Posted to dev@tomcat.apache.org by bu...@apache.org on 2015/06/23 13:31:40 UTC
[Bug 58072] New: ECDH curve selection
https://bz.apache.org/bugzilla/show_bug.cgi?id=58072
Bug ID: 58072
Summary: ECDH curve selection
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: msta@cinkciarz.pl
It should be possible to pick the ECDH curve for EC-based cipher suites, in the
same way it's possible in, let's say, nginx:
ssl_ecdh_curve secp521r1;
Curve names could be used as defined in RFC 4492, section 5.1.1:
https://tools.ietf.org/html/rfc4492#section-5.1.1
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 58072] ECDH curve selection
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58072
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|major |enhancement
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
This should be doable for OpenSSL based connections. For JSSE based connections
this is going to have to wait for the JRE to provide the necessary hooks.
[Bug 58072] ECDH curve selection
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58072
Michał Staruch <Mi...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|----- |----
Product|Tomcat 9 |Tomcat 8
Version|unspecified |trunk
Component|Connectors |Connectors
[Bug 58072] ECDH curve selection
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58072
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #5 from Mark Thomas <ma...@apache.org> ---
If JSSE ever adds support for configuring this per SSLContext, feel free to
re-open this issue and we can add the necessary configuration.
[Bug 58072] ECDH curve selection
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58072
Michał Staruch <ms...@cinkciarz.pl> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |msta@cinkciarz.pl
[Bug 58072] ECDH curve selection
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58072
--- Comment #4 from Remy Maucherat <re...@apache.org> ---
The newly added OpenSSLConfCmd feature has something for this. I think this
should be considered "done" as JSSE isn't going to get done.
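An added configuration example, not part of the original thread, showing how the OpenSSLConfCmd feature mentioned in comment #4 can restrict the ECDH curves on an OpenSSL-based connector. The element and attribute names follow Tomcat's configuration reference; the port, certificate paths and curve list are placeholders chosen for illustration.

```xml
<!-- Added example; port, file paths and the curve list are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateFile="conf/server.crt"
                 certificateKeyFile="conf/server.key" />
    <!-- Each OpenSSLConfCmd is handed to OpenSSL's SSL_CONF_cmd();
         it applies only when the connector uses an OpenSSL implementation. -->
    <OpenSSLConf>
      <!-- Colon-separated list in preference order, using OpenSSL curve names. -->
      <OpenSSLConfCmd name="Curves" value="secp521r1:secp384r1" />
    </OpenSSLConf>
  </SSLHostConfig>
</Connector>
```

The curve list plays the same role as the nginx `ssl_ecdh_curve` directive quoted in the original report.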
[Bug 58072] ECDH curve selection
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58072
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
(In reply to Michał Staruch from comment #2)
And which API should Tomcat use to specify the curve to use (in the cases where
the server has a choice)?
[Bug 58072] ECDH curve selection
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58072
--- Comment #2 from Michał Staruch <Mi...@gmail.com> ---
Mark: providers available in Java 8 that enable EC cipher suites have to
support all the named curves listed in RFC 4492 5.1.1:
"The provider must support all the SECG curves referenced in RFC 4492
specification, section 5.1.1 (see also appendix A). In certificates, points
should be encoded using the uncompressed form and curves should be encoded
using the namedCurve choice, that is, using an object identifier."
See the "Java Cryptography Architecture Oracle Providers Documentation for JDK
8" document, available here:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html