All,
This isn't Tomcat-related, but many folks on this list have this kind of experience, so I'm asking in case anyone knows.

I'd like to make an HTTPS connection to a server and, if I'm using non-ephemeral DH key exchange, I'd like to know what the parameters are for that connection. Actually, I don't really care if it's ephemeral or not. What I'm looking for is the ability to make a connection and then warn if the connection is using "weak" DH parameters.

Is that something I can check at connection-time? Or is the set of DH parameters (or, more specifically, the *length* of those parameters, in bits) defined by the cipher suite itself?

For example, the Qualys community thread has an illustration of the cipher suites that SSLLabs considers "weak" (well, everyone considers them weak... they just have a public tool which complains about them):

https://community.qualys.com/thread/14821

They specifically mention e.g. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 which is cipher suite 0x9f and mention the DH parameters. Are those parameters' parameters baked into the cipher suite (meaning they are *always* 1024-bit) or is this a configuration of the server that makes those cipher suites weak due to the specific DH parameter choice?

In either case, I'd like to be able to sniff that information from the connection if at all possible. Does anyone know if this can be done, and how?

Thanks,
-chris
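
Added example, not part of the original message: in TLS 1.2 and earlier, a server using a DHE suite sends the prime (dh_p), generator (dh_g) and its public value (dh_Ys) in the ServerKeyExchange handshake message (RFC 5246, section 7.4.3), so the prime length can be read from the handshake. The sketch below parses that message and flags an undersized prime. It assumes the raw handshake message bytes have already been captured; the function names, the 2048-bit threshold and the sample message are constructed for illustration.

```python
import struct

SERVER_KEY_EXCHANGE = 12  # handshake type, RFC 5246 section 7.4
MIN_DH_BITS = 2048        # assumed warning threshold, set to local policy


def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte length, then the bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def parse_dhe_ske(msg):
    """Return (p_bits, g, ys_bits); the trailing signature is not parsed."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _read_vec16(body, 0)     # dh_p: the prime modulus
    g, off = _read_vec16(body, off)   # dh_g: the generator
    ys, off = _read_vec16(body, off)  # dh_Ys: the server's public value
    return (int.from_bytes(p, "big").bit_length(),
            int.from_bytes(g, "big"),
            int.from_bytes(ys, "big").bit_length())


def dh_warning(p_bits, min_bits=MIN_DH_BITS):
    """Return a warning string for an undersized prime, else None."""
    if p_bits < min_bits:
        return f"weak DH parameters: {p_bits}-bit prime (< {min_bits})"
    return None


def build_sample(p_bits):
    """Constructed message: p is not a real prime, the signature is dummy."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes(p_bits // 8, "big")
    ys = b"\x01" * (p_bits // 8 - 1)
    body = b"".join(struct.pack("!H", len(v)) + v for v in (p, b"\x02", ys))
    body += b"\x04\x01" + struct.pack("!H", 4) + b"\x00" * 4
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
```

The bit length is taken from the integer value of dh_p, so leading zero bytes in the encoded prime do not inflate the reported size.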