
SSL: CipherSuites in Glassfish 3.0.1 -only *128* and no *256* CipherSuites?

5 replies
nabizamani
Offline
Joined: 2005-05-08
Points: 0

Hi,

I have downloaded and installed Glassfish 3.0.1 and so far I am glad it all works almost as I expected...

What I have done so far is using the keytool to generate an own key for https usage instead of using the standard key from oracle (alias: "s1as"). I have used the following command:

keytool -keysize 2048 -genkey -alias myalias -keyalg RSA -dname "CN=mycn,O=myo,L=myl,S=mys,C=myc" -validity 3650 -keypass changeit -storepass changeit -keystore keystore.jks

This all worked fine. And I did not even have to restart Glassfish:
when I called https://localhost:4848 it automatically took the new key even though I did not change anything in the configuration by using admin console (==> setting was still "s1as").

Question 1: Why did Glassfish automatically take my new key?

Anyway... I continued and changed "s1as" in admin console to "myalias", which references the key I generated (see above). Then I saw that there are some "CipherSuites" section within the SSL tabs of my http-listener2 and the others. What I see there is:


TLS_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

What does this exactly mean???
Are only 256 bit CipherSuites supported or what?
Remember I created a 2048 bit key, which does not seem to be a problem for Glassfish (because I saw no errors/exceptions/warnings).

Thanks in advance,
Nabi

nabizamani
Offline
Joined: 2005-05-08
Points: 0

Well, it seems nobody knows or nobody wants to let me know.

This question is still unanswered, so please help...

hiro2k
Offline
Joined: 2010-02-15
Points: 0

Go here http://java.sun.com/javase/downloads/index.jsp and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 at the bottom of the page.

That should allow you to use the 256bit cipher suites, however I don't think it will show up in GlassFish. You just have to trust that SSL will negotiate with the client and use the strongest suite that they both have installed.
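
Added example, not part of the reply above: a small Java program that reports whether the unlimited-strength policy is in effect and which cipher suites the JVM supports and enables by default. The class name CipherSuiteCheck is an assumption, and the program has to be run with the same JRE that GlassFish uses for the result to apply to the server.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class CipherSuiteCheck {
    // Substrings that mark suites a server should not offer.
    static final String[] WEAK = {"_RC4_", "_3DES_", "_DES_", "_MD5", "_NULL_", "_EXPORT_", "_anon_"};

    public static void main(String[] args) throws Exception {
        // With the default (limited) policy files this returns 128;
        // with the unlimited-strength policy it returns Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max allowed AES key length: "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));

        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        Set<String> enabled = new HashSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        // One line per suite: enabled or only supported, plus a strength note.
        for (String suite : supported) {
            String state = enabled.contains(suite) ? "enabled  " : "supported";
            System.out.println(state + "  " + suite + "  " + classify(suite));
        }
    }

    // Label a suite by the symmetric cipher named in it. The number in the
    // suite name (128, 256) is the symmetric key size in bits; it is
    // unrelated to the size of the RSA key in the keystore.
    static String classify(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) {
                return "[weak: " + marker.replace("_", "") + "]";
            }
        }
        if (suite.contains("_256_")) {
            return "[256-bit]";
        }
        if (suite.contains("_128_")) {
            return "[128-bit]";
        }
        return "";
    }
}
```

If no suite containing AES_256 is listed and the first line reports 128 bits, the policy files were not installed into the JRE that ran the program.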

nabizamani
Offline
Joined: 2005-05-08
Points: 0

Hi,

well, I did that. But in the meantime I have also downloaded glassfish yesterday again and made a new install. I am not sure, but somehow I feel that the download from yesterday works better than the download from June... anyways, here is my status after changing to the unlimited strength JCE:

http-listener-2 / admin-listener:

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA

This is quite different from what I had previously. But still I don't know how to add other ciphers.
So the questions now are:

1. What do these entries (see above) exactly mean (i.e. 256bit or 256byte?)?
2. Does Glassfish support adding custom ciphers?
3. What is the maximum cipher strength that is possible in glassfish and how can I activate/install it?

Thanks,
Nabi

Message was edited by: nabizamani

nabizamani
Offline
Joined: 2005-05-08
Points: 0

Does nobody know the answer(s)?

nabizamani
Offline
Joined: 2005-05-08
Points: 0

hey netbeans guys - where are you??