Please refer to: (which is a reopen of)

We're using Resin Pro 3.1.6 and trying to limit the cipher suites for 
JSSE. I couldn't find the documentation, but through trial and error was 
able to discover that http stanza allows this syntax for setting ciphers...

<host port="443" host="">

But running THCSSLCheck didn't show any change to the ciphers.

I dove down in to com.caucho.vfs.JsseSSLFactory and had to make the 
following changes...

1) in the public QServerSocket create(InetAddress host, int port) 
method, there is a check for _cipherSuites != null. That if stmt 
includes the following line:
While this appears to do what I need, it doesn't appear to really affect 
anything. I'm not sure where the new SSLEngine is used. The 
SSLServerSocketFactory is established in the same if block, but nothing 
new is set there.

2) there is some commented code below that method that looks like it was 
setting protocols - pretty close to ciphers. I added the following just 
before the return stmt:
sslServerSocket.setEnabledCipherSuites( _cipherSuites );
And now I see a difference with THCSSLCheck.

Scott, I haven't looked any further than JsseSSLFactory and Port, so I 
don't know if this was supposed to be handled somewhere else. And I'm 
not sure if this is still an issue with 3.1.9, or the 3.2/4 code. I 
think we're in the minority running JSSE, but it works well enough for us.

We upgraded to 3.1.6 because this was reported as fixed on this version, 
but obviously this isn't. Maybe there might be confusion with the 
https.cipherSuites system property/java-args usage versus the socket 
cipher suites - which would be my bad for not asking for the right 
thing. If I understand the https.cipherSuites properly (now), that is 
when you run as a client versus the server. To set server ciphers you 
need to interact with the API directly - like the SSLServerSocketFactory 

This may be why 3431 was opened.

Is this a reasonable fix if we were to run 3.1.6mine? Has this been 
fixed in newer revisions? Are there others running JSSE with an interest 
in limiting the cipher suites and possibly the protocols?

+ jay

resin-interest mailing list

Reply via email to