Hey there,

another Matt here =D.

Although changing some policy might do the trick, the issue lies way deeper: at those lines where the SSLContext is created and initialized only standard values are used. As far as I dug through the source there is no config yet to tell the init method which protocols and cipher suites to use. This can't be configured by CLI options, as the crypto stuff doesn't check for these. The two ways I see:
- hardcode the protocols and cipher suites into the lines where TLS is switched in
- add some lines to use the config

Contrary to the above - it seems there's some possible config for the <tls> block in /server/protocols/protocols-library/src/main/java/org/apache/james/protocols/lib/netty/AbstractConfigurableAsyncServer.java line 245: tls.supportedCipherSuites.cipherSuite
So I guess this would look something like this:

<tls ...>
    all the other stuff
    <supportedCipherSuites>
        <cipherSuite>TLS-cipher-suite-codename</cipherSuite>
    </supportedCipherSuites>
</tls>

But this only allows for setting the cipher suites - not the TLS protocol version - I guess this could also be added.

Hope this helps,

Matt from Germany
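Since the thread's working fix is the jdk.tls.disabledAlgorithms security property (the https.protocols system property only affects HttpsURLConnection, not the SSLEngine a server uses), the following is an added example, not code from this thread or from the Apache James project, that checks a java.security file for that property: it parses the file's backslash line continuations, splits the comma-separated value into plain algorithm names and "keySize" constraints, and reports whether the legacy protocol versions are disabled and whether the DH minimum is at least 2048 bits. The two property fragments embedded below are constructed for the example (one mirrors the line quoted later in this thread, the other an older default that still allows TLSv1); the function names are my own.

```python
import re

# Constructed sample mirroring the hardened line quoted in this thread
# (one property continued over two lines with a trailing backslash).
HARDENED_JAVA_SECURITY = """\
# java.security excerpt (constructed sample)
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, SSLv2Hello, SSLv3, TLSv1, TLSv1.1
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

# Constructed sample of a weaker, older-style setting: TLSv1/TLSv1.1 still
# enabled and 1024-bit DH still accepted.
WEAK_JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""


def load_properties(text):
    """Minimal java.security (Java .properties) reader.

    Handles '#'/'!' comment lines and backslash line continuations, where the
    leading whitespace of the continued line is dropped, as java.util.Properties
    does. Escaped characters inside values are not interpreted.
    """
    props = {}
    buf = ""
    continuing = False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continuing = True
            continue
        buf += line
        key, sep, value = buf.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        buf = ""
        continuing = False
    return props


# Matches constraints such as "DH keySize < 2048"; other constraint forms
# (e.g. "usage" or "&"-combined ones in newer JDKs) are kept as plain names.
KEYSIZE_RE = re.compile(r"^(?P<alg>\S+)\s+keySize\s*(?P<op>[<>=!]+)\s*(?P<n>\d+)$")


def parse_disabled_algorithms(value):
    """Split a jdk.tls.disabledAlgorithms value into names and keySize limits."""
    names = set()
    key_sizes = {}
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        m = KEYSIZE_RE.match(entry)
        if m:
            key_sizes[m.group("alg")] = (m.group("op"), int(m.group("n")))
        else:
            names.add(entry)
    return names, key_sizes


def check_tls_hardening(java_security_text, min_dh_bits=2048,
                        legacy=("SSLv3", "TLSv1", "TLSv1.1")):
    """Return {check: passed} for the legacy protocols and the DH minimum.

    'DH>=N' passes only when the file disables DH keys smaller than at least N
    bits, i.e. it contains 'DH keySize < M' with M >= N.
    """
    props = load_properties(java_security_text)
    names, key_sizes = parse_disabled_algorithms(
        props.get("jdk.tls.disabledAlgorithms", ""))
    findings = {proto: proto in names for proto in legacy}
    op, n = key_sizes.get("DH", (None, 0))
    findings["DH>=%d" % min_dh_bits] = (op == "<" and n >= min_dh_bits)
    return findings


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_JAVA_SECURITY),
                        ("weak", WEAK_JAVA_SECURITY)):
        print(label, check_tls_hardening(text))
```

Run against a real installation, pass the contents of the JRE's java.security file (or of the extra file given with -Djava.security.properties=..., which the JDK layers over the bundled one) to check_tls_hardening; a False for TLSv1 or for DH>=2048 is the finding the htbridge scan in this thread reported.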

On 12.03.2019 at 12:18, Matt Pryor wrote:
Hi Benoit,

Of course, I will do that today.

My next challenge is to find out how to enable OCSP stapling... something
I'd never heard of until 25 minutes ago... I will post if I find a solution.

Matt




On Tue, 12 Mar 2019 at 10:48, Benoit Tellier <btell...@linagora.com> wrote:

That looks VERY interesting and not documented.

I believe that your valuable experience deserves to be recorded on our documentation website.

Do you think you can find the time to edit
https://github.com/apache/james-project/blob/master/src/site/xdoc/server/config-ssl-tls.xml ?

The corresponding website page is
https://james.apache.org/server/config-ssl-tls.html

That would be lovely

Best regards,

Benoit Tellier

On 12/03/2019 17:42, Matt Pryor wrote:
Please disregard this question, after some more digging I found out it was the /jre/lib/security/java.security file that I needed to edit:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, *DH keySize < 2048*, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL,* SSLv2Hello, SSLv3, TLSv1, TLSv1.1*

Thanks
Matt

On Tue, 12 Mar 2019 at 10:15, Matt Pryor <pr...@international-presence.com> wrote:

Hi there

I was wondering if anyone can point me in the right direction in order to disable TLS1.0 for STARTTLS?

I tried adding the following line to the wrapper.conf but it doesn't seem to make any difference:

wrapper.java.additional.15=-Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1.3

Also, when running the diagnostic tool at https://www.htbridge.com/ssl/
it complained that the diffie-hellman parameter is too weak (only 1024
bytes). Does anyone know how to change this?

Thanks for any tips.

Matt

--
Matt Pryor
Software Developer

The International Presence Group of Companies
EMAIL: pr...@presencebpm.com
URL: www.International-presence.com
