Setting cipher suites for ssl sockets

Similar Messages

• How to find what provider is used to for cipher in a SSL socket's handshake

  Hi,
  I have few security providers loaded with Mozilla-JSS provider above the SunJSSE provider.
  SSLContext is provided by SunJSSE. If I get an instance of Cipher seperately, it says it is provided by Mozilla-JSS.
  How do I know what provider is used inside the socket's handshake method to get the cipher in the following code. Will it be SunJSSE or Mozilla-JSS
  SSLContext sc = SSLContext.getInstance("TLSv1");
  sc.init(null, new TrustManager[] { new SSLTrustManager()}, secRand);
  SSLSocketFactory socketFactory = sc.getSocketFactory();     
  javax.net.ssl.SSLSocket socket = (javax.net.ssl.SSLSocket)socketFactory.createSocket();     
  InetSocketAddress address = new InetSocketAddress(ip, port);
  socket.connect(address, 5 * 1000);
  socket.setSoTimeout(30 * 1000);
  socket.setEnabledCipherSuites(SSL_CIPHER_SUITES);
  socket.setEnabledProtocols(new String[] {"TLSv1"});
  javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance("DESede/CBC/NoPadding");
  System.out.println("provider for cipher == " + cipher.getProvider().getName() ); -> Mozilla-JSS
  System.out.println("provider for SSL Context is == " + sc.getProvider().getName()); ---> SunJSSE
  Thanks,
  Sreedhar

  I could not get anything extra from the debug option.
  We have a requirement to use FIPS compliant provider. Mozilla-JSS provider is FIPS compliant and SunJSSE is not.
  SSLContext code is not part of the Mozilla-JSS provider API. So, I wanted to use SunJSSE for SSLContext and I would be fine if I am sure that Cipher used inside the SSLSocket handshake comes from Mozilla-JSS.

• Setting cipher suite name in Httprequest header

  Is it possible to set the cipher suite name in http request header ?

  The cipher suite has nothing to do with HTTP. Ciphersuites are only negotiated by the SSL/TLS peers.

• Default cipher suite used by ASA for SSH?

  By default ASA used which encryption algorithm i.e. cipher suite for SSH?
  Thanxs

  Hi,
  To my knowledge it's 3DES/AES.
  You can verify with 'show version' and 'show ssh session' commands.
  Sent from Cisco Technical Support iPhone App

• Applet(using SSL sockets) application in browser

  hello everyone,
  I am new to this forum, and this is my first forum in this site, please help me,
  My problem is,
  I have done an applet application which uses the SSL sockets, and it is working fine if i use the appletviewer tool, with the arguments of policy and URL, when i run this command "appletviewer -J-Djava.security.policy=mypolicy.policy URL of my html page" in the command mode its working fine.
  I have wrote HTML file for running the applet, and when i used it in the browser i was not able to get output , i was getting the error "NoTrustedCertificates found", i have setted the properties of truststore and password in the program itself like,
  System.setProperty("javax.net.ssl.trustStore", System.getProperty("java.home")+"cert");
  System.setProperty("javax.net.ssl.trustStorePassword", "pwd");
  and i also used the policy tool. I have stored my certificate along with the jar file, and i was getting this error
  can anyone please help me, or suggest me the right way to reach my target.
  Thanx in advance

  Hai,
  I have made my client applet running from the remote system, and the client was establishing SSL sockets, and there is a problem in Handshake, NO TRUSTED CERTIFICATE found was the error, and i had loaded the certificates ( one is used for signing the certificate, and the other is used for the SSL sockets authentication ) in my applet client code i have setted the system properties like
  System.setProperty("javax.net.ssl.trustStore", System.getProperty("java.home")+"\\lib\\security\\cert");
  System.setProperty("javax.net.ssl.trustStorePassword", "pwd");
  and this is the certificate which is used for SSL sockets authentication, and i stored the cert in the "jre\lib\security\" directory, and im using the jdk1.4.2_05 version.
  At the client side the error is
  Network Error: sun.security.validator.ValidatorException: No trusted certificate found.
  at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
  at java.io.OutputStream.write(Unknown Source)
  at java.lang.Thread.run(Unknown Source)
  Caused by: sun.security.validator.ValidatorException: No trusted certificate found
  at sun.security.validator.SimpleValidator.buildTrustedChain(Unknown Source)
  at sun.security.validator.SimpleValidator.engineValidate(Unknown Source)
  at sun.security.validator.Validator.validate(Unknown Source)
  at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
  at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
  At the server side the error is
  javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
  at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.b(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
  at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
  at com.ClientNeg.run(ClientNeg.java:76)
  at java.lang.Thread.run(Unknown Source)
  i was not able to understand what went wrong , so any one please help me in doing my work.
  Thanx
  dwurity

