Add permission check for RC4 encryption with 160 bits key and otherwise default to wireCrypt=DISABLED instead of ENABLED [JDBC546] #579
Comments
Commented by: @mrotteveel Only backport to 3.0.x if simple to do. |
Modified by: @mrotteveel Fix Version: Jaybird 4 [ 10441 ] |
Modified by: @mrotteveel description: See JDBC543. Investigate if it is possible to check if we can use RC4/ARCFOUR with 160 bits encryption and if not default to wireCrypt DISABLED (eg if the limited cryptographic jurisdiction policy is used). => See JDBC543. Investigate if it is possible to check if we can use RC4/ARCFOUR with 160 bits key and if not default to wireCrypt DISABLED (eg if the limited cryptographic jurisdiction policy is used). |
Modified by: @mrotteveel |
Commented by: @mrotteveel See https://stackoverflow.com/questions/7953567/checking-if-unlimited-cryptography-is-available for a possible direction for a solution. |
Commented by: @mrotteveel Note that the connection doesn't actually fail (unless wireCrypt=REQUIRED), it just logs warnings on each connect. We may also want to consider reducing the logging in some way (e.g. only log the stacktrace on WARN the first time, and the remainder on DEBUG). |
Commented by: @mrotteveel Checking for 160 bits key length support will tie this intimately to current SRP session key length, but anticipating different session key lengths (which may or may not ever happen), will make this more complex. I'm not sure what the right solution is yet. |
Commented by: @mrotteveel Decided to delay this to wait for multiple wire crypt plugins to see what a good solution would be. |
Decided not to do this |
Submitted by: @mrotteveel
Is related to JDBC543
See JDBC543. Investigate if it is possible to check if we can use RC4/ARCFOUR with 160 bits key and if not default to wireCrypt DISABLED (eg if the limited cryptographic jurisdiction policy is used).
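A sketch of the check and the log throttling discussed in this issue, added here as an illustration. It is not Jaybird code (the issue was closed without implementing this), and the class and method names are hypothetical. It uses the standard `Cipher.getMaxAllowedKeyLength` call with the JCE algorithm name `ARCFOUR`, and maps the WARN/DEBUG levels mentioned in the comments to `java.util.logging` WARNING/FINE.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical helper; names are illustrative and not part of the Jaybird API. */
public final class WireCryptDefault {
    // Key length named in the issue. Hard-coding it is the coupling to the
    // SRP session key length that the comments are concerned about.
    static final int REQUIRED_KEY_BITS = 160;
    private static final Logger LOG = Logger.getLogger(WireCryptDefault.class.getName());
    private static final AtomicBoolean WARNED = new AtomicBoolean();

    /** True if the JCE jurisdiction policy permits ARCFOUR keys of the given size. */
    static boolean arcfourAllowed(int keyBits) {
        try {
            // Returns Integer.MAX_VALUE when the unlimited policy is in effect.
            return Cipher.getMaxAllowedKeyLength("ARCFOUR") >= keyBits;
        } catch (NoSuchAlgorithmException e) {
            return false; // treat an unknown algorithm as "not permitted"
        }
    }

    /** Default to use only when the user did not set wireCrypt explicitly. */
    static String defaultWireCrypt(boolean allowed) {
        return allowed ? "ENABLED" : "DISABLED";
    }

    /** Logs the stack trace at WARNING once per JVM, later failures at FINE. */
    static void logEncryptionFailure(Exception cause) {
        if (WARNED.compareAndSet(false, true)) {
            LOG.log(Level.WARNING, "Wire encryption unavailable", cause);
        } else {
            LOG.log(Level.FINE, "Wire encryption unavailable: {0}", cause.toString());
        }
    }

    public static void main(String[] args) {
        boolean allowed = arcfourAllowed(REQUIRED_KEY_BITS);
        System.out.println("ARCFOUR/" + REQUIRED_KEY_BITS + " permitted: " + allowed);
        System.out.println("default wireCrypt=" + defaultWireCrypt(allowed));
    }
}
```

An explicit wireCrypt=REQUIRED setting should still fail the connection when the check returns false; the fallback to DISABLED applies only to the implicit default.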