Hi,

aside from the fact that 0.14.0 is not really a recent release, you should be generally fine.

Nevertheless, since Thrift supports something around 20+ target languages and dialects, could you also indicate what programming language we are talking about? From what you wrote my guess would be C++ ... libraries and languages are not necessarily on the exact same level across languages, especially regarding such details, you know.

Have fun,

JensG



On 17.03.2023 at 15:49, Hari venkata ramana wrote:
Hi

We are running a thrift server TThreadPoolServer and we have a problem when
we set strong ciphers on TSSLSocketFactory.

When we set the following to TSSLSocketFactory::ciphers(string ciphers)

ciphers =
kEECDH:kEDH:kRSA:!kPSK:!aPSK:!aDSS:!aNULL:!NULL:!SEED:!3DES:!MD5:!RC4:!CAMELLIA:!SSLv3

we could see that openssl clients always use one of the following ciphers to
negotiate with the server:

AES128-SHA256 AES128-GCM-SHA256 AES256-SHA256

When we set the following:

cipher = ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384

and use openssl client, the handshake fails with an alert, reason 40.

We understand that the choice of cipher by the server depends on
the key exchange algorithm defined in the SSL certificates installed on the
server. Our server has certificates using RSA and so we expect that in the
second case above the server should finish the handshake with cipher
ECDHE-RSA-AES256-SHA384. However, we don't see this happening.

Questions:

1.     We are using thrift 0.14.0... Any known limitation with this version
of thrift?

2.     Does thrift support Diffie-Hellman ciphers for TLS?

3.     How do we debug more on why the handshake is failing?



Any pointers here would be helpful.

Note: This may not be the same, but it seems related to: Does Thrift support
Diffie Hellman ciphers for TLS?
<https://stackoverflow.com/questions/48915842/does-thrift-support-diffie-hellman-ciphers-for-tls>

We want to set strong ciphers like ECDHE-RSA-AES256-SHA384 on the SSL
interface of the server and have the openssl clients connect with that cipher
and complete a successful handshake with our server.

Thanks
Hari
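As an added illustration of the cipher-selection question in the message above (this is not Thrift code and not from either poster), the snippet below uses Python's ssl module, which wraps the same OpenSSL cipher-string parser that TSSLSocketFactory::ciphers() hands the string to, to expand both cipher strings from the post and to show which suites a server holding only an RSA certificate can actually offer. The cert-type filter and the forward-secrecy filter are assumptions of this example, not Thrift options; alert description 40 is TLS handshake_failure (RFC 5246 section 7.2.2), i.e. the peer found no acceptable parameters.

```python
import ssl

# The two cipher strings quoted in the original post. They govern TLS 1.2 and
# below; TLS 1.3 suites are configured separately in OpenSSL and are skipped here.
BROAD_LIST = ("kEECDH:kEDH:kRSA:!kPSK:!aPSK:!aDSS:!aNULL:!NULL:"
              "!SEED:!3DES:!MD5:!RC4:!CAMELLIA:!SSLv3")
STRICT_LIST = "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384"

# TLS alert description 40 == handshake_failure: no common set of parameters.
HANDSHAKE_FAILURE = int(ssl.AlertDescription.ALERT_DESCRIPTION_HANDSHAKE_FAILURE)


def expand(cipher_string):
    """Return (name, key-exchange, authentication) for every TLS<=1.2 suite
    OpenSSL selects for the cipher string, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["kea"], c["auth"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def usable_with_cert(cipher_string, cert_auth="auth-rsa"):
    """Suites the server can offer given its certificate's key type (assumed
    filter). With only an RSA certificate, ECDHE-ECDSA suites can never be
    chosen no matter how the cipher string is written."""
    return [name for name, _kea, auth in expand(cipher_string)
            if auth in (cert_auth, "auth-any")]


def forward_secret_only(cipher_string, cert_auth="auth-rsa"):
    """Additionally drop static RSA key exchange (kx-rsa). With the broad list
    above, suites such as AES128-SHA256 remain allowed, so a client that
    prefers them can still end up there; removing kx-rsa forces (EC)DHE."""
    return [name for name, kea, auth in expand(cipher_string)
            if auth in (cert_auth, "auth-any") and kea != "kx-rsa"]


if __name__ == "__main__":
    for label, cs in (("broad", BROAD_LIST), ("strict", STRICT_LIST)):
        print(f"{label}: RSA-cert-usable = {usable_with_cert(cs)}")
        print(f"{label}: forward-secret  = {forward_secret_only(cs)}")
```

Note that ECDHE-RSA suites also require the server side to have an EC group available for the ephemeral key; OpenSSL 1.1.0 and later enables this automatically, while older OpenSSL required the application to turn it on, which is worth checking when only static-RSA suites get negotiated.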