• How to locate and configure SSL cipher suites

  hi all,
  i wanted to knw how Ciphersuites that are used in SSL Connections are picked up by the JVM or whoever is responsible for establishing the connection at lower level. I mean there are methods in SSLSocketFactory, HttpsURLConnection named getEnabledCipherSuites(). I was just wondering where these default cipher suites are picked up. Is there any configuration file or some setting where we can add our own cipher suite to the list?
  Please advice.
  Thanks in advance :)
  Arun

  hi,
  As already we have discussed this, we can set the ciphersuite used in the SSLConnection using SSLSocket.setEnabledCIpherSuite() function only. And getSupportedCipherSuites() function returns the list of cipher suites that are supported by the connection.
  But i want to set ciphersuite in SSLConnection using HttpsURLConnection. Under this class (HttpsURLConnection) there is no such method where u can specify the ciphersuite.
  So i am trying to find out when an SSL connection is setup from where does the JVM loads the cipher suites? I checked the All the basic classes in javax.net.ssl package and all contain the methods as abstract. So if anybody has any idea regarding where these supported cipher suites are located in jdk please let me knw.
  Thanks in advance :)
  Arun

• How to add a Cipher Suite using RSA 1024 algorithm to the 'SSL Cipher Suite Order' GPO

  Following a VA test the Default Domain GPO has been set to enable the SSL Cipher Suite Order.  Following the change Symantec Endpoint Protection Manager doesn't work properly as the the Home, Monitors and Reports pages are blank and an Schannel error is
  logged in the SEPM server's event log.
  I have spoken to Symantec and I have been told that we need to allow the RSA 1024 bit algorithm but they can't tell me which cipher suite this would be.  I have looked in the GPO setting and can't see an RSA 1024 suite but have found some in this article:
  http://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01
  I want to know how to add an additional cipher suite into the setting safely.  Am I able to just add the suite into the GPO setting (eg TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA) or do I need to do anything else beforehand?
  If anyone has any advice regarding this or cipher suite orders and troubleshooting SSL problems it would be much appreciated,
  Thanks
  Chris

  Hi Chris,
  Based on my research, RSA_EXPORT1024_DES_CBC_SHA is a previous cipher suite, which is supported, you can enable it use
  SSL Cipher Suite Order policy setting under Administrative Templates\Network\SSL Configuration Settings.
  More information for you:
  TLS/SSL Cryptographic Enhancements
  http://technet.microsoft.com/en-us/library/cc766285(v=WS.10).aspx
  Best Regards,
  Amy

• How can I control the list of cipher suites offered in the SSL Client Hello message? I want to forbid MD5 and RC4.

  How can I control the list of cipher suites offered in the SSL Client Hello message?
  I want to limit my browser to negotiating strong cipher suites. I'd like to forbid DES, MD5 and RC4.

