Add permission check for RC4 encryption with 160 bits key and otherwise default to wireCrypt=DISABLED instead of ENABLED [JDBC546] #579

Closed
firebird-automations opened this issue Aug 22, 2018 · 10 comments

Comments

@firebird-automations

Submitted by: @mrotteveel

Is related to JDBC543

See JDBC543. Investigate if it is possible to check if we can use RC4/ARCFOUR with 160 bits key and if not default to wireCrypt DISABLED (e.g. if the limited cryptographic jurisdiction policy is used).

@firebird-automations
Author

Commented by: @mrotteveel

Only backport to 3.0.x if simple to do.

@firebird-automations
Author

Modified by: @mrotteveel

Fix Version: Jaybird 4 [ 10441 ]

@firebird-automations
Author

Modified by: @mrotteveel

description: See JDBC543. Investigate if it is possible to check if we can use RC4/ARCFOUR with 160 bits encryption and if not default to wireCrypt DISABLED (eg if the limited cryptographic jurisdiction policy is used). => See JDBC543. Investigate if it is possible to check if we can use RC4/ARCFOUR with 160 bits key and if not default to wireCrypt DISABLED (eg if the limited cryptographic jurisdiction policy is used).

@firebird-automations
Author

Modified by: @mrotteveel

Link: This issue is related to JDBC543 [ JDBC543 ]

@firebird-automations
Author

Commented by: @mrotteveel

See https://stackoverflow.com/questions/7953567/checking-if-unlimited-cryptography-is-available for a possible direction for a solution.

@firebird-automations
Author

Commented by: @mrotteveel

Note that the connection doesn't actually fail (unless wireCrypt=REQUIRED), it just logs warnings on each connect. We may also want to consider reducing the logging in some way (e.g. only log the stacktrace on WARN the first time, and the remainder on DEBUG).

@firebird-automations
Author

Commented by: @mrotteveel

Checking for 160 bits key length support will tie this intimately to current SRP session key length, but anticipating different session key lengths (which may or may not ever happen), will make this more complex. I'm not sure what the right solution is yet.

@firebird-automations
Author

Commented by: @mrotteveel

Decided to delay this to wait for multiple wire crypt plugins to see what a good solution would be.

@firebird-automations
Author

Modified by: @mrotteveel

Fix Version: Jaybird 5 [ 10871 ]

Fix Version: Jaybird 4 [ 10441 ] =>

@mrotteveel
Member

Decided not to do this

@mrotteveel closed this as not planned Aug 27, 2022
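The check discussed in this thread, sketched as an added example; it is not Jaybird code (the issue was closed without implementing it). The class, enum and method names are hypothetical, and the session key length is passed as a parameter because the thread notes that 160 bits is tied to the current SRP session key.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added illustration; class, enum and method names are hypothetical, not Jaybird's API.
public class WireCryptDefault {
    enum WireCrypt { DISABLED, ENABLED, REQUIRED }

    private static final Logger LOG = Logger.getLogger(WireCryptDefault.class.getName());
    private static final AtomicBoolean WARNED = new AtomicBoolean();

    /** True if the JCE policy and provider accept an ARCFOUR key of keyBits bits. */
    static boolean rc4KeyAllowed(int keyBits) {
        try {
            // Integer.MAX_VALUE under the unlimited policy; a lower bound under the limited one.
            if (Cipher.getMaxAllowedKeyLength("ARCFOUR") < keyBits) {
                return false;
            }
            // Confirm with a real init: throws InvalidKeyException if the key is rejected.
            Cipher cipher = Cipher.getInstance("ARCFOUR");
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(new byte[keyBits / 8], "ARCFOUR"));
            return true;
        } catch (GeneralSecurityException e) {
            // Stack trace at WARNING once, afterwards only at FINE (debug level).
            Level level = WARNED.compareAndSet(false, true) ? Level.WARNING : Level.FINE;
            LOG.log(level, "ARCFOUR with " + keyBits + "-bit key not usable", e);
            return false;
        }
    }

    /** Default to apply when wireCrypt was not set explicitly. */
    static WireCrypt defaultWireCrypt(int sessionKeyBits) {
        return rc4KeyAllowed(sessionKeyBits) ? WireCrypt.ENABLED : WireCrypt.DISABLED;
    }

    public static void main(String[] args) {
        // 160 bits is the key length named in the issue.
        System.out.println("default wireCrypt = " + defaultWireCrypt(160));
    }
}
```

An explicit wireCrypt=REQUIRED should bypass this default and still fail the connection when the key is rejected.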