You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by Emmanuel Lécharny <el...@gmail.com> on 2015/01/20 18:54:54 UTC
[Studio] apacheDS 2.0 config plugin
Hi guys,
I think the plugin should be back on track.
I have fixed the NPE we giot while trying to open it. Please feel free
to test that.
Otherwise, I have added a few things in the LDAP/LDAPS configuration
page, like the SASL realms (which was missing).
The enabled protocols and enabled ciphers aren't functional yet. They
need some love. At this point, having a list is simply not going to fly,
it's way to complex. We can't add the users to add ciphers by typing
things like : |TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384...
So I'm going to open one modal popup with the list of supported ciphers,
depending on the Java version the server will run on.
For enabled protocols, I will add as many checkboxes as we have
protocols to support : SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. Thats should
be enough. Im not even sure we will support SSL v3 at all.
comments welcome !
|
Re: [Studio] apacheDS 2.0 config plugin
Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Jan 22, 2015 at 6:57 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:
> Le 22/01/15 11:08, Emmanuel Lécharny a écrit :
> > Le 22/01/15 00:07, Kiran Ayyagari a écrit :
> >> On Thu, Jan 22, 2015 at 6:45 AM, Emmanuel Lécharny <elecharny@gmail.com
> >
> >> wrote:
> >>
> >>> Some update :
> >>>
> >>> I have now set a list of existing and supported Cipher for the user to
> >>> select. It looks like this :
> >>>
> >>> .--------------------------------.
> >>> |V SSL Advanced Settings |
> >>> +--------------------------------+
> >>> | [X] Require Client Auth |
> >>> | [X] Request Client Auth |
> >>> | Ciphers suite : |
> >>> | +--------------------------+ |
> >>> | |[X] xyz | |
> >>> | |[X] abc | |
> >>> | |[X] def | |
> >>> | +--------------------------+ |
> >>> | Enabled protocols : |
> >>> | [X] SSLv3 [X] TLSv1 |
> >>> | [X] TLSv1.1 [X] TLSv1.2 |
> >>> +--------------------------------+
> >>>
> >>> You can select one or more ciphers, all of them are selected by
> default.
> >>> The selection is done based on the underlying JAVA version used on the
> >>> server, so I have to add a checkbox to select either Java 7 or Java 8.
> >>>
> >>> this setting can quickly become stale, especially at the pace java
> >> versions are EOLed
> >>
> >> Instead I suggest we provide a textbox (in the advance options) to let
> the
> >> user key in
> >> the desired cipher if none is needed beside the default ciphers.
> > Ok, let's face reality here :
> >
> > do you really want users to type things like
> > TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ?
>
definitely not typing but paste for sure, this is strictly under
the assumption that the user is aware of what he is doing
> >
> > When using SSL, the security provider to use is JSSE, which comes with a
> > list of supported ciphers, which are either enabled or disabled. This is
> > quite a long list, and there is no mean to add some cipher from this
> > list, because they won't be supported anyway.
> >
> > The issue is what list of ciphers will Java 9 support ? We don't know
> > yet. But adding a support for those ciphers is just a matter of adding
> > them to the SupportedCipher enum, and add a new JavaVersion in the combo
> > I'm currently adding in this tab.
>
> A real problem here is that the list of ciphers supported in Java 7 is
> smaller than the list supported in Java 8. We don't keep a track of the
> Java version used on the server in the config, so we have to be quite
> careful in the way we propose a list that will be stored in teh config.
> Typically, if we set the list of supported ciphers to be the one that
> Java 8 supports, but run the server on Java 7, there will be some
> problem. It's not necessarily the right option to let the user select
> the Java version the server will run of from Studio, it's likely to be
> changed without notice.
>
> I have no clear solution for that, except that every cipher supported by
> Java 7 are also supported by Java 8. At this point, I may simply use the
> Java 8 ciphers, and up to the server to remove the ones that aren't
> supported...
>
> All in all, I'm not anymore keen on proposing a Java version to use...
>
yeah, this becomes an unnecessary maintenance work
--
Kiran Ayyagari
http://keydap.com
Re: [Studio] apacheDS 2.0 config plugin
Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 22/01/15 11:08, Emmanuel Lécharny a écrit :
> Le 22/01/15 00:07, Kiran Ayyagari a écrit :
>> On Thu, Jan 22, 2015 at 6:45 AM, Emmanuel Lécharny <el...@gmail.com>
>> wrote:
>>
>>> Some update :
>>>
>>> I have now set a list of existing and supported Cipher for the user to
>>> select. It looks like this :
>>>
>>> .--------------------------------.