  Set the related SSL3 prefs to false on the about:config page (Filter: security.ssl3.).
  *http://kb.mozillazine.org/about:config

• Cisco Prime Infrastucture vulnerability SSL RC4 Cipher Suites Supported

  Hi All,
  I have a question on how to disable RC4 Cipher Suites Supported on Cisco Prime Infrastructure Platform.
  My Client have use Nessus Software to scan on prime. and found on below vulnerability
  SSL RC4 Cipher Suites Supported
  Cisco prime infrastructure deploy on latest 2.1
  we have gain the root access and modifier the ssl.conf and restart the service also unable to solve.
  /opt/CSCOlumos/httpd/ssl/backup/ssl.conf
  /opt/CSCOlumos/httpd/ssl/ssl.conf
  C:\Program Files\Tenable\Nessus>nessuscmd -v -p 443 -i 21643 192.168.1.55
  Starting nessuscmd 5.2.7
  Scanning '192.168.1.55'...
  Host 192.168.1.55 is up
  Discovered open port https (443/tcp) on 192.168.1.55
  [i] Plugin 21643 reported a result on port https (443/tcp) of 192.168.1.55
  + Results found on 192.168.1.55 :
     - Port https (443/tcp) is open
       [i] Plugin ID 21643
        | Here is the list of SSL ciphers supported by the remote server :
        | Each group is reported per SSL Version.
        | SSL Version : TLSv1
        |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
        |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
        | C(56)          Mac=SHA1
        |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(1
        | 8)             Mac=MD5
        |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(1
        | 8)             Mac=SHA1
        |
        | SSL Version : SSLv3
        |   Medium Strength Ciphers (>= 56-bit and < 112-bit key)
        |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
        | C(56)          Mac=SHA1
        |       DES-CBC-SHA                  Kx=RSA         Au=RSA      Enc=DES-C
        | C(56)          Mac=SHA1
        |   High Strength Ciphers (>= 112-bit key)
        |       EDH-RSA-DES-CBC3-SHA         Kx=DH          Au=RSA      Enc=3DES(
        | 68)            Mac=SHA1
        |       RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(1
        | 8)             Mac=MD5
        |       RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(1
        | 8)             Mac=SHA1
        | The fields above are :

  Hi ,
  "SSL RC4 Cipher Suites Supported" has been documented in bug CSCum03709. 
  CSCum03709    PI 2.0.0.0.294 with SSH vulnerabilities
  Presently, there is no workaround for this vulnerability, however, the fix will be implemented in
  Prime Infrastructure 2.2.which is planned to be released around the end of this year ( tentative)
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ***

• SSL Medium Strength Cipher Suites Supported vulnerability

  Kind of an odd thing.  We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites.  I say strange cause I have 3 others that have the same IOS image and they didn't get pinged.  Swap out the management IP address and they are all the same.  They are all running 12.2(52)SE C2960-LANBASEK9-M, with a 768 bit keys.  Here is the text of the vulnerability :
  Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
  Reconfigure the affected application if possible to avoid use of medium strength ciphers. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
  Can someone point me in the right direction on how to re-configure the switch to pass this test?
  Thanks
  Poirot

  I believe the alert there is because you are using a 768 key which was broken recently (Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768 keys). 768bit RSA keys is not considered secure enough any more.
  I would suggest you to configure keys of 1024 on these switches and try again.
  I hope it helps.
  PK

• Dvd for adobe creative suite 5.5 web premium has set-up.exe for windows, but how to install on macbook?

  Hi,
  I have the dvd for adobe creative suite 5.5 web premium, I see a set-up.exe for windows, but how do I install this software on my macbook please?
  Thank you
  E

  You can't one way or the other. Serial numbers are platform specific and platform swaps only apply to current  versions, meaning you have to upgrade to CS6 and make the switch.
  Mylenium

• Set PC Suite password for privacy?

  Hello,
  I share my computer (Windows XP) with other people (family) and we use the same user account. One of the users has a Nokia phone (6300) and uses the PC suite to backup contacts and messags. But we can't find a way to restrict access to this data. Every user may access the PC Suite and browse the contacts (bad) and even messages (bad³).
  Is there a way to set a password for the PC suite?
  Thanks in advance,
  Dirk
  Solved!
  Go to Solution.

  I also experience this issue. This is not right. There should have been a facility to set password. I stay in a hostel and the whole hostel use my laptop. The whole softwares and games are installed in my account. And due to some reason I am not able to create other accounts in my system
  Come on there should be a password setting option in nokia pc suit
  Shanto Mathew

• SSL cipher suites with v3

  Any way to adjust which SSL cipher suites are used with the messaging agent on version 3 of messenger? There are a few that are not compatible with our firewall and we need to disable them. It's keeping iOS clients from connecting.

