You may need to install the JCE unlimited strength jurisdiction policy file from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html in order to have Java support AES 256.
On 09/09/14 15:53, Victor Medina wrote:
> root@ldap001:/home/administrador# openssl s_client -connect localhost:10636
> CONNECTED(00000003)
> depth=0 C = US, O = ASF, OU = Directory, CN = ldap001.test.local
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = US, O = ASF, OU = Directory, CN = ldap001.test.local
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 C = US, O = ASF, OU = Directory, CN = ldap001.test.local
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=US/O=ASF/OU=Directory/CN=ldap001.test.local
>    i:/C=US/O=ASF/OU=Directory/CN=ApacheDS
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIBfTCCAScCBgFIVuerVjANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJVUzEM
> MAoGA1UEChMDQVNGMRIwEAYDVQQLEwlEaXJlY3RvcnkxETAPBgNVBAMTCEFwYWNo
> ZURTMB4XDTE0MDkwODIwMTQ1NloXDTE1MDkwODIwMTQ1NlowTDELMAkGA1UEBhMC
> VVMxDDAKBgNVBAoTA0FTRjESMBAGA1UECxMJRGlyZWN0b3J5MRswGQYDVQQDExJs
> ZGFwMDAxLnRlc3QubG9jYWwwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApzet+vAT
> GSioE1Gqf6CDdHlZYu/wQjS0Go/43LCZxfZ48W6jnn4Kl1ZAkCLlZF1mTKD1bZpn
> dtlJmnJw8v3X4wIDAQABMA0GCSqGSIb3DQEBBQUAA0EAEZKUIUbQ7SxqO2GrFCwK
> AUqQUu1L3TiSo8anFIx9ADG+H0Ac8x+s4hTIljddPYdE0sC12+z+y58a6eNdL5fO
> OA==
> -----END CERTIFICATE-----
> subject=/C=US/O=ASF/OU=Directory/CN=ldap001.test.local
> issuer=/C=US/O=ASF/OU=Directory/CN=ApacheDS
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 837 bytes and written 567 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
> Server public key is 512 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol : TLSv1.2
>     Cipher : ECDHE-RSA-AES256-SHA384
>     Session-ID: 540F05BAF680AD3AF54796DA292A8EDCCADDE28677AE541EA4772A81DBA04B08
>     Session-ID-ctx:
>     Master-Key: 981A10E4F208E3F003B91C9F5E67230DCB64A50876E680F0A04FD597622B6011820083B6F7F0D7A64D8FC69CFEFC3205
>     Key-Arg : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1410270650
>     Timeout : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
>
> It seems very strong to me, I was looking if it supported GCM, which seems
> faster.
>
> 2014-09-09 9:10 GMT-04:30 Victor Medina <[email protected]>:
>
>> so...
>>
>> where can I find a list of valid values for TLS Cipher suite?
>> ads-enabledCipherSuites
>>
>> 2014-09-09 8:58 GMT-04:30 Emmanuel Lécharny <[email protected]>:
>>
>> On 09/09/14 14:05, Kiran Ayyagari wrote:
>>>> On Tue, Sep 9, 2014 at 5:35 PM, Victor Medina <[email protected]> wrote:
>>>>
>>>>> But I believe it uses bouncy castle right?
>>>>>
>>>>> yes
>>> Not anymore for that purpose. We only use the X509 utility classes from
>>> BC. Everything else is handled by the default Java security classes.
>>>
>>>
>>
>> --
>>
>> Víctor E. Medina M.
>> Software
>> +58424 291 4561
>> BB #79A8AFA2 /@VMCibersys
>>
>>
>
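
An added example (not part of the thread and not ApacheDS code): a small Java program that reports whether the JVM's policy files allow AES-256 and lists the JSSE cipher suite names the runtime supports, marking GCM and weak ones. It assumes `ads-enabledCipherSuites` takes standard JSSE suite names, which follows from the server relying on the default Java security classes; the class name `CipherSuiteCheck` is hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

public class CipherSuiteCheck {

    // Classify a JSSE suite name using substrings of the standard naming scheme.
    static String describe(String suite) {
        if (suite.contains("_NULL_") || suite.contains("_anon_")
                || suite.contains("_EXPORT_") || suite.contains("_RC4_")
                || suite.contains("_DES_")) {
            return "weak, do not enable";
        }
        String bulk = suite.contains("AES_256") ? "AES-256"
                : suite.contains("AES_128") ? "AES-128" : "other";
        return suite.contains("_GCM_") ? bulk + ", GCM (AEAD)" : bulk;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 128 with the limited-strength policy; Integer.MAX_VALUE once the
        // unlimited strength jurisdiction policy files are installed.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max allowed AES key length: "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));
        if (maxAes < 256) {
            System.out.println("AES-256 is not permitted by this JVM's policy files.");
        }

        SSLContext ctx = SSLContext.getDefault();
        Set<String> enabled = new HashSet<>(Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites()));

        // Every name printed here is one the runtime can actually negotiate.
        for (String suite : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (suite.endsWith("_SCSV")) {
                continue; // renegotiation signalling value, not a real suite
            }
            System.out.printf("%-9s %-48s %s%n",
                    enabled.contains(suite) ? "enabled" : "supported",
                    suite, describe(suite));
        }
    }
}
```

On a Java 7 runtime no `_GCM_` suites will be listed; SunJSSE gained them in Java 8.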
