Nice!
On 2022-11-17, 6:23 AM, "Frank Crow" wrote:
Hey Lucas,
I tried that on a development VM this morning and that (the namedGroups)
worked perfectly! For my requirements, I only need FIPS-approved and
384-bit or better, so something as simple as:
export ACTIVEMQ_OPTS='-Djdk.tls.namedGroups=secp384r1'
Covers the requirement. Reading around
Hey Lucas,
I'll definitely give that a try. Thanks!
-Frank
On Wed, Nov 16, 2022 at 12:14 PM Tetreault, Lucas
wrote:
Hey Frank,
There are loads of configuration options available, e.g.:
https://www.java.com/en/configure_crypto.html
You should be able to enable only specific curves
(https://www.java.com/en/configure_crypto.html#DisablenonNIST) using something
like:
export ACTIVEMQ_OPTS='-Djdk.tls.namedGro
Do you have a clear idea of what you would change if you forked ActiveMQ
"Classic"? If so, you could send that change as a PR, and it could
potentially be incorporated into the next release. Given what you've
observed regarding Java's SSLServerSocket and SSLParameters it seems like
the JDK doesn't
Yeah, I'm pretty familiar with the javax.net.ssl package, related system
properties, security providers and their configurations. I'm also
familiar with other middleware products that offer a specific configuration
item for elliptic curves (e.g., PostgreSQL, OpenSSL, etc.). I'm fairly
confident
The broker delegates all this work to the JVM in the first place so I think
you're more likely to find what you're looking for in the JVM directly.
Even the value for the "transport.enabledCipherSuites" parameter is passed
through to the underlying SSL implementation provided by the JVM.
Have you
No, because the ability to specify cipher suites does not include any way
to specify the specific type of elliptic curve.
At the moment, the configuration that is in place is using the
ECDHE-RSA-AES256-GCM-SHA384 cipher.
The ECDHE key exchange is apparently using P-256 by default. I need it to
Did you try using the "transport.enabledCipherSuites" parameter mentioned
here [1]?
Justin
[1] https://activemq.apache.org/ssl-transport-reference
On Tue, Nov 15, 2022 at 2:16 PM Frank Crow wrote:
Hello all,
Does anyone know if it is possible to specify which elliptic curve will be
used by the broker for ECDHE key exchanges? Currently I have TLS enabled
and I'm seeing that it is using a 256-bit (P-256) elliptic curve. I have
requirements for 384-bit elliptic curves or better.
Is there s
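
Added example, not part of the original thread or of ActiveMQ: one way to confirm which ECDHE key size the broker actually negotiates after setting jdk.tls.namedGroups, by checking the temp-key line that `openssl s_client` prints. The function names, the sample lines (constructed) and the broker host and port are assumptions; the "Peer Temp Key" label is accepted alongside "Server Temp Key" on the assumption that some OpenSSL builds print it that way.

```shell
# Constructed sample lines in the shape `openssl s_client` prints them.
SAMPLE_P256='Server Temp Key: ECDH, P-256, 256 bits'
SAMPLE_P384='Server Temp Key: ECDH, P-384, 384 bits'
SAMPLE_X25519='Server Temp Key: X25519, 253 bits'

# Print the first "Server Temp Key:" / "Peer Temp Key:" line from stdin.
temp_key_line() {
    awk '/^(Server|Peer) Temp Key:/ && !seen { print; seen = 1 }'
}

# Print the number that precedes "bits" in a temp-key line read from stdin.
temp_key_bits() {
    sed -n 's/.* \([0-9][0-9]*\) bits.*/\1/p'
}

# Usage: check_curve MIN_BITS < s_client-output
# Returns 0 for an ECDH key of at least MIN_BITS, 1 for the wrong key type
# or a smaller key, 2 when no temp-key line is present at all.
check_curve() {
    min_bits=${1:-384}
    line=$(temp_key_line)
    if [ -z "$line" ]; then
        echo "UNKNOWN: no temp key line (handshake failed or no ephemeral key)"
        return 2
    fi
    case $line in
        *ECDH*) ;;
        *) echo "FAIL: not an ECDH (EC curve) key: $line"; return 1 ;;
    esac
    bits=$(printf '%s\n' "$line" | temp_key_bits)
    if [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]; then
        echo "OK: $line"
        return 0
    fi
    echo "FAIL: below $min_bits bits: $line"
    return 1
}

# Against a live broker (host and port are placeholders):
#   openssl s_client -connect broker.example:61617 </dev/null 2>/dev/null | check_curve 384
printf '%s\n' "$SAMPLE_P256" | check_curve 384 || true
printf '%s\n' "$SAMPLE_P384" | check_curve 384 || true
```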