>>> |V SSL Advanced Settings |
>>> +--------------------------------+
>>> | [X] Require Client Auth |
>>> | [X] Request Client Auth |
>>> | Ciphers suite : |
>>> | +--------------------------+ |
>>> | |[X] xyz | |
>>> | |[X] abc | |
>>> | |[X] def | |
>>> | +--------------------------+ |
>>> | Enabled protocols : |
>>> | [X] SSLv3 [X] TLSv1 |
>>> | [X] TLSv1.1 [X] TLSv1.2 |
>>> +--------------------------------+
>>>
>>> You can select one or more ciphers, all of them are selected by default.
>>> The selection is done based on the underlying JAVA version used on the
>>> server, so I have to add a checkbox to select either Java 7 or Java 8.
>>>
>>> this setting can quickly become stale, especially at the pace java
>> versions are EOLed
>>
>> Instead I suggest we provide a textbox (in the advance options) to let the
>> user key in
>> the desired cipher if none is needed beside the default ciphers.
> Ok, let's face reality here :
>
> do you really want users to type things like
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ?
>
> When using SSL, the security provider to use is JSSE, which comes with a
> list of supported ciphers, which are either enabled or disabled. This is
> quite a long list, and there is no mean to add some cipher from this
> list, because they won't be supported anyway.
>
> The issue is what list of ciphers will Java 9 support ? We don't know
> yet. But adding a support for those ciphers is just a matter of adding
> them to the SupportedCipher enum, and add a new JavaVersion in the combo
> I'm currently adding in this tab.
A real problem here is that the list of ciphers supported in Java 7 is
smaller than the list supported in Java 8. We don't keep a track of the
Java version used on the server in the config, so we have to be quite
careful in the way we propose a list that will be stored in teh config.
Typically, if we set the list of supported ciphers to be the one that
Java 8 supports, but run the server on Java 7, there will be some
problem. It's not necessarily the right option to let the user select
the Java version the server will run of from Studio, it's likely to be
changed without notice.
I have no clear solution for that, except that every cipher supported by
Java 7 are also supported by Java 8. At this point, I may simply use the
Java 8 ciphers, and up to the server to remove the ones that aren't
supported...
All in all, I'm not anymore keen on proposing a Java version to use...
Re: [Studio] apacheDS 2.0 config plugin
Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 22/01/15 00:07, Kiran Ayyagari a écrit :
> On Thu, Jan 22, 2015 at 6:45 AM, Emmanuel Lécharny <el...@gmail.com>
> wrote:
>
>> Some update :
>>
>> I have now set a list of existing and supported Cipher for the user to
>> select. It looks like this :
>>
>> .--------------------------------.
>> |V SSL Advanced Settings |
>> +--------------------------------+
>> | [X] Require Client Auth |
>> | [X] Request Client Auth |
>> | Ciphers suite : |
>> | +--------------------------+ |
>> | |[X] xyz | |
>> | |[X] abc | |
>> | |[X] def | |
>> | +--------------------------+ |
>> | Enabled protocols : |
>> | [X] SSLv3 [X] TLSv1 |
>> | [X] TLSv1.1 [X] TLSv1.2 |
>> +--------------------------------+
>>
>> You can select one or more ciphers, all of them are selected by default.
>> The selection is done based on the underlying JAVA version used on the
>> server, so I have to add a checkbox to select either Java 7 or Java 8.
>>
>> this setting can quickly become stale, especially at the pace java
> versions are EOLed
>
> Instead I suggest we provide a textbox (in the advance options) to let the
> user key in
> the desired cipher if none is needed beside the default ciphers.
Ok, let's face reality here :
do you really want users to type things like
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ?
When using SSL, the security provider to use is JSSE, which comes with a
list of supported ciphers, which are either enabled or disabled. This is
quite a long list, and there is no mean to add some cipher from this
list, because they won't be supported anyway.
The issue is what list of ciphers will Java 9 support ? We don't know
yet. But adding a support for those ciphers is just a matter of adding
them to the SupportedCipher enum, and add a new JavaVersion in the combo
I'm currently adding in this tab.
Re: [Studio] apacheDS 2.0 config plugin
Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Jan 22, 2015 at 6:45 AM, Emmanuel Lécharny <el...@gmail.com>
wrote:
> Some update :
>
> I have now set a list of existing and supported Cipher for the user to
> select. It looks like this :
>
> .--------------------------------.
