Marvin, thanks for confirming! Does this warrant a note in the wiki under our LDAP section?
Cheers,
Scott

On Fri, Aug 20, 2010 at 1:26 PM, Marvin Addison <[email protected]> wrote:

> > Check down under "Strong Versus Unlimited Strength." There are some issues
> > with import controls. Note, the document is referring specifically to JDK
> > 1.4, so I don't know if it's the same for newer versions.
>
> It applies to the 1.5 JRE and 1.6 JDK I just checked. For reference,
> the following ciphers are supported by default:
>
> // Some countries have import limits on crypto strength. This policy
> // file is worldwide importable.
> grant {
>     permission javax.crypto.CryptoPermission "DES", 64;
>     permission javax.crypto.CryptoPermission "DESede", *;
>     permission javax.crypto.CryptoPermission "RC2", 128,
>         "javax.crypto.spec.RC2ParameterSpec", 128;
>     permission javax.crypto.CryptoPermission "RC4", 128;
>     permission javax.crypto.CryptoPermission "RC5", 128,
>         "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
>     permission javax.crypto.CryptoPermission "RSA", *;
>     permission javax.crypto.CryptoPermission *, 128;
> };
>
> For the record, the first thing we do when provisioning a new JVM is
> to download the unlimited strength policy files and apply them in
> place of the defaults. I'm so accustomed to having 256-bit ciphers
> available that it never dawned on me that the problem the OP had could
> be related to cipher bit length. Joel, you might consider upgrading
> to 256-bit AES on your Java clients instead of downgrading OpenLDAP to
> 128.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
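
Added example, not part of the original thread and not CAS project code: a small Java check that reports the key lengths the installed JCE jurisdiction policy allows for the algorithms in the quoted policy file, and lists the 256-bit AES TLS suites the JVM reports as supported. The class name JcePolicyCheck and its method names are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLSocketFactory;

/** Added example: reports what the installed JCE jurisdiction policy allows. */
public class JcePolicyCheck {

    // Algorithms named in the default policy file quoted in the thread, plus
    // AES, which falls under the catch-all "*, 128" entry.
    static final String[] ALGORITHMS = {"DES", "DESede", "RC2", "RC4", "RC5", "RSA", "AES"};

    /** Maximum key length in bits the policy allows; Integer.MAX_VALUE means no limit. */
    static int maxKeyBits(String algorithm) throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength(algorithm);
    }

    /** True when the policy permits 256-bit AES keys. */
    static boolean aes256Allowed() throws NoSuchAlgorithmException {
        return maxKeyBits("AES") >= 256;
    }

    /** TLS suites using 256-bit AES that this JVM reports as supported. */
    static List<String> aes256Suites() {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        List<String> suites = new ArrayList<String>();
        for (String suite : factory.getSupportedCipherSuites()) {
            if (suite.contains("AES_256")) {
                suites.add(suite);
            }
        }
        return suites;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        for (String algorithm : ALGORITHMS) {
            int bits = maxKeyBits(algorithm);
            System.out.println(algorithm + ": "
                    + (bits == Integer.MAX_VALUE ? "unlimited" : bits + " bits"));
        }
        System.out.println("AES-256 permitted by policy: " + aes256Allowed());
        List<String> suites = aes256Suites();
        System.out.println("AES_256 TLS suites available: " + suites.size());
        for (String suite : suites) {
            System.out.println("  " + suite);
        }
    }
}
```

On JDK 8u161 and later, and on JDK 9 and newer, the unlimited policy is the default, so every algorithm reports unlimited without separate policy files being installed.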
