its a simple question what does ciphers parameter in Connector have anything to
do with the supported ciphers from the key itself the 2 are disconnected
please dont waste my time and anyone elses with insults when you are unable to
answer this simple question
Martin Gainty
___________________________________________ When Free Speech and Discovery are
replaced by Confusion and Obfuscation its time to move > Date: Thu, 10 Jan 2013
18:25:02 -0500
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: Restricting ciphers
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Martin,
>
> Honestly, I'm not sure why I'm feeding the troll at this point. Maybe
> I'm trying to atone for some horrible crime I can't remember.
>
> On 1/10/13 10:05 AM, Martin Gainty wrote:
> > terminology :
>
> Nobody was arguing about terminology. Next time, just refer to
> Wikipedia like everyone else.
>
> > All you don't know is whether those certificate & private key are
> > RSA or DSA algorithms
>
> It doesn't matter: you can use RSA (like everyone does) or DSA and
> that will only determine the type of key you have. The cipher can (and
> will, since SSL/TLS encryption is symmetric and not PK) use a
> different algorithm for encryption.
>
> > you see if it's an RSA or DSA key (along with the key size).
>
> Again, key size is only relevant for people who think that bigger is
> better. You can create a 16k key and it won't be much more secure than
> an 8k key. Stronger crypto, yes, but nobody tries to guess SSL keys:
> they use compression (e.g. CRIME) and other nasty tricks so they don't
> have to do the hard work of key-cracking.
>
> > cipherGroup is categorised by keysize within cipher-groups (usually
> > a 4digit number which is a power of 2 e.g. 1024 and 2048)
>
> Sorry, ciphers and keys are not interchangeable: keys usually have 1k,
> 2k, 4k, etc. bits in them while symmetric ciphers usually max out at
> 256-bit key sizes. Try running some of the commands you are grabbing
> off the web to see what I'm talking about.
>
> I've never heard the term "cipherGroup".
>
> > ECB, CBC and PCBC are the usual choices for the optional
> > ModeOfOperation parameter Determining the ALGO-CIPHER supported by
> > your key so we can see that public keys contain a algorithm-cipher
> > combination but how to determine the algo-cipher supported by your
> > key:
>
> Sorry, your key can support (essentially) arbitrary ciphers. Your key
> type has no bearing on whether or not ECB, CBC, etc. can be used.
>
> > keytool -list -v -keystore fubar.pfx -storetype PKCS12 Here is
> > output: Certificate fingerprints: MD5: SHA1:
> > Signature algorithm name: SHA1withRSA Providers (SUN, SunJCE,
> > SunJSSE,SunRsaSign, IBMJSSE, bcprov-jdkNN-MMM) Lets stick with
> > SunJSSE as our provider supported ciphers will be those ciphers
> > which match SHA1 with RSA from this list:
>
> Wrong again: the signature algorithm used to fingerprint your own key
> has no bearing on the message digests usable for your ciphers.
>
> > so what you are asking Tomcat Connector to do is
> >
> > 1)export contents of supplied keystoreFile key of keystoreType
> > PKCS12
> >
> > 2)determine Signature algorithm name
> >
> > 3)aggregate cipherSuite by determining Signature specific
> > supported ciphers from Signature algorithm name from
> > http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
> >
> >
> >
> 4)reference ciphers attribute from Tomcat <Connector
> >
> > 5)determine SignatureSpecificSupportedCiphers from 3) and
> > implement ONLY those ciphers which match exactly to the ciphers
> > listed in Tomcat Connector 5)
>
> None of the previous 5 items is accurate.
>
> > (i have not seen this currently implemented)
>
> That's because Tomcat does something else. Actually, JSSE does all the
> heavy-lifting: Tomcat just configures the TrustStore and a few other
> things and then lets JSSE take over. Or OpenSSL if you're using
> APR/native.
>
> Now, if you've had enough, kindly stop confusing people.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with undefined - http://www.enigmail.net/
>
> iEYEAREIAAYFAlDvTc4ACgkQ9CaO5/Lv0PC70gCgqL83yS3LxAqhS+eAFi1StwPU
> J5kAoMPWqUx/qnoB8gBla4gkRSWbpswO
> =W6U2
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
