Point of confusion: Eric Rescorla specifically cites SHA384 in his cipher examples for TLS 1.2 Update
http://www.ietf.org/rfc/rfc5246.txt
http://www.ietf.org/proceedings/70/slides/tls-0.pdf

Kuat Eshengazin used bltest as a test harness for SHA384

bltest -R -m prf_sha384 -k tests/prf_sha384/key0 -t tests/prf_sha384/seed0 -h -g 148 -x

https://bugzilla.mozilla.org/show_bug.cgi?id=480514

Is this incorrect?

Martin

> Date: Thu, 22 Aug 2013 14:53:55 +0100
> Subject: Re: Tomcat 7 / Java 7 with TLS 1.2 algorithms
> From: aterrest...@gmail.com
> To: users@tomcat.apache.org
>
> According to RFC 5246 Appendix C (TLS 1.2), there is no SHA384. See:
> http://www.ietf.org/rfc/rfc5246.txt
>
> The JSSE Reference Guide also doesn't talk about this SHA384 as an
> implementation requirement. See:
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#impl
>
> This means you have a problem with SHA256 only. Maybe it's easier to
> test on client-side, with one of the following ciphers (that you find
> on the same Reference Guide) for example:
>
> TLS_DH_RSA_WITH_AES_256_CBC_SHA256
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>
> Let me know if this works, or I will try to test by myself with my own client.
>
> 2013/8/22 Dennis Sosnoski <d...@sosnoski.com>:
> > I've already done that, though as far as I can see that doesn't affect the
> > digest algorithms (only the encryption options).
> >
> > - Dennis
> >
> > On 08/23/2013 12:24 AM, Aurélien Terrestris wrote:
> >>
> >> Hello
> >>
> >> I suppose you need to run your JVM with the unrestricted policy files (on
> >> both client and server sides). You have to download them from Oracle
> >> website for your java version, and replace the old.
> >>
> >> These files are:
> >> local_policy.jar
> >> US_export_policy.jar
> >>
> >> Regards
> >>
> >> 2013/8/22 <d...@sosnoski.com>:
> >>>
> >>> Tomcat 7.0.40 seems to work well with TLS 1.2, forced by using a
> >>> sslEnabledProtocols="TLSv1.2" attribute on the <Connector>. But I haven't
> >>> been able to make it work with any of the SHA256/384 algorithms - they
> >>> always show up in the "Ignoring unsupported cipher suite" list. I get the
> >>> same thing happening when I try to use them from client code, so I know
> >>> it's not a Tomcat issue, but I'm hoping someone knows a workaround.
> >>>
> >>> Any suggestions?
> >>>
> >>> Thanks,
> >>>
> >>> - Dennis
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
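
A diagnostic for the situation described in this thread, as an added example that is not part of any of the original messages: it prints the JVM's maximum allowed AES key length (to confirm whether the unrestricted policy files are active) and which SHA256/SHA384 cipher suites the JSSE provider reports as supported or enabled for a TLSv1.2 context. The class name `Tls12SuiteCheck` is hypothetical; the two suite names tried at the end are the ones suggested in the reply quoted above.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical diagnostic class (the name is an assumption, not from the thread).
public class Tls12SuiteCheck {
    public static void main(String[] args) throws Exception {
        // Integer.MAX_VALUE means the unrestricted policy files are in effect;
        // 128 means the JVM is still limited to 128-bit AES keys.
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers, RNG

        SSLEngine engine = ctx.createSSLEngine();
        System.out.println("Protocols enabled by default: "
                + Arrays.toString(engine.getEnabledProtocols()));
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});

        Set<String> supported = new LinkedHashSet<String>(
                Arrays.asList(engine.getSupportedCipherSuites()));
        Set<String> enabled = new LinkedHashSet<String>(
                Arrays.asList(engine.getEnabledCipherSuites()));

        // List every SHA256/SHA384 suite the provider knows, and whether it is
        // in the provider's default enabled list or only in the supported list.
        for (String suite : supported) {
            if (suite.endsWith("_SHA256") || suite.endsWith("_SHA384")) {
                String state = enabled.contains(suite) ? "enabled  " : "supported";
                System.out.println(state + " " + suite);
            }
        }

        // Try the two suites suggested in the thread; the provider throws
        // IllegalArgumentException for a name it does not support.
        String[] suggested = {
            "TLS_DH_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
        };
        for (String suite : suggested) {
            try {
                engine.setEnabledCipherSuites(new String[] {suite});
                System.out.println("accepted by provider: " + suite);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected by provider: " + suite + " (" + e.getMessage() + ")");
            }
        }
    }
}
```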