Mark,

On 9/19/16 4:32 PM, Mark Thomas wrote:
> On 19/09/2016 21:20, Christopher Schultz wrote:
>> All,
>> 
>> On 8/31/16 12:45 PM, Christopher Schultz wrote:
>>> All,
>> 
>>> This isn't Tomcat-related, but many folks on this list have
>>> this kind of experience, so I'm asking in case anyone knows.
>> 
>>> I'd like to make an HTTPS connection to a server and, if I'm
>>> using non-ephemeral DH key exchange, I'd like to know what the 
>>> parameters are for that connection. Actually, I don't really
>>> care if it's ephemeral or not.
>> 
>>> What I'm looking for is the ability to make a connection and
>>> then warn if the connection is using "weak" DH parameters. Is
>>> that something I can check at connection-time? Or is the set of
>>> DH parameters (or, more specifically, the *length* of those 
>>> parameters, in bits) defined by the cipher suite itself?
>> 
>>> For example, the Qualys community thread has an illustration
>>> of the cipher suites that SSLLabs considers "weak" (well,
>>> everyone considers them weak... they just have a public tool
>>> which complains about them):
>>> https://community.qualys.com/thread/14821
>> 
>>> They specifically mention e.g.
>>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 which is cipher suite 0x9f
>>> and mention the DH parameters. Are those parameters' parameters
>>> baked-into the cipher suite (meaning they are *always*
>>> 1024-bit) or is this a configuration of the server that makes
>>> those cipher suites weak due to the specific DH parameter
>>> choice?
>> 
>>> In either case, I'd like to be able to sniff that information
>>> from the connection if at all possible. Does anyone know if
>>> this can be done, and how?
>> 
>>> Thanks, -chris
>> 
>> It seems that this isn't possible.
>> 
>> Does anyone on the list have the karma required to file an
>> enhancement request for the Java API? Or does everything need to
>> be a darned JSR?
> 
> I recommend starting with the security-...@openjdk.java.net mailing
> list.
> 
> As far as I know, the process is to raise a bug/enhancement
> request against Java. From my own experience with the memory leak
> bugs, it helps a lot if an OpenJDK committer has already agreed to
> try and do something about it.

So... crickets so far.

Any suggestions?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
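
An added example, not part of the original messages and not a Java API: in TLS 1.2 and earlier (RFC 5246), a DHE suite such as TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 does not fix the group; the server sends dh_p, dh_g and dh_Ys in its ServerKeyExchange message, so the prime length can be read from a captured handshake. The Python below parses that message and flags a short prime. It assumes the handshake message has already been extracted from the record layer and that the negotiated suite is DHE; the function names, the 2048-bit threshold and the sample message are assumptions constructed for illustration.

```python
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12   # HandshakeType value from RFC 5246
MIN_DH_BITS = 2048                   # assumed local policy threshold, not from the thread

def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise ValueError("bad vector length")
    return buf[off + 2:end], end

def parse_server_dh_params(handshake):
    """Return (p, g, Ys) as ints from a DHE ServerKeyExchange handshake message."""
    if len(handshake) < 4 or handshake[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    off, values = 0, []
    for _ in range(3):               # dh_p, dh_g, dh_Ys; the signature follows them
        raw, off = _read_vec16(body, off)
        values.append(int.from_bytes(raw, "big"))
    return tuple(values)

def dh_group_report(handshake):
    """Summarise the group; bit_length() ignores any leading zero padding in dh_p."""
    p, g, _ys = parse_server_dh_params(handshake)
    bits = p.bit_length()
    return {"prime_bits": bits, "generator": g, "weak": bits < MIN_DH_BITS}

def build_sample(prime_bits):
    """Constructed test message: p is an odd number of the given size, NOT a real prime."""
    p = (1 << (prime_bits - 1)) | 1
    def vec(i):
        raw = i.to_bytes((i.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    body = vec(p) + vec(2) + vec(p - 2) + b"\x04\x01\x00\x02\xaa\xbb"  # dummy signature
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for size in (1024, 2048):
        print(size, dh_group_report(build_sample(size)))
```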
