The current task I've been working on is to obtain the cipher suites that is currently used by a server.
I have been using WinHTTP and I haven't found anything related to cipher suites in this library.
Is there any way to do this? Just need to know whether it is possible through C++
Related
I am running Hazelcast as a cache service, it seems I can improve perf with BoringSSL and this is simpler because I don't need to install additional software
Reading their doc: https://docs.hazelcast.com/imdg/4.1.2/security/integrating-openssl.html
I see that I just need two jars, but I don't see any mention of config settings. Do I just use the Java SSL settings with BasicSSLContextFactory?
I see I can use com.hazelcast.nio.ssl.BasicSSLContextFactory as mentioned here https://docs.hazelcast.com/imdg/4.1.2/security/tls-ssl.html#tlsssl-for-hazelcast-members for the Java SSL implementation
They also provide com.hazelcast.nio.ssl.OpenSSLEngineFactory for OpenSSL integration (https://docs.hazelcast.com/imdg/4.1.2/security/integrating-openssl.html#using-openssl)
BoringSSL is the library to use OpenSSL. So this link is a good source. However, if you not bound to the old Java versions, then nowadays Java TLS is faster than OpenSSL, so no need for BoringSSL.
Since SSL is a Hazelcast Enterprise feature, feel free to raise a Hazelcast Zendesk Ticket if you need some more detailed help.
Starting with Hazelcast version 4.0, there is the following logic deciding which TLS engine is used:
when Java version<11 and a netty-tcnative package (wrapping OpenSSL, BoringSSL, ...) is on the classpath: Use the OpenSSLEngineFactory;
in all other cases: Use the BasicSSLContextFactory.
Surely, you don't need to use the defaults, but you can specify the factory-class-name configuration attribute with the factory of your choice.
You can use the same properties in OpenSSLEngineFactory like the ones in BasicSSLContextFactory (e.g. keyStore*, trustStore*). Nevertheless, the native way of configuring the OpenSSLEngineFactory is by using keyFile and other properties mentioned in the documentation section about OpenSSL.
Why the Java 11 check
As mentioned above, the OpenSSLEngineFactory is not used for Java 11 and newer by default. This decision was based on Hazelcast performance testing which shows OpenSSL performance benefits when used with Java 8, but not with Java 11 (or newer).
Here are throughput graphs from those tests (performed in 2019).
TLSv1.2
TLSv1.3
We have an web app in Java for GlasFish server, we set cipher to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but IE11 wont open a page at all, saying we need to enalbe TLS 1.0, 1.1 and 1.2
These were enabled in Advanced settings but still no luck. Installed Chrome and it opened a page with no problem.
Trying to open the same page using IE11 from Windows 8.1 gave no problem, too.
Tried to disable Enhanced Security for IE on ser
Any hints, please?
Cipher support differs between browsers and operating systems and new ciphers also sometimes get added with patches. To get an overview which ciphers are probably supported by a specific system have a look at SSLLabs.
In any case it is recommended that you are using a set of secure ciphers to support the variety of systems and that you don't restrict yourself to a single cipher, especially an advanced and TLS 1.2 only cipher like the one you have chosen.
A little while ago we received an email from the Azure Team regarding an upcoming TLS/SSL cipher suit update, kicking in after July 18th with the following instruction:
You can check whether the clients that access your web apps will still function correctly by testing them against https://testsslclient.trafficmanager.net/. Your client is compatible if you receive a 200 HTTP status—the page will display a “SSL client test complete!” message.
After testing our standard clients it looks like IE7 and IE8 fail the test on XP SP3 (Chrome still works).
Does anybody else have results of what clients are expected to fail? (It would have been nice if the Azure Team would have provided a list of expected incompatibilities).
Also: the test page uses an SHA2 certificate. We are still using SHA1 on some sites, due to be updated eventually. Does anybody know if the update will have any impact on SHA1 certificates?
Related link
Yes, XPSP3 IE 7/8 will fail because they don't support any of the ciphers that will be on the updated list. I don't think we have a list of clients that will / will not work, because the list is quite large ... you have to worry about embedded devices like PoS terminals etc, and not just browsers.
SHA-1 certificates will still be supported in Azure WebApps, although some browsers like Chrome will complain about obsolete cryptography etc.
We have repeated our tests today and IE7 and IE8 on XPSP3 now pass the client test at https://testsslclient.trafficmanager.net.
We assume the implementation of the TLS/SSL cipher suit has been updated to allow for this now...
I'm trying to add SNI to my client-side program (C/C++) that uses Microsoft SDK's Schannel API for TLS.
I've searched everywhere but could not find any documentation on how Schannel supports SNI extension.
I looked up the documentation for AcquireCredentialsHandle(), InitializeSecurityContext() but no success.
So, could anyone please help me with some example code?
The SNI is specified as part of the ClientHello, which is generated by InitializeSecurityContext(). Specficially, Schannel uses the 3rd parameter of that function for certificate validation, as well, as SNI; but not all versions of Windows support TLS extensions (which includes SNI).
TLS Extensions were first introduced in Internet Explorer 7 beta 3 on Windows Vista. Plus, even if your operating system supports it, TLS will likely be turned off, by default.
There is a working example on CodeProject that shows SNI from the client and server side.
I recently added a cipher to the FreeBSD Crypto kernel module, but i am having trouble testing it from the application layer and verifying that it works.
I managed to add my cipher and compile the kernel successfully, but i want to use my cipher in the application layer. How can i write a small program to use this new cipher ?
The API is described in crypto(9).