OneSwarm icon indicating copy to clipboard operation
OneSwarm copied to clipboard
verified publisher icon CSEMike

ECDHE_RSA keyexchange

Open isdal opened this issue 14 years ago • 0 comments

Enforce the use of TLS 1.2 with key exchange with forward secrecy.

Notes: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#AlgorithmConstraints http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLContext http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#SSLParameters

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms

ECDHE_RSA for keyex is good but any DH or DHE RSA should do with a mod of 1024 - 4096; for ciphers you want AES_265_CBC

check out page 54: http://www.ietf.org/rfc/rfc2246.txt

Don't forget to totally disable reneg as you can't be sure that the peer does it correctly unless you have secure reneg support.

In an ideal world, I'd suggest TLS 1.2 if possible.

http://srcrr.org/java/bouncycastle/bouncycastle/1.46/reference/org/bouncycastle/crypto/tls/KeyExchangeAlgorithm.html#DHE_RSA

isdal avatar Jan 10 '12 01:01 isdal