qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-7056) [Java Broker/Client] Allow overriding of TLS cipher suites preferences
Date Fri, 12 Feb 2016 18:28:18 GMT

    [ https://issues.apache.org/jira/browse/QPID-7056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15145009#comment-15145009
] 

ASF subversion and git services commented on QPID-7056:
-------------------------------------------------------

Commit 1730088 from orudyy@apache.org in branch 'java/trunk'
[ https://svn.apache.org/r1730088 ]

QPID-7056: [Java Broker, Java Client] Improve TLS handling

* Respect order of TLS cipher suites
* remove enabled/disabled cipherSuites/protocol context variables in favour of white/black
list
* Support RegEx in TLS protocol/cipherSuite white/black lists
* unify the creation of SSLContext and try several protocols by default.

> [Java Broker/Client] Allow overriding of TLS cipher suites preferences
> ----------------------------------------------------------------------
>
>                 Key: QPID-7056
>                 URL: https://issues.apache.org/jira/browse/QPID-7056
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Client
>            Reporter: Alex Rudyy
>         Attachments: 0001-QPID-7056-Java-Broker-Java-Client-Improve-TLS-handli.patch,
0001-QPID-7056-Java-Broker-Java-Client-Improve-TLS-handli.patch, order-cipher-suites.diff
>
>
> During TLS handshaking, the client requests to negotiate a cipher suite from a list of
cryptographic options that it supports, starting with its first preference. Then, the server
selects a single cipher suite from the list of cipher suites requested by the client. Normally,
the selection honors the client's preference. 
> Both Qpid Broker and Client need to be able influence the order of cipher suites to negotiate.
At the moment, the order of  cipher suites is defined in JDK implementations. For example,
in Oracle 1.8 JDK  GCM cipher suites (for example, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
etc) are faster then TLS_ECDHE_RSA_WITH_AES_255_CBC_SHA384 but  cipher suite TLS_ECDHE_RSA_WITH_AES_255_CBC_SHA384
is selected during negotiation of TLS. Both broker and client should be able to override the
order of cipher suites.  Thus, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 should be considered
before TLS_ECDHE_RSA_WITH_AES_255_CBC_SHA384.
> Additionally, Broker should be able to select cipher suites based on its own preference
rather than the client's preference in order to mitigate the risks of using weak cipher suites.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message