Re: [Resin-interest] CipherSuites for Jsse in resin 3.1.6
On Jul 24, 2009, at 12:52 PM, Steffen Busch wrote:

> I second that. It would be really great if this and some other bugs
> reported against Resin 3.1.x could be addressed after the next 4.0.1
> release. Many companies must run a stable and feature-complete
> application server in their mission critical environments and therefore
> cannot get into the pleasurable situation to run on Resin 4.0.x with
> definitely nice new features and desired bug fixes :-(

We're planning the 4.0.2 release cycle to be mostly about bug fixes (unless JavaEE-6 does something crazy with the spec drafts.) So we should get through most of the older bugs (including patches for 3.1.x)

-- Scott

> Best regards,
> Steffen
>
> 2009/7/24 Dan Hoover
>
>> On Wed, May 6, 2009 at 9:37 AM, Scott Ferguson wrote:
>>
>>> On May 1, 2009, at 4:33 PM, Jay Ballinger wrote:
>>>
>>>> Howdy,
>>>>
>>>> Please refer to:
>>>>
>>>> http://bugs.caucho.com/view.php?id=3431 (which is a reopen of)
>>>> http://bugs.caucho.com/view.php?id=2360
>>>
>>> I've added this information as a note to 3431. Now that we've
>>> released 4.0.0, we can start clearing out the old, stalled bug reports.
>>>
>>> -- Scott
>>
>> Are there any plans to address this in 3.1.x?
>>
>> Thanks,
>> Dan

___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

Re: [Resin-interest] CipherSuites for Jsse in resin 3.1.6
I second that. It would be really great if this and some other bugs reported against Resin 3.1.x could be addressed after the next 4.0.1 release. Many companies must run a stable and feature-complete application server in their mission critical environments and therefore cannot get into the pleasurable situation to run on Resin 4.0.x with definitely nice new features and desired bug fixes :-(

Best regards,
Steffen

2009/7/24 Dan Hoover

> On Wed, May 6, 2009 at 9:37 AM, Scott Ferguson wrote:
>
>> On May 1, 2009, at 4:33 PM, Jay Ballinger wrote:
>>
>> > Howdy,
>> >
>> > Please refer to:
>> >
>> > http://bugs.caucho.com/view.php?id=3431 (which is a reopen of)
>> > http://bugs.caucho.com/view.php?id=2360
>>
>> I've added this information as a note to 3431. Now that we've
>> released 4.0.0, we can start clearing out the old, stalled bug reports.
>>
>> -- Scott
>
> Are there any plans to address this in 3.1.x?
>
> Thanks,
>
> Dan

Re: [Resin-interest] CipherSuites for Jsse in resin 3.1.6
On Wed, May 6, 2009 at 9:37 AM, Scott Ferguson wrote:

> On May 1, 2009, at 4:33 PM, Jay Ballinger wrote:
>
> > Howdy,
> >
> > Please refer to:
> >
> > http://bugs.caucho.com/view.php?id=3431 (which is a reopen of)
> > http://bugs.caucho.com/view.php?id=2360
>
> I've added this information as a note to 3431. Now that we've
> released 4.0.0, we can start clearing out the old, stalled bug reports.
>
> -- Scott

Are there any plans to address this in 3.1.x?

Thanks,
Dan

Re: [Resin-interest] CipherSuites for Jsse in resin 3.1.6
Thanks for adding the notes to issue 3431. I was hoping that Scott and Emil could chime in where I think the changes need to happen. We're wanting to implement 3.1.6 (up to 3.1.9) in our production environments, and this change is key to that development. If this is a logical place to start, we may implement 3.1.6x until 3.1.10 is available. ;)

Have you guys had a chance to take a quick look, yet?

+ jay

Scott Ferguson wrote:

> On May 1, 2009, at 4:33 PM, Jay Ballinger wrote:
>
>> Howdy,
>>
>> Please refer to:
>>
>> http://bugs.caucho.com/view.php?id=3431 (which is a reopen of)
>> http://bugs.caucho.com/view.php?id=2360
>
> I've added this information as a note to 3431. Now that we've
> released 4.0.0, we can start clearing out the old, stalled bug reports.
>
> -- Scott
>
>> We're using Resin Pro 3.1.6 and trying to limit the cipher suites for
>> JSSE. I couldn't find the documentation, but through trial and error
>> was able to discover that http stanza allows this syntax for setting
>> ciphers...
>>
>> SSL_RSA_WITH_RC4_128_MD5,[more]
>> ...
>> ...
>> ...
>>
>> But running THCSSLCheck didn't show any change to the ciphers.
>>
>> I dove down in to com.caucho.vfs.JsseSSLFactory and had to make the
>> following changes...
>>
>> 1) in the public QServerSocket create(InetAddress host, int port)
>> method, there is a check for _cipherSuites != null. That if stmt
>> includes the following line:
>> sslContext.createSSLEngine().setEnabledCipherSuites(_cipherSuites);
>> While this appears to do what I need, it doesn't appear to really
>> affect anything. I'm not sure where the new SSLEngine is used. The
>> SSLServerSocketFactory is established in the same if block, but
>> nothing new is set there.
>>
>> 2) there is some commented code below that method that looks like it
>> was setting protocols - pretty close to ciphers. I added the following
>> just before the return stmt:
>> sslServerSocket.setEnabledCipherSuites( _cipherSuites );
>> And now I see a difference with THCSSLCheck.
>>
>> Scott, I haven't looked any further than JsseSSLFactory and Port, so I
>> don't know if this was supposed to be handled somewhere else. And I'm
>> not sure if this is still an issue with 3.1.9, or the 3.2/4 code. I
>> think we're in the minority running JSSE, but it works well enough
>> for us.
>>
>> We upgraded to 3.1.6 because this was reported as fixed on this
>> version, but obviously this isn't. Maybe there might be confusion with
>> the https.cipherSuites system property/java-args usage versus the
>> socket cipher suites - which would be my bad for not asking for the
>> right thing. If I understand the https.cipherSuites properly (now),
>> that is when you run as a client versus the server. To set server
>> ciphers you need to interact with the API directly - like the
>> SSLServerSocketFactory does.
>>
>> This may be why 3431 was opened.
>>
>> Is this a reasonable fix if we were to run 3.1.6mine? Has this been
>> fixed in newer revisions? Are there others running JSSE with an
>> interest in limiting the cipher suites and possibly the protocols?
>>
>> + jay

Re: [Resin-interest] CipherSuites for Jsse in resin 3.1.6
On May 1, 2009, at 4:33 PM, Jay Ballinger wrote:

> Howdy,
>
> Please refer to:
>
> http://bugs.caucho.com/view.php?id=3431 (which is a reopen of)
> http://bugs.caucho.com/view.php?id=2360

I've added this information as a note to 3431. Now that we've released 4.0.0, we can start clearing out the old, stalled bug reports.

-- Scott

> We're using Resin Pro 3.1.6 and trying to limit the cipher suites for
> JSSE. I couldn't find the documentation, but through trial and error
> was able to discover that http stanza allows this syntax for setting
> ciphers...
>
> SSL_RSA_WITH_RC4_128_MD5,[more]
> ...
> ...
> ...
>
> But running THCSSLCheck didn't show any change to the ciphers.
>
> I dove down in to com.caucho.vfs.JsseSSLFactory and had to make the
> following changes...
>
> 1) in the public QServerSocket create(InetAddress host, int port)
> method, there is a check for _cipherSuites != null. That if stmt
> includes the following line:
> sslContext.createSSLEngine().setEnabledCipherSuites(_cipherSuites);
> While this appears to do what I need, it doesn't appear to really
> affect anything. I'm not sure where the new SSLEngine is used. The
> SSLServerSocketFactory is established in the same if block, but
> nothing new is set there.
>
> 2) there is some commented code below that method that looks like it
> was setting protocols - pretty close to ciphers. I added the following
> just before the return stmt:
> sslServerSocket.setEnabledCipherSuites( _cipherSuites );
> And now I see a difference with THCSSLCheck.
>
> Scott, I haven't looked any further than JsseSSLFactory and Port, so I
> don't know if this was supposed to be handled somewhere else. And I'm
> not sure if this is still an issue with 3.1.9, or the 3.2/4 code. I
> think we're in the minority running JSSE, but it works well enough
> for us.
>
> We upgraded to 3.1.6 because this was reported as fixed on this
> version, but obviously this isn't. Maybe there might be confusion with
> the https.cipherSuites system property/java-args usage versus the
> socket cipher suites - which would be my bad for not asking for the
> right thing. If I understand the https.cipherSuites properly (now),
> that is when you run as a client versus the server. To set server
> ciphers you need to interact with the API directly - like the
> SSLServerSocketFactory does.
>
> This may be why 3431 was opened.
>
> Is this a reasonable fix if we were to run 3.1.6mine? Has this been
> fixed in newer revisions? Are there others running JSSE with an
> interest in limiting the cipher suites and possibly the protocols?
>
> + jay
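
The two calls contrasted in the quoted report, as an added example that is not part of the thread and is not Resin's JsseSSLFactory code: restricting a discarded SSLEngine leaves the listening socket on the JVM defaults, while the same call on the SSLServerSocket takes effect. The class name, the helper and the AES-GCM filter are assumptions chosen for the demo (JDK 8 or later, standard JSSE provider).

```java
import java.net.InetAddress;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocket;

// Added illustration; class and method names are hypothetical.
public class ServerCipherSuiteDemo {

  // Constructed policy: narrow the JVM's default suites to AES-GCM only.
  // Filtering the defaults (not the supported set) never re-enables a
  // suite the JVM ships disabled.
  static String[] allowedSuites(String[] defaults) {
    return Arrays.stream(defaults)
        .filter(s -> s.contains("_AES_") && s.contains("_GCM_"))
        .toArray(String[]::new);
  }

  public static void main(String[] args) throws Exception {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, null, null); // no key material needed to inspect settings

    String[] allowed = allowedSuites(ctx.getDefaultSSLParameters().getCipherSuites());

    // Change 1 in the report: the engine is created, configured and dropped.
    // Nothing else holds a reference to it, so the restriction is lost.
    SSLEngine throwaway = ctx.createSSLEngine();
    throwaway.setEnabledCipherSuites(allowed);

    try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory()
        .createServerSocket(0, 50, InetAddress.getLoopbackAddress())) {

      // Still the JVM defaults: the engine call never reached this socket.
      int before = server.getEnabledCipherSuites().length;

      // Change 2 in the report: configure the listening socket itself.
      // Sockets returned by accept() inherit this setting.
      server.setEnabledCipherSuites(allowed);
      String[] after = server.getEnabledCipherSuites();

      System.out.println("enabled on server socket before: " + before);
      System.out.println("enabled on server socket after:  " + after.length);
      for (String suite : after) {
        System.out.println("  " + suite);
      }
    }
  }
}
```

Protocol versions are restricted the same way with `setEnabledProtocols` on the server socket; an external scan of the listener remains the check that the restriction reached the wire.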