Also, read and understand the linked-to issue on the IBM side for TLS (from
the prior message)

https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html

The IBM JVM apparently does not follow the OpenJDK standard naming of
things (which dozens of other alternate JVMs do). That article tells you
how to correct the startup of your IBM JVM to address that as well.



Joakim Erdfelt / joa...@webtide.com

On Wed, Mar 14, 2018 at 11:53 AM, Silvio Bierman <
sbier...@jambo-software.com> wrote:

> Those are ciphers for the SSL protocol instead of TLS. You do not want to
> use those...
>
> -------- Original message --------
> From: Lothar Kimmeringer <j...@kimmeringer.de>
> Date: 3/14/18 17:36 (GMT+01:00)
> To: jetty-users@eclipse.org
> Subject: Re: [jetty-users] keystore
>
> Hi,
>
> On 14.03.2018 at 17:24, Joakim Erdfelt wrote:
>
> > * The IBM JVM is not sane, look into its cipher suites and protocols.
> >
> > A quick comparison shows that it has half the cipher suites that oracle
> > jvm or openjdk has.
>
> Not necessarily. At least the JVM for i Series has more or less the same
> ciphers but the textual representation is not starting with TLS_... but
> SSL_... so filters based on the textual representation will filter out most
> of them (in my case where I found that out, all ciphers were filtered).
>
> Here as an example -Djavax.net.debug=ssl:handshake output for a ClientHello
> sent by an AS/400:
>
> Cipher Suites: [
>   TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
>   SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>   SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>   SSL_RSA_WITH_AES_256_CBC_SHA256,
>   SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>   SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
>   SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
>   SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
>   SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
>   SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
>   SSL_RSA_WITH_AES_256_CBC_SHA,
>   SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
>   SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
>   SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
>   SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
>   SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
>   SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
>   SSL_RSA_WITH_AES_128_CBC_SHA256,
>   SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
>   SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
>   SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
>   SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
>   SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
>   SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
>   SSL_RSA_WITH_AES_128_CBC_SHA,
>   SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
>   SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
>   SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
>   SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
>   SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>   SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
>   SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>   SSL_RSA_WITH_AES_256_GCM_SHA384,
>   SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
>   SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
>   SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
>   SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
>   SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
>   SSL_RSA_WITH_AES_128_GCM_SHA256,
>   SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
>   SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
>   SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
>   SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]
>
>
> Cheers, Lothar
> _______________________________________________
> jetty-users mailing list
> jetty-users@eclipse.org
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>
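
The filtering failure Lothar describes, as an added example (not code from this thread or from Jetty): a name-based exclude list is applied to suite names first as the JVM spells them, then after mapping the `SSL_` prefix to `TLS_`. The class name, the three exclude patterns and the assumption that `SSL_X` and `TLS_X` denote the same suite are illustrative, and the sample names are a constructed subset of the ClientHello quoted above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

public class CipherNameFilterDemo {
    // Hypothetical exclude rules, standing in for a name-based server filter.
    static final List<Pattern> EXCLUDES = Arrays.asList(
        Pattern.compile("^SSL_.*$"),                               // prefix rule
        Pattern.compile("^.*_(RC4|DES|3DES_EDE|NULL|EXPORT)_.*$"), // weak algorithms
        Pattern.compile("^.*_(MD5|SHA|SHA1)$"));                   // weak MACs

    // Assumption: SSL_X and TLS_X are two spellings of the same suite.
    static String normalize(String suite) {
        return suite.startsWith("SSL_") ? "TLS_" + suite.substring(4) : suite;
    }

    // Returns the suites that survive EXCLUDES, in the JVM's own spelling.
    static List<String> keep(String[] suites, boolean normalizeFirst) {
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            String probe = normalizeFirst ? normalize(suite) : suite;
            boolean excluded = false;
            for (Pattern p : EXCLUDES) {
                excluded |= p.matcher(probe).matches();
            }
            if (!excluded) {
                kept.add(suite);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a few names taken from the ClientHello above.
        String[] sample = {
            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
            "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "SSL_DHE_RSA_WITH_AES_256_CBC_SHA256",
            "SSL_RSA_WITH_AES_128_CBC_SHA" };
        System.out.println("as named:   " + keep(sample, false));
        System.out.println("normalized: " + keep(sample, true));
        // The same comparison against whatever JVM runs this class.
        String[] live = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        System.out.println("live JVM, as named:   " + keep(live, false).size() + " of " + live.length);
        System.out.println("live JVM, normalized: " + keep(live, true).size() + " of " + live.length);
    }
}
```

Once names are normalized the prefix rule no longer matches anything, so weak suites have to be caught by the algorithm and MAC rules, which judge a suite by what it contains instead of how the JVM spells it.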