http://security.stackexchange.com/questions/7440/what-ciphers-should-i-use-in-my-web-server-after-i-configure-my-ssl-certificate With a RSA key you can nominally use the "RSA" and "DHE_RSA" cipher suite. But if the server certificate has a Key Usage extension which does not include the "keyEncipherment" flag, then you are nominally limited to "DHE_RSA". With a DSA key you can use only a "DHE_DSS" cipher suite. With a Diffie-Hellman key, you can use only one of "DH_RSA" or "DH_DSS", depending on the issuing certificate authority key type. your witness
Martin ______________________________________________ > From: mgai...@hotmail.com > To: users@tomcat.apache.org > Subject: RE: Restricting ciphers > Date: Thu, 10 Jan 2013 22:35:05 -0500 > > > its a simple question what does ciphers parameter in Connector have anything > to do with the supported ciphers from the key itself the 2 are disconnected > please dont waste my time and anyone elses with insults when you are unable > to answer this simple question > Martin Gainty > ___________________________________________ When Free Speech and Discovery > are replaced by Confusion and Obfuscation its time to move > Date: Thu, 10 > Jan 2013 18:25:02 -0500 > > From: ch...@christopherschultz.net > > To: users@tomcat.apache.org > > Subject: Re: Restricting ciphers > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA256 > > > > Martin, > > > > Honestly, I'm not sure why I'm feeding the troll at this point. Maybe > > I'm trying to atone for some horrible crime I can't remember. > > > > On 1/10/13 10:05 AM, Martin Gainty wrote: > > > terminology : > > > > Nobody was arguing about terminology. Next time, just refer to > > Wikipedia like everyone else. > > > > > All you don't know is whether those certificate & private key are > > > RSA or DSA algorithms > > > > It doesn't matter: you can use RSA (like everyone does) or DSA and > > that will only determine the type of key you have. The cipher can (and > > will, since SSL/TLS encryption is symmetric and not PK) use a > > different algorithm for encryption. > > > > > you see if it's an RSA or DSA key (along with the key size). > > > > Again, key size is only relevant for people who think that bigger is > > better. You can create a 16k key and it won't be much more secure than > > an 8k key. Stronger crypto, yes, but nobody tries to guess SSL keys: > > they use compression (e.g. CRIME) and other nasty tricks so they don't > > have to do the hard work of key-cracking. > > > > > cipherGroup is categorised by keysize within cipher-groups (usually > > > a 4digit number which is a power of 2 e.g. 1024 and 2048) > > > > Sorry, ciphers and keys are not interchangeable: keys usually have 1k, > > 2k, 4k, etc. bits in them while symmetric ciphers usually max out at > > 256-bit key sizes. Try running some of the commands you are grabbing > > off the web to see what I'm talking about. > > > > I've never heard the term "cipherGroup". > > > > > ECB, CBC and PCBC are the usual choices for the optional > > > ModeOfOperation parameter Determining the ALGO-CIPHER supported by > > > your key so we can see that public keys contain a algorithm-cipher > > > combination but how to determine the algo-cipher supported by your > > > key: > > > > Sorry, your key can support (essentially) arbitrary ciphers. Your key > > type has no bearing on whether or not ECB, CBC, etc. can be used. > > > > > keytool -list -v -keystore fubar.pfx -storetype PKCS12 Here is > > > output: Certificate fingerprints: MD5: SHA1: > > > Signature algorithm name: SHA1withRSA Providers (SUN, SunJCE, > > > SunJSSE,SunRsaSign, IBMJSSE, bcprov-jdkNN-MMM) Lets stick with > > > SunJSSE as our provider supported ciphers will be those ciphers > > > which match SHA1 with RSA from this list: > > > > Wrong again: the signature algorithm used to fingerprint your own key > > has no bearing on the message digests usable for your ciphers. > > > > > so what you are asking Tomcat Connector to do is > > > > > > 1)export contents of supplied keystoreFile key of keystoreType > > > PKCS12 > > > > > > 2)determine Signature algorithm name > > > > > > 3)aggregate cipherSuite by determining Signature specific > > > supported ciphers from Signature algorithm name from > > > http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html > > > > > > > > > > > 4)reference ciphers attribute from Tomcat <Connector > > > > > > 5)determine SignatureSpecificSupportedCiphers from 3) and > > > implement ONLY those ciphers which match exactly to the ciphers > > > listed in Tomcat Connector 5) > > > > None of the previous 5 items is accurate. > > > > > (i have not seen this currently implemented) > > > > That's because Tomcat does something else. Actually, JSSE does all the > > heavy-lifting: Tomcat just configures the TrustStore and a few other > > things and then lets JSSE take over. Or OpenSSL if you're using > > APR/native. > > > > Now, if you've had enough, kindly stop confusing people. > > > > - -chris > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG/MacGPG2 v2.0.17 (Darwin) > > Comment: GPGTools - http://gpgtools.org > > Comment: Using GnuPG with undefined - http://www.enigmail.net/ > > > > iEYEAREIAAYFAlDvTc4ACgkQ9CaO5/Lv0PC70gCgqL83yS3LxAqhS+eAFi1StwPU > > J5kAoMPWqUx/qnoB8gBla4gkRSWbpswO > > =W6U2 > > -----END PGP SIGNATURE----- > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > >
