I'm working with NestJS and want to set the minimum TLS version to 1.3.
I found the max / min version properties in the Node tls documentation (https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options).
How do I set these options for my Nest server?
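Added example, not part of the original question or of any answer on this page: NestFactory.create accepts an httpsOptions object that is handed to Node's https.createServer, so the minVersion property from the tls documentation goes there. AppModule, the PEM paths, port 3000 and the helper names buildHttpsOptions and probe are assumptions.

```javascript
// Added example. AppModule and the PEM paths are hypothetical placeholders.
const fs = require('fs');
const tls = require('tls');

const ALLOWED_MIN_VERSIONS = ['TLSv1.2', 'TLSv1.3'];

// Build the options object Nest passes to https.createServer().
// tls.createSecureContext() is called once here so that an unknown version
// string or a malformed PEM fails at startup instead of at handshake time.
function buildHttpsOptions({ key, cert, minVersion = 'TLSv1.3' } = {}) {
  if (!ALLOWED_MIN_VERSIONS.includes(minVersion)) {
    throw new RangeError(`minVersion ${minVersion} is below policy`);
  }
  const httpsOptions = { key, cert, minVersion };
  tls.createSecureContext(httpsOptions);
  return httpsOptions;
}

// Call this from main.js. Nest is required lazily so the helper above
// can be exercised without the framework installed.
async function bootstrap() {
  const { NestFactory } = require('@nestjs/core');
  const { AppModule } = require('./app.module'); // hypothetical module
  const httpsOptions = buildHttpsOptions({
    key: fs.readFileSync('./secrets/server-key.pem'),   // hypothetical path
    cert: fs.readFileSync('./secrets/server-cert.pem'), // hypothetical path
  });
  const app = await NestFactory.create(AppModule, { httpsOptions });
  await app.listen(3000);
}

// Verification: connect with a client capped at maxVersion and report the
// negotiated protocol, or the error code if the handshake fails.
// Pass the server certificate as `ca` when it is self-signed.
function probe(host, port, maxVersion, ca) {
  return new Promise((resolve) => {
    const socket = tls.connect({ host, port, maxVersion, ca }, () => {
      resolve(socket.getProtocol());
      socket.end();
    });
    socket.on('error', (err) => resolve(`failed: ${err.code}`));
  });
}
```

Once the server is up, probe('localhost', 3000, 'TLSv1.2', cert) should resolve to a failure string, and the same call with 'TLSv1.3' should resolve to 'TLSv1.3'.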
Related
After upgrading Quarkus from 1.x to 2.x it is no longer possible to use websocket with Apache MyFaces (2.3-next-M6).
The browser-console shows an error like
jsf.js.xhtml?ln=javax.faces:1 WebSocket connection to 'wss://some.url/javax.faces.push/some_channel?c12dbb48ce8b67f89f550dc9d32451bd' failed
Quarkus startup-log shows the message
(Quarkus Main Thread) f:websocket support enabled but cannot found websocket ServerContainer instance on current context.
Any ideas how to get websockets working with Quarkus2 and MyFaces?
We'd like to confirm if the nano@6.2.0 can connect with TLS 1.2+ to the Cloudant database even after June 1, 2019.
As per the IBM Cloudant announcement: https://www.ibm.com/cloud/blog/announcements/ibm-cloudant-security-update-tls-1-2-and-service-endpoints, starting on June 1, 2019, the IBM Cloudant API will require Transport Layer Security (TLS) 1.2 and above. The IBM Cloudant API requires HTTPS and currently supports TLS 1.0 and above.
IBM Cloud Node-Red Starter (Node.js version: v8.15.1) uses nano@6.2.0 to connect to its backend Cloudant database to manage the Node-Red Flow.
https://www.npmjs.com/package/nano/v/6.2.0
.../nodered-starter../blob/master/index.js
Line 36: storage.init(settings)....
.../nodered-starter../blob/master/couchstorage.js
Line 73-76:
var couchstorage = {
init: function(_settings) {
settings = _settings;
var couchDb = nano(settings.couchUrl);
...settings.couchUrl is like:
https://username:password@abcd1234-bluemix.cloudant.com
About the IBM Cloud Node-Red Starter: https://cloud.ibm.com/catalog/starters/node-red-starter
Similarly to nodejs-cloudant this will depend on the version of Node.js and OpenSSL installed. It is independent of the version of Apache CouchDB Nano.
OpenSSL has supported TLSv1.2 since 1.0.1 in March 2012. From this blog it appears the version of OpenSSL in Node.js 8.15.1 is 1.0.2r so it should work fine.
I'm facing a problem with a JBoss server and the https connector, running on Java 6.
I want to make my server use only TLSv1.2 and use the cipher suites "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" for decoding the certificate.
I know that Java 6 does not support TLSv1.2, but I added the Bouncy Castle JCE and JSSE provider to the JDK (https://www.bouncycastle.org/latest_releases.html):
Added the JAR files (bcprov-jdk15on-159.jar and bctls-jdk15on-159.jar) in the path_to_jdk/jre/lib/ext folder
Edited file path_to_jdk/jre/lib/security/java.security to add the lines:
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.11=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
The Java instruction SSLContext.getInstance("TLSv1.2"); does not throw a NoSuchAlgorithmException anymore if I test it in a small test class.
On JBoss:
Edited file path_to_jboss/server/default/deploy/jbossweb.sar/server.xml to have:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
keystoreFile="${jboss.server.home.dir}/conf/jboss.pfx"
keystorePass="password" sslProtocols="TLSv1.2" maxThreads="170"/>
After that, JBoss is still providing only the SSLv3 and TLSv1 protocols for https connections.
Any solution?
Thanks
I believe the 'sslProtocols' attribute translates to a call to SSLParameters.setProtocols (later given effect by SSLSocket.setParameters), and doesn't affect the SSLContext.getInstance call. So you are still getting a SunJSSE SSLContext because you added BCJSSE at lower priority.
I suggest moving the BouncyCastleJsseProvider entry in java.security to a higher priority (than com.sun.net.ssl.internal.ssl.Provider).
Also in java.security you will need to set the default KMF type from SunX509 to PKIX (change the existing entry):
ssl.KeyManagerFactory.algorithm=PKIX
This is because BCJSSE currently only works with its own KMF implementation.
I am trying to hit a webservice which supports TLSv1.2. I am using Java 1.4. It does not support TLSv1.2.
Now someone told me that BC could solve my problem.
Though does it work with a SSLEngine as drop in replacement somehow?
Is this possible with BC?
What do I have to do to get a working SSLEngine (for use with TLSv1 in a
nonblocking io scenario) without such low restrictions on primesize for DH.
What I tried:
Security.addProvider(new BouncyCastleProvider());
This alone seems not to solve the problem.
So instead of
SSLContext.getInstance("TLSv1"); //which works alas only little DH keys.
I tried calling the following:
SSLContext.getInstance("TLSv1","BC");
SSLContext.getInstance("TLS","BC");
SSLContext.getInstance("TLSv1.2","BC");
SSLContext.getInstance("ssl","BC");
Though all of them throw NoSuchAlgorithmException.
I could solve this by using the bctls lib, but unfortunately it doesn't seem to have a version for Java 1.4.
The only version that I could find in Bouncy Castle's website and in Mvn Repository is bctls-jdk15on-157 (for Java >= 1.5).
Anyway, if an upgrade of your Java version is possible, you just need to add this jar to your project and use the org.bouncycastle.jsse.provider.BouncyCastleJsseProvider class (I've used Java 1.7 for this test):
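import java.security.Security;
import javax.net.ssl.SSLContext;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
// add the JSSE provider
Security.addProvider(new BouncyCastleJsseProvider());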
// tests
SSLContext.getInstance("TLSv1.1", BouncyCastleJsseProvider.PROVIDER_NAME);
SSLContext.getInstance("TLSv1.2", BouncyCastleJsseProvider.PROVIDER_NAME);
SSLContext.getInstance("TLSv1", BouncyCastleJsseProvider.PROVIDER_NAME);
All tests above run without error.
Checking all the SSL protocols supported:
SSLContext context = SSLContext.getInstance("TLSv1", BouncyCastleJsseProvider.PROVIDER_NAME);
System.out.println(Arrays.toString(context.getSupportedSSLParameters().getProtocols())); // [TLSv1.1, TLSv1, TLSv1.2]
The output is:
[TLSv1.1, TLSv1, TLSv1.2]
I'm wondering if com.datastax.cassandra:cassandra-driver-core:2.0.0-beta2 can be used with org.apache.cassandra:cassandra-all:1.2.1. I'm using cassandra-maven-plugin:1.2.1-1 (which uses org.apache.cassandra:cassandra-all:1.2.1), adding
start_native_transport: true
native_transport_port: ${cassandra.nativePort}
to the yaml plugin property. I can telnet to the port successfully.
However, when I attempt to connect via the following code,
// Ports.NATIVE has the same value as "${cassandra.nativePort}" above
Cluster cluster = Cluster.builder().addContactPoint("127.0.0.1")
.withPort(Ports.NATIVE).build