> |V SSL Advanced Settings |
> +--------------------------------+
> | [X] Require Client Auth |
> | [X] Request Client Auth |
> | Ciphers suite : |
> | +--------------------------+ |
> | |[X] xyz | |
> | |[X] abc | |
> | |[X] def | |
> | +--------------------------+ |
> | Enabled protocols : |
> | [X] SSLv3 [X] TLSv1 |
> | [X] TLSv1.1 [X] TLSv1.2 |
> +--------------------------------+
>
> You can select one or more ciphers, all of them are selected by default.
> The selection is done based on the underlying JAVA version used on the
> server, so I have to add a checkbox to select either Java 7 or Java 8.
>
> this setting can quickly become stale, especially at the pace java
versions are EOLed
Instead I suggest we provide a textbox (in the advance options) to let the
user key in
the desired cipher if none is needed beside the default ciphers.
This is the last change in the LDAP/LDAPS tab. I have a few more changes
> elswhere, but it will be fast, then we can go for a release at will.
>
> Thanks !
>
>
--
Kiran Ayyagari
http://keydap.com
Re: [Studio] apacheDS 2.0 config plugin
Posted by Emmanuel Lécharny <el...@gmail.com>.
Some update :
I have now set a list of existing and supported Cipher for the user to
select. It looks like this :
.--------------------------------.
|V SSL Advanced Settings |
+--------------------------------+
| [X] Require Client Auth |
| [X] Request Client Auth |
| Ciphers suite : |
| +--------------------------+ |
| |[X] xyz | |
| |[X] abc | |
| |[X] def | |
| +--------------------------+ |
| Enabled protocols : |
| [X] SSLv3 [X] TLSv1 |
| [X] TLSv1.1 [X] TLSv1.2 |
+--------------------------------+
You can select one or more ciphers, all of them are selected by default.
The selection is done based on the underlying JAVA version used on the
server, so I have to add a checkbox to select either Java 7 or Java 8.
This is the last change in the LDAP/LDAPS tab. I have a few more changes
elswhere, but it will be fast, then we can go for a release at will.
Thanks !
Re: [Studio] apacheDS 2.0 config plugin
Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 20/01/15 23:45, Kiran Ayyagari a écrit :
> On Wed, Jan 21, 2015 at 1:54 AM, Emmanuel Lécharny <el...@gmail.com>
> wrote:
>
>> Hi guys,
>>
>> I think the plugin should be back on track.
>>
>> I have fixed the NPE we giot while trying to open it. Please feel free
>> to test that.
>>
>> Otherwise, I have added a few things in the LDAP/LDAPS configuration
>> page, like the SASL realms (which was missing).
>>
>> The enabled protocols and enabled ciphers aren't functional yet. They
>> need some love. At this point, having a list is simply not going to fly,
>> it's way to complex. We can't add the users to add ciphers by typing
>> things like : |TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384...
>>
>> So I'm going to open one modal popup with the list of supported ciphers,
>> depending on the Java version the server will run on.
>>
>> For enabled protocols, I will add as many checkboxes as we have
>> protocols to support : SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. Thats should
>> be enough. Im not even sure we will support SSL v3 at all.
>>
> let us keep the option to use SSL as well
Right now, I have transformed the list of enabled protocols to a set of
checkboxes :
...
| Enabled protocols : |
| [X] SSLv3 [X] TLSv1 [X] TLSv1.1 [X] TLSv1.2 |
...
You can select the protocols the server is going to support. This set of
checkboxes will update both the LDAP and LDAPS transports (LDAP support
startTLS, so at some point, we need that for LDAP)
I still have to change the way we handle the cipher suite. It will
probably be done by tonite.
Re: [Studio] apacheDS 2.0 config plugin
Posted by Kiran Ayyagari <ka...@apache.org>.
On Wed, Jan 21, 2015 at 1:54 AM, Emmanuel Lécharny <el...@gmail.com>
wrote:
> Hi guys,
>
> I think the plugin should be back on track.
>
> I have fixed the NPE we giot while trying to open it. Please feel free
> to test that.
>
> Otherwise, I have added a few things in the LDAP/LDAPS configuration
> page, like the SASL realms (which was missing).
>
> The enabled protocols and enabled ciphers aren't functional yet. They
> need some love. At this point, having a list is simply not going to fly,
> it's way to complex. We can't add the users to add ciphers by typing
> things like : |TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384...
>
> So I'm going to open one modal popup with the list of supported ciphers,
> depending on the Java version the server will run on.
>
> For enabled protocols, I will add as many checkboxes as we have
> protocols to support : SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. Thats should
> be enough. Im not even sure we will support SSL v3 at all.
>
let us keep the option to use SSL as well
>
> comments welcome !
> |
>
>
--
Kiran Ayyagari
http://keydap.com