Posted to users@cxf.apache.org by Jason Pell <ja...@pellcorp.com> on 2013/10/10 01:27:14 UTC

set of SSL ciphers that are 128+ and non cbc encryption

Hi,

Is there such a list in the docs for cxf somewhere?

Re: set of SSL ciphers that are 128+ and non cbc encryption

Posted by Jason Pell <ja...@pellcorp.com>.
Seems in Java 7 the ciphers for 128+ are the default. In Java 6, when there
is no cipher suite filter, I see a few < 128-bit, but with Java 7 those ones
disappeared.

Sent from my Android phone
On 10/10/2013 12:57 PM, "Jason Pell" <ja...@pellcorp.com> wrote:

> Agree 100%, not a CXF issue; thought we might have a recommended set for max
> security. We had some pen testing highlight some weak ciphers and I wanted
> to see if the task of removing weak ciphers had already been done :-)
>
> Lazy, I know, but figured it did not hurt to ask.
>
> SSL BEAST vulnerability to CBC was the reason I asked also.
>
> Thanks heaps for your replies
>
> Sent from my Android phone
> On 10/10/2013 10:49 AM, "Dennis Sosnoski" <dm...@sosnoski.com> wrote:
>
>> Oh, but if you want to switch to the IBM JVM it looks like they've
>> supported GCM since Java 6, in the default disabled list of suites:
>> http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2Fjsse2Docs%2Fciphersuites.html
>>
>>   - Dennis
>>
>> On 10/10/2013 12:43 PM, Dennis Sosnoski wrote:
>>
>>> This is not really a CXF issue, Jason - it's determined by the JSSE
>>> (Java Secure Sockets Extension), and AFAIK we're stuck with only CBC for
>>> AES encryption. You can see the list of JSSE cipher suites here:
>>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
>>>
>>> Incidentally, I just published an article on InfoQ that discusses some
>>> of the issues around keeping your data communications secure with some
>>> discussion of TLS/SSL: http://www.infoq.com/articles/keeping-your-secrets
>>>
>>>   - Dennis
>>>
>>> On 10/10/2013 12:27 PM, Jason Pell wrote:
>>>
>>>> Hi,
>>>>
>>>> Is there such a list in the docs for cxf somewhere?
>>>>
>>>>
>>>
>>>
>>

Re: set of SSL ciphers that are 128+ and non cbc encryption

Posted by Jason Pell <ja...@pellcorp.com>.
Agree 100%, not a CXF issue; thought we might have a recommended set for max
security. We had some pen testing highlight some weak ciphers and I wanted
to see if the task of removing weak ciphers had already been done :-)

Lazy, I know, but figured it did not hurt to ask.

SSL BEAST vulnerability to CBC was the reason I asked also.

Thanks heaps for your replies

Sent from my Android phone
On 10/10/2013 10:49 AM, "Dennis Sosnoski" <dm...@sosnoski.com> wrote:

> Oh, but if you want to switch to the IBM JVM it looks like they've
> supported GCM since Java 6, in the default disabled list of suites:
> http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2Fjsse2Docs%2Fciphersuites.html
>
>   - Dennis
>
> On 10/10/2013 12:43 PM, Dennis Sosnoski wrote:
>
>> This is not really a CXF issue, Jason - it's determined by the JSSE (Java
>> Secure Sockets Extension), and AFAIK we're stuck with only CBC for AES
>> encryption. You can see the list of JSSE cipher suites here:
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
>>
>> Incidentally, I just published an article on InfoQ that discusses some of
>> the issues around keeping your data communications secure with some
>> discussion of TLS/SSL: http://www.infoq.com/articles/keeping-your-secrets
>>
>>   - Dennis
>>
>> On 10/10/2013 12:27 PM, Jason Pell wrote:
>>
>>> Hi,
>>>
>>> Is there such a list in the docs for cxf somewhere?
>>>
>>>
>>
>>
>

Re: set of SSL ciphers that are 128+ and non cbc encryption

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
Oh, but if you want to switch to the IBM JVM it looks like they've 
supported GCM since Java 6, in the default disabled list of suites: 
http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2Fjsse2Docs%2Fciphersuites.html

   - Dennis

On 10/10/2013 12:43 PM, Dennis Sosnoski wrote:
> This is not really a CXF issue, Jason - it's determined by the JSSE 
> (Java Secure Sockets Extension), and AFAIK we're stuck with only CBC 
> for AES encryption. You can see the list of JSSE cipher suites here: 
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
>
> Incidentally, I just published an article on InfoQ that discusses some 
> of the issues around keeping your data communications secure with some 
> discussion of TLS/SSL: http://www.infoq.com/articles/keeping-your-secrets
>
>   - Dennis
>
> On 10/10/2013 12:27 PM, Jason Pell wrote:
>> Hi,
>>
>> Is there such a list in the docs for cxf somewhere?
>>
>
>


Re: set of SSL ciphers that are 128+ and non cbc encryption

Posted by Dennis Sosnoski <dm...@sosnoski.com>.
This is not really a CXF issue, Jason - it's determined by the JSSE 
(Java Secure Sockets Extension), and AFAIK we're stuck with only CBC for 
AES encryption. You can see the list of JSSE cipher suites here: 
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

Incidentally, I just published an article on InfoQ that discusses some 
of the issues around keeping your data communications secure with some 
discussion of TLS/SSL: http://www.infoq.com/articles/keeping-your-secrets

   - Dennis

On 10/10/2013 12:27 PM, Jason Pell wrote:
> Hi,
>
> Is there such a list in the docs for cxf somewhere?
>
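
As an added example (not code from this thread or from CXF): a small Java program that asks the running JVM's JSSE provider which cipher suites it enables and supports, and filters them by name for the criteria discussed above (128-bit or stronger, non-CBC). The class name, the marker list and the extra exclusion of RC4 are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class CipherSuiteAudit {

    // Name fragments marking a suite as unencrypted, unauthenticated or below 128-bit.
    // "_RC4_" is an addition to the thread's criteria: RC4 is 128-bit and non-CBC,
    // but RFC 7465 prohibits it in TLS.
    private static final String[] WEAK = {
        "_NULL_", "_anon_", "_EXPORT_", "_DES_", "_DES40_", "_RC2_", "_RC4_"
    };

    static boolean isWeak(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    // Keep suites that are neither weak nor CBC-mode. The *_SCSV entry is a
    // renegotiation signalling value, not a cipher, so it is left out of the report.
    static List<String> strongNonCbc(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String suite : suites) {
            if (!isWeak(suite) && !suite.contains("_CBC_") && !suite.endsWith("_SCSV")) {
                kept.add(suite);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();

        System.out.println("JVM: " + System.getProperty("java.version"));
        System.out.println("Enabled by default, weak:");
        for (String suite : enabled) {
            if (isWeak(suite)) System.out.println("  " + suite);
        }
        System.out.println("Enabled by default, 128+ and non-CBC: " + strongNonCbc(enabled));
        List<String> extra = strongNonCbc(supported);
        extra.removeAll(Arrays.asList(enabled));
        System.out.println("Supported but not enabled, 128+ and non-CBC: " + extra);
    }
}
```

Run it on each JVM you deploy to: the output depends entirely on that JVM's JSSE provider, so a provider that offers AES only in CBC mode yields two empty filtered lists.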