears to be accurate. Hope this helps. Best Regards, -Tai B. ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com ** ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
RE: Most Current Cipher List for 4D
Hi, I'm not 100% certain, but I believe that it was due to the timings when building them. Actually v15.3 is 1.0.2j, while the v15.2 I have at hand is 1.0.1p. 15.3 was probably and built when 1.0.2j was available while 16 Beta was probably built with the 1.0.2h. Makes sense in terms of timings, but this is all my assumption. Best Regards, -Tai B. ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
RE: Most Current Cipher List for 4D and questions regarding OpenSSL versions being used
Thanks Tai, I took your suggestion and checked the version of the ssleay32.dll which came with v15 r5 and it only uses 1.0.1p. According to the list below that would suggest that it is only using the version which v14 used instead of the one which v15 used. That doesn't appear to make sense to me nor does it seem to the build timing seem to explain this anomaly. Any other possible explanations. 1.0.2h in v16 1.0.2j in v15 1.0.1p in v14 1.0.1l in v13 -Original Message- From: 4D_Tech [mailto:4d_tech-boun...@lists.4d.com] On Behalf Of Tai Bui Sent: Monday, December 5, 2016 3:56 PM To: 4D iNug Technical <4d_tech@lists.4d.com> Subject: RE: Most Current Cipher List for 4D Hi, I'm not 100% certain, but I believe that it was due to the timings when building them. Actually v15.3 is 1.0.2j, while the v15.2 I have at hand is 1.0.1p. 15.3 was probably and built when 1.0.2j was available while 16 Beta was probably built with the 1.0.2h. Makes sense in terms of timings, but this is all my assumption. Best Regards, -Tai B. ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com ** ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
Re: Most Current Cipher List for 4D and questions regarding OpenSSL versions being used
it is the timing - 15.3 is from 11/17/16 - OpenSSL is from 9/26/16 - R5 is from 9/14/16 > On Dec 5, 2016, at 4:10 PM, Michael McCall wrote: > > Thanks Tai, > > I took your suggestion and checked the version of the ssleay32.dll which came > with v15 r5 and it only uses 1.0.1p. According to the list below that would > suggest that it is only using the version which v14 used instead of the one > which v15 used. > > That doesn't appear to make sense to me nor does it seem to the build timing > seem to explain this anomaly. > ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
RE: Most Current Cipher List for 4D and questions regarding OpenSSL versions being used
Mike, v15.2 used OpenSSL 1.0.1p v15.3 was updated to OpenSSL 1.0.2j as described in the release notes: http://download.4d.com/Documents/Products_Documentation/LastVersions/Line_15/VIntl/4D_v15_3_ReleaseNotes_US.pdf For a cipher list, I like to check https://cipherli.st/ * then click on the link for "Do you need to (or are forced to) support old / legacy software like IE < 9, Android < 2.2 or Java < 6? Yes, give me a ciphersuite that works with legacy / old software. " * my browser (Chrome 54) doesn’t work with the default cipher list found on cipherli.st which is why I use the legacy link to get more ciphers. The legacy list provided right now on this site is: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" The only other change I did just now was remove "DES-CBC3-SHA" from the list because https://ssldecoder.org/ complained about it; which then resulted in "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-"+"SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:A"+"ES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" Hope that helps, Tim PENNER ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
RE: Most Current Cipher List for 4D and questions regarding OpenSSL versions being used
Thanks Tim, I appreciate the additional information and the original Tech Note you wrote. It was very helpful. Mike -Original Message- From: 4D_Tech [mailto:4d_tech-boun...@lists.4d.com] On Behalf Of Timothy Penner Sent: Monday, December 5, 2016 4:35 PM To: 4D iNug Technical <4d_tech@lists.4d.com> Subject: RE: Most Current Cipher List for 4D and questions regarding OpenSSL versions being used Mike, v15.2 used OpenSSL 1.0.1p v15.3 was updated to OpenSSL 1.0.2j as described in the release notes: http://download.4d.com/Documents/Products_Documentation/LastVersions/Line_15/VIntl/4D_v15_3_ReleaseNotes_US.pdf For a cipher list, I like to check https://cipherli.st/ * then click on the link for "Do you need to (or are forced to) support old / legacy software like IE < 9, Android < 2.2 or Java < 6? Yes, give me a ciphersuite that works with legacy / old software. " * my browser (Chrome 54) doesn’t work with the default cipher list found on cipherli.st which is why I use the legacy link to get more ciphers. The legacy list provided right now on this site is: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" The only other change I did just now was remove "DES-CBC3-SHA" from the list because https://ssldecoder.org/ complained about it; which then resulted in "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-"+"SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:A"+"ES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" Hope that helps, Tim PENNER ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com ** ** 4D Internet Users Group (4D iNUG) FAQ: http://lists.4d.com/faqnug.html Archive: http://lists.4d.com/archives.html Options: http://lists.4d.com/mailman/options/4d_tech Unsub: mailto:4d_tech-unsubscr...@lists.4d.com **
