Thanks for adding the notes to issue 3431. I was hoping that Scott and
Emil could chime in where I think the changes need to happen. We're
wanting to implement 3.1.6 (up to 3.1.9) in our production environments,
and this change is key to that development.
If this is a logical place to start, we may implement 3.1.6x until
3.1.10 is available. ;)
Have you guys had a chance to take a quick look, yet?
Scott Ferguson wrote:
> On May 1, 2009, at 4:33 PM, Jay Ballinger wrote:
>> Please refer to:
>> http://bugs.caucho.com/view.php?id=3431 (which is a reopen of)
> I've added this information as a note to 3431. Now that we've
> released 4.0.0, we can start clearing out the old, stalled bug reports.
> -- Scott
>> We're using Resin Pro 3.1.6 and trying to limit the cipher suites for
>> JSSE. I couldn't find the documentation, but through trial and error
>> able to discover that http stanza allows this syntax for setting
>> <host port="443" host="some.host">
>> But running THCSSLCheck didn't show any change to the ciphers.
>> I dove down in to com.caucho.vfs.JsseSSLFactory and had to make the
>> following changes...
>> 1) in the public QServerSocket create(InetAddress host, int port)
>> method, there is a check for _cipherSuites != null. That if stmt
>> includes the following line:
>> While this appears to do what I need, it doesn't appear to really
>> anything. I'm not sure where the new SSLEngine is used. The
>> SSLServerSocketFactory is established in the same if block, but
>> new is set there.
>> 2) there is some commented code below that method that looks like it
>> setting protocols - pretty close to ciphers. I added the following
>> before the return stmt:
>> sslServerSocket.setEnabledCipherSuites( _cipherSuites );
>> And now I see a difference with THCSSLCheck.
>> Scott, I haven't looked any further than JsseSSLFactory and Port, so I
>> don't know if this was supposed to be handled somewhere else. And I'm
>> not sure if this is still an issue with 3.1.9, or the 3.2/4 code. I
>> think we're in the minority running JSSE, but it works well enough
>> for us.
>> We upgraded to 3.1.6 because this was reported as fixed on this
>> but obviously this isn't. Maybe there might be confusion with the
>> https.cipherSuites system property/java-args usage versus the socket
>> cipher suites - which would be my bad for not asking for the right
>> thing. If I understand the https.cipherSuites properly (now), that is
>> when you run as a client versus the server. To set server ciphers you
>> need to interact with the API directly - like the
>> This may be why 3431 was opened.
>> Is this a reasonable fix if we were to run 3.1.6mine? Has this been
>> fixed in newer revisions? Are there others running JSSE with an
>> in limiting the cipher suites and possibly the protocols?
>> + jay
>> resin-interest mailing list
> resin-interest mailing list
resin-interest mailing list