Re: [jetty-users] keystore

Also, read and understand the linked-to issue on the IBM side for TLS (from the prior message)

https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html

The IBM JVM apparently does not follow the OpenJDK standard naming of things (which dozens of other alternate JVMs do); that article tells you how to correct the startup of your IBM JVM to address that as well.



Joakim Erdfelt / joakim@xxxxxxxxxxx

On Wed, Mar 14, 2018 at 11:53 AM, Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx> wrote:
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...




-------- Original message --------
From: Lothar Kimmeringer <job@xxxxxxxxxxxxxx>
Date: 3/14/18 17:36 (GMT+01:00)
Subject: Re: [jetty-users] keystore

Hi,

On 14.03.2018 at 17:24, Joakim Erdfelt wrote:

> * The IBM JVM is not sane, look into its cipher suites and protocols.
>
> A quick comparison shows that it has half the cipher suites that oracle jvm or openjdk has.

Not necessarily. At least the JVM for i Series has more or less the same
ciphers, but the textual representation does not start with TLS_... but with SSL_...,
so filters based on the textual representation will filter out most
of them (in my case, where I found that out, all ciphers were filtered).

Here, as an example, is the -Djavax.net.debug=ssl:handshake output for a ClientHello
sent by an AS/400:

Cipher Suites: [
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  SSL_RSA_WITH_AES_256_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_RSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_RSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_RSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
  SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
  SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_RSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]


Cheers, Lothar
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
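
Added example, not part of the thread and not Jetty's or IBM's code: it shows how a name-based exclude list of the kind Lothar describes removes nearly every suite when the JVM reports SSL_-prefixed names, and how matching on a TLS_-normalized copy of the name keeps the decision tied to the algorithms instead of the prefix. The class name `CipherNameFilter` and the three exclude patterns are assumptions chosen for illustration; the sample names are a subset of the ClientHello quoted above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class CipherNameFilter {
    // Assumed exclude patterns for illustration; not taken from the thread.
    static final List<Pattern> EXCLUDES = Arrays.asList(
        Pattern.compile("^SSL_.*$"),             // meant to catch SSL-era suites
        Pattern.compile("^.*_(MD5|SHA|SHA1)$"),  // MD5 / SHA-1 based MACs
        Pattern.compile("^TLS_RSA_.*$"));        // static RSA, no forward secrecy

    // Map an SSL_ prefix to TLS_ for matching only; the JVM's own name
    // is still what gets handed back to the caller.
    static String normalize(String suite) {
        return suite.startsWith("SSL_") ? "TLS_" + suite.substring(4) : suite;
    }

    static boolean excluded(String name) {
        return EXCLUDES.stream().anyMatch(p -> p.matcher(name).matches());
    }

    // Returns the suites (under their original names) that survive the filter.
    static List<String> select(List<String> supported, boolean normalizeFirst) {
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            String key = normalizeFirst ? normalize(suite) : suite;
            if (!excluded(key)) {
                kept.add(suite);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        // Subset of the cipher suite names from the ClientHello quoted above.
        List<String> ibmNames = Arrays.asList(
            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
            "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "SSL_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_DHE_RSA_WITH_AES_128_CBC_SHA");

        System.out.println("matched on raw names:        " + select(ibmNames, false));
        System.out.println("matched on normalized names: " + select(ibmNames, true));
    }
}
```

Comparing the two printed lists against `SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()` on the target JVM is a quick check for whether a name-based filter is leaving any usable suite enabled.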
