All,
On 8/31/16 12:45 PM, Christopher Schultz wrote:
> All,
>
> This isn't Tomcat-related, but many folks on this list have this
> kind of experience, so I'm asking in case anyone knows.
>
> I'd like to make an HTTPS connection to a server and, if I'm using
> non-ephemeral DH key exchange, I'd like to know what the
> parameters are for that connection. Actually, I don't really care
> if it's ephemeral or not.
>
> What I'm looking for is the ability to make a connection and then
> warn if the connection is using "weak" DH parameters. Is that
> something I can check at connection-time? Or is the set of DH
> parameters (or, more specifically, the *length* of those
> parameters, in bits) defined by the cipher suite itself?
>
> For example, the Qualys community thread has an illustration of
> the cipher suites that SSLLabs considers "weak" (well, everyone
> considers them weak... they just have a public tool which complains
> about them): https://community.qualys.com/thread/14821
>
> They specifically mention e.g. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> which is cipher suite 0x9f and mention the DH parameters. Are
> those parameters' parameters baked into the cipher suite (meaning
> they are *always* 1024-bit) or is this a configuration of the
> server that makes those cipher suites weak due to the specific DH
> parameter choice?
>
> In either case, I'd like to be able to sniff that information from
> the connection if at all possible. Does anyone know if this can be
> done, and how?
>
> Thanks,
> -chris

It seems that this isn't possible. Does anyone on the list have the karma required to file an enhancement request for the Java API? Or does everything need to be a darned JSR?
-chris
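The thread asks how to learn the negotiated DH group size at connection time. The cipher suite name (e.g. `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`) fixes only the algorithms; the finite-field DH group, and so its bit length, is chosen by the server's configuration. Independently of the Java API question, a defender can observe that choice from outside the application with `openssl s_client`, which (OpenSSL 1.0.2 or later) prints a `Server Temp Key:` line naming the ephemeral key type and size. The following shell script is an added example, not code from the original thread; it parses that line and flags finite-field DH groups under 2048 bits, and the `Server Temp Key` lines it is exercised against are constructed samples rather than captures from any real server.

```shell
#!/bin/sh
# Added example, not from the original thread. Parses `openssl s_client`
# output (OpenSSL >= 1.0.2 prints a "Server Temp Key:" line) and flags
# finite-field DH groups below MIN_DH_BITS. The sample lines fed to these
# functions are constructed, not captured from a real server.

MIN_DH_BITS=2048   # 1024-bit groups are the ones SSL Labs marks as weak

# Print the key-exchange kind from the first "Server Temp Key:" line on
# stdin, e.g. "DH", "ECDH" or "X25519"; prints nothing if there is none.
dh_kind_from_output() {
    sed -n 's/^Server Temp Key: \([^,]*\),.*/\1/p' | head -n 1
}

# Print the size in bits from the same line (the trailing "NNN bits").
dh_bits_from_output() {
    sed -n 's/^Server Temp Key: .*, \([0-9][0-9]*\) bits$/\1/p' | head -n 1
}

# check_dh OUTPUT: return 0 if the handshake is acceptable, 1 if it used
# a finite-field DH group smaller than MIN_DH_BITS, 2 if no ephemeral key
# was reported (static key exchange, or the handshake did not complete).
check_dh() {
    kind=$(printf '%s\n' "$1" | dh_kind_from_output)
    bits=$(printf '%s\n' "$1" | dh_bits_from_output)
    if [ -z "$kind" ] || [ -z "$bits" ]; then
        echo "no ephemeral key reported"
        return 2
    fi
    if [ "$kind" = "DH" ] && [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "WEAK: finite-field DH group of $bits bits (< $MIN_DH_BITS)"
        return 1
    fi
    echo "OK: $kind, $bits bits"
    return 0
}

# probe_dh HOST [PORT]: connect offering only DHE suites over TLS 1.2, so a
# server that supports finite-field DH at all must use it, then check the
# group it chose. Needs network access; not exercised by the tests.
probe_dh() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null)
    check_dh "$out"
}
```

Run `probe_dh example.org` against your own server to see which group it hands out; a server that never reports `DH` under `-cipher DHE` simply does not offer finite-field DHE suites.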