  Palo Alto Networks firewall. We enforce SSL decryption on all traffic and any suite that uses Diffie-Hellman key exchange isn't supported. Has to be RSA key exchange.
  Originally Posted by ahidalgo
  Which SSL cipher suites are not compatible with your firewall, just curious. Whose firewall are you using?
  Al
  On 2/27/2015 at 9:26 PM, jarrodholder<[email protected]> wrote:
  Any way to adjust which SSL cipher suites are used with the messaging
  agent on version 3 of messenger? There are a few that are not
  compatible with our firewall and we need to disable them. It's keeping
  iOS clients from connecting.
  jarrodholder
  jarrodholder's Profile: https://forums.novell.com/member.php?userid=1616
  View this thread: https://forums.novell.com/showthread.php?t=482111

• SSL and TLS Cipher Suites

  Hello,
  I am tying to use the SSLContext class in a nonblocking IO application with "TLS" protocol in Server mode.
  I am seeing a "no cipher suites in common" error message during the handshake.
  The Client is requesting for "TLS_RSA_WITH_RC4_128_MD5" but this cipher is not available (verified from the list returned by SSLEngine.getSupportedCipherSuites()).
  I have the following questions.
  1> Are SSL_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_MD5 the same?
  2>Is it possible for me to register TLS_RSA_WITH_RC4_128_MD5 as an alias for SSL_RSA_WITH_RC4_128_MD5?
  3> How can I get the Server to recognize TLS_RSA_WITH_RC4_128_MD5?
  Thanks,
  arun.

  Hello,
  I am tying to use the SSLContext class in
  a nonblocking IO application with "TLS" protocol in
  Server mode.
  I am seeing a "no cipher suites in common" error
  message during the handshake.
  The Client is requesting for
  "TLS_RSA_WITH_RC4_128_MD5" but this cipher is not
  available (verified from the list returned by
  SSLEngine.getSupportedCipherSuites()).
  I have the following questions.
  1> Are SSL_RSA_WITH_RC4_128_MD5 and
  TLS_RSA_WITH_RC4_128_MD5 the same?Yes
  2>Is it possible for me to register
  TLS_RSA_WITH_RC4_128_MD5 as an alias for
  SSL_RSA_WITH_RC4_128_MD5?Shouldn't be necessary, as they are compared by RFC2246 value, not by name.
  3> How can I get the Server to recognize
  TLS_RSA_WITH_RC4_128_MD5?Do the client and server both create their SSLContexts with "TLS". Do either of them modify the enabled cipher suites? Does the server have an RSA certificate?

• How to set the Certifcate to use for SSL when more than one available?

  I apologise for bad wording of question.
  We have a 11g Directory Server and when we created the directory instance it generated a self-signed certificate. very nice.
  We have recently requested and installed a CA signed certifcate, so we now have TWO certificates in the directory certificate store. Default Certificate and the new Server-Cert (the CA signed one)
  LDAP clients STILL seem to be presented with the self-sgned certificate though.
  Simple question... how do I make my Server-Cert the 'default' certificate presented to LDAP clients ???
  I would rather not delete the self-signed cert if possible.
  I cant find any documented method to achieve this.

  # Listing Certificate
  $ /certutil -L -d <path>/slapd-abc/alias -P slapd-
  # Add Trust by adding CT
  $ certutil -M -n "GeoTrust DV SSL CA" -t CT,, -d <path>/slapd-abc/alias -P slapd-
  # Verify the setup.
  $ certutil -L -d <path>/slapd-abc/alias -P slapd-
  ( You should see the CT beside the relevant cerficate, making it default for SSL communication )
  GeoTrust DV SSL CA CT,,
  Link : http://docs.oracle.com/cd/E19656-01/821-1504/6nmg10b6g/index.html ( Look around for different steps for configuring SSL )
  JPrince