Hey Lucas, I'll definitely give that a try. Thanks!
-Frank

On Wed, Nov 16, 2022 at 12:14 PM Tetreault, Lucas <tetlu...@amazon.com.invalid> wrote:

> Hey Frank,
>
> There are loads of configuration options available, e.g.:
> https://www.java.com/en/configure_crypto.html
>
> You should be able to enable only specific curves
> (https://www.java.com/en/configure_crypto.html#DisablenonNIST) using
> something like:
>
> export ACTIVEMQ_OPTS='-Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192"'
>
> Hopefully that helps!
>
> Lucas
>
> On 2022-11-16, 9:31 AM, "Justin Bertram" <jbert...@apache.org> wrote:
>
> Do you have a clear idea of what you would change if you forked ActiveMQ "Classic"? If so, you could send that change as a PR, and it could potentially be incorporated into the next release. Given what you've observed regarding Java's SSLServerSocket and SSLParameters it seems like the JDK doesn't provide applications with any options here. It's not clear what the broker might do to support your use-case.
>
> If BouncyCastle provides the configuration you need can you not integrate BouncyCastle with the broker's JVM as the security provider?
>
> If using ActiveMQ Artemis is an option for you it provides integration with OpenSSL so if you can configure what you need in OpenSSL then that also may be a possibility for you.
>
>
> Justin
>
> On Wed, Nov 16, 2022 at 9:42 AM Frank Crow <fjcrow2...@gmail.com> wrote:
>
> > Yeah, I'm pretty familiar with the javax.net.ssl package, related system properties, security providers and their configurations. I'm also familiar with other middleware products that offer a specific configuration item for elliptic curves (e.g., PostgreSQL, OpenSSL, etc.). I'm fairly confident that, unless I fork ActiveMQ and implement that myself, there is no external configuration, property or even bean that I could add to make it happen.
> >
> > Looking at the ActiveMQ "SSL Transport Reference" we see that such *transport* options are passed to SSLServerSocket which, if you read through the Javadoc, is really handled by the SSLParameters and even that has zero provision for ECDH parameters. Many products that support very granular encryption configuration do so via 3rd party libraries such as BouncyCastle.
> >
> > So, I think that, unless anyone knows differently, ActiveMQ does not support what I'm looking for by any means.
> >
> > Thanks,
> > Frank
> >
> >
> > On Tue, Nov 15, 2022 at 7:07 PM Justin Bertram <jbert...@apache.org> wrote:
> >
> > > The broker delegates all this work to the JVM in the first place so I think you're more likely to find what you're looking for in the JVM directly. Even the value for the "transport.enabledCipherSuites" parameter is passed through to the underlying SSL implementation provided by the JVM.
> > >
> > > Have you investigated this from the JVM's perspective?
> > >
> > >
> > > Justin
> > >
> > > On Tue, Nov 15, 2022 at 3:33 PM Frank Crow <fjcrow2...@gmail.com> wrote:
> > >
> > > > No, because the ability to specify cipher suites does not include any way to specify the specific type of elliptic curve.
> > > >
> > > > At the moment, the configuration that is in place is using the ECDHE-RSA-AES256-GCM-SHA384 cipher.
> > > >
> > > > The ECDHE key exchange is apparently using P-256 by default. I need it to be stronger or I need to document that I am unable to change that configuration item.
> > > >
> > > >
> > > > Thanks,
> > > > Frank
> > > >
> > > >
> > > > On Tue, Nov 15, 2022 at 4:21 PM Justin Bertram <jbert...@apache.org> wrote:
> > > >
> > > > > Did you try using the "transport.enabledCipherSuites" parameter mentioned here [1]?
> > > > >
> > > > >
> > > > > Justin
> > > > >
> > > > > [1] https://activemq.apache.org/ssl-transport-reference
> > > > >
> > > > > On Tue, Nov 15, 2022 at 2:16 PM Frank Crow <fjcrow2...@gmail.com> wrote:
> > > > >
> > > > > > Hello all,
> > > > > >
> > > > > > Does anyone know if it is possible to specify which elliptic curve will be used by the broker for ECDHE key exchanges? Currently I have TLS enabled and I'm seeing that it is using a 256-bit (P-256) elliptic curve. I have requirements for 384-bit elliptic curves or better.
> > > > > >
> > > > > > Is there some transport.option that I can use or is there some other method to configure the elliptic curve that ActiveMQ uses?
> > > > > >
> > > > > >
> > > > > > Thanks,
> > > > > > --
> > > > > > Frank
> > > > >
> > > >
> > > > --
> > > > Frank
> > >
> >
> > --
> > Frank
>

--
Frank
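Two practical notes on the jdk.tls.namedGroups approach Lucas suggests, followed by a small client-side probe for checking that the restriction actually took effect. First, the list in Lucas's example still contains secp256r1, secp256k1 and the 283-bit binary curves, so a JVM started with it can still negotiate a 256-bit ECDHE group; to meet a "384-bit or better" requirement the list has to be trimmed to the groups that satisfy it (for example secp384r1 and secp521r1, plus ffdhe3072 or larger only if DHE suites are enabled). Second, the property is read once when the JSSE provider initialises, so it must be passed on the broker's command line (which is exactly what ACTIVEMQ_OPTS does) rather than set after the broker has opened its first socket. The program below is an added example written for this page; it is not code from the thread or from ActiveMQ. It starts a JVM whose own named groups are restricted to whatever is given on the command line and attempts a handshake with the broker, so offering only secp256r1 must be rejected and offering secp384r1 must succeed once the server side is restricted. It assumes the broker's certificate is trusted by the probe JVM (default truststore or -Djavax.net.ssl.trustStore) and that group names use JSSE's spelling (secp384r1, not P-384); the host, port and group arguments are the caller's.

```java
import java.io.IOException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
 * NamedGroupProbe: added example, not part of the thread or of ActiveMQ.
 *
 * Verifies a broker's ECDHE group restriction from the client side by
 * offering only the named groups given on the command line. Assumed usage
 * after restricting the broker to 384-bit-or-better groups:
 *
 *   export ACTIVEMQ_OPTS='-Djdk.tls.namedGroups="secp384r1, secp521r1"'
 *   (restart the broker)
 *   java NamedGroupProbe broker.example 61617 secp256r1   # expect REJECTED
 *   java NamedGroupProbe broker.example 61617 secp384r1   # expect OK
 *
 * Trust for the broker certificate is assumed to come from the default
 * truststore or -Djavax.net.ssl.trustStore on the probe's command line.
 */
public class NamedGroupProbe {

    /** Returns 0 on a completed handshake, 1 if the server rejected it, 3 on I/O errors. */
    static int probe(String host, int port, String groups) {
        // jdk.tls.namedGroups is consumed when the JSSE provider initialises,
        // so it must be set before the first SSLSocketFactory call in this JVM.
        // Passing it as -D on the command line is the safer equivalent.
        System.setProperty("jdk.tls.namedGroups", groups);

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            System.out.printf("OK: handshake completed offering [%s]; protocol=%s suite=%s%n",
                    groups,
                    socket.getSession().getProtocol(),
                    socket.getSession().getCipherSuite());
            return 0;
        } catch (SSLHandshakeException e) {
            // Expected outcome when the probe's groups and the broker's groups
            // are disjoint: the server has no acceptable key-exchange group.
            System.out.printf("REJECTED: handshake failed offering [%s]: %s%n",
                    groups, e.getMessage());
            return 1;
        } catch (IOException e) {
            // Connection refused, wrong port, etc. Not a verdict on the groups.
            System.out.printf("ERROR: %s%n", e);
            return 3;
        }
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: NamedGroupProbe <host> <port> <comma-separated named groups>");
            System.err.println("  e.g. NamedGroupProbe broker.example 61617 secp256r1");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String groups = args[2];
        System.exit(probe(host, port, groups));
    }
}
```

Run the probe once per group you want to rule in or out; a REJECTED result for secp256r1 together with an OK result for secp384r1 is the evidence Frank was looking for that the broker's JVM no longer negotiates P-256. The same check can be done with openssl s_client using its -groups option (P-256 versus P-384), which is handy when no JDK is installed on the client host. JDK 20 later added SSLParameters.setNamedGroups as a per-socket equivalent of the property, but since the broker creates its own sockets the system property remains the way to apply it to ActiveMQ without modifying the broker.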