james-server-dev mailing list archives

From Eric Charles <e...@apache.org>
Subject Re: supportedCipherSuites not working for startTLS
Date Wed, 12 Dec 2012 12:04:49 GMT
Great.

The procedure to submit a code change is to open a JIRA (in your case on 
https://issues.apache.org/jira/browse/PROTOCOLS) and upload the patch 
granting Apache for the license.

I know this is a tiny change, but it allows to track down the history...

Would you mind opening that JIRA?

Thx, Eric

On 11/12/2012 17:24, Phillip Odam wrote:
> Setting the supported cipher suites when startTLS is enabled is not
> limiting the available ciphers since the instantiation of the Encryption
> object always sets the member enabledCipherSuites to null.
>
>
> Demonstrate issue:
>
> Add the following to the tls tag in conf/smtpserver.conf
>
> <supportedCipherSuites>
>    <cipherSuite>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</cipherSuite>
> </supportedCipherSuites>
>
> With the change active, attempting to connect to the server with the
> following command will succeed (with a weaker cipher)
>
> openssl s_client -connect mail.server.tld:25 -crlf -starttls smtp
> -cipher LOW
>
>
> Patch:
>
> ---
> current/protocols/api/src/main/java/org/apache/james/protocols/api/Encryption.java
> (revision 1420267)
> +++
> current/protocols/api/src/main/java/org/apache/james/protocols/api/Encryption.java
> 2012-12-11 11:41:45.000000000 -0500
> @@ -73,7 +73,7 @@
>        * @return enc
>        */
>       public static Encryption createStartTls(SSLContext context,
> String[] enabledCipherSuites) {
> -        return new Encryption(context, true, null);
> +        return new Encryption(context, true, enabledCipherSuites);
>       }
>
>       /**
>
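
Review bot: In createStartTls the caller's array is now forwarded where null was hard-coded, but the patch touches only Encryption.java and carries no test, so nothing stops the argument from being dropped again. Please add a unit test asserting that the Encryption returned by createStartTls(context, suites) exposes exactly those suites, and state in the javadoc (only `@return enc` is visible in this hunk) what passing a null array means, since null was the previous fixed value.
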
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
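
The effect described in the quoted report, shown at the JSSE level as an added example that is not part of the original message or of the James code base: an engine configured with a null suite list keeps the JVM defaults, while a non-null list restricts it. The class `StartTlsCipherCheck` and the helper `newServerEngine` are hypothetical, the allow-list is constructed from whatever the local JVM supports, and treating null as "leave defaults in place" is an assumption based on the behaviour the report describes.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;

public class StartTlsCipherCheck {

    // Hypothetical helper (not James code): builds a server-side engine and
    // applies the configured suites only when a list was actually passed in.
    static SSLEngine newServerEngine(SSLContext ctx, String[] enabledCipherSuites) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        if (enabledCipherSuites != null) {
            engine.setEnabledCipherSuites(enabledCipherSuites);
        }
        return engine;
    }

    // True when the engine offers exactly the configured suites and nothing else.
    static boolean honoursAllowList(SSLEngine engine, String[] configured) {
        return Arrays.equals(engine.getEnabledCipherSuites(), configured);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Constructed allow-list: one suite this JVM supports, standing in for
        // the <supportedCipherSuites> element of the server configuration.
        String[] configured = { ctx.getSupportedSSLParameters().getCipherSuites()[0] };

        // Before the fix: the factory dropped the list, so null reached the engine.
        SSLEngine unrestricted = newServerEngine(ctx, null);
        // After the fix: the configured list is forwarded.
        SSLEngine restricted = newServerEngine(ctx, configured);

        System.out.println("null list       -> " + unrestricted.getEnabledCipherSuites().length
                + " suites enabled, allow-list honoured: "
                + honoursAllowList(unrestricted, configured));
        System.out.println("configured list -> " + restricted.getEnabledCipherSuites().length
                + " suite enabled, allow-list honoured: "
                + honoursAllowList(restricted, configured));

        // A deployment check would fail here if the allow-list were ignored.
        if (!honoursAllowList(restricted, configured)) {
            throw new IllegalStateException("configured cipher suites were not applied");
        }
    }
}
```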
