I found an interesting example of the inadverent problems that can be
caused by Geronimo's current usage of bouncycastle. The openejb SunOrb
codes specifies a list of supported cipher suites to be used with SSL
connections in the class SSLCipherSuiteDatabase. The supported list
includes the IDEA algorithms. The Sun default JCE implemenation does
not include IDEA, so this will not be used unless additional JCE
provides are installed which include IDEA support. So far, so good.
The IDEA code, even though listed as an option, will not get used
without explicit knowledge of the Gernonmo administrator.
However, the current console code uses the bouncycastle code to
implement its keystore. This usage is in a manner that requires the BC
provider code to be installed programmatically, which the console code
does. Unfortunately, once this is done, the IDEA algorithms are now
available for use for SSL connections as well. This server is now
potentially a royalty collection target by the IDEA patent holders,
since they can demonstrate usage by having a client connect with this
server using the IDEA ciphers. We might even want to consider allowing
these algorithms to be controlled by the server config rather than just
hard coding them in the class.
One way to fix this is just remove the IDEA algorithms from the
SSLCipherSuiteDatabase, so these will not be used for SSL connections.
Another potential solution (yet to be verified) is to use the BC APIs
that allow the default JCE provider to be used for encryption services
rather than defaulting to the BC provider.
Rick
- Re: IDEA block cipher inclusion via the "bouncy c... Rick McGuire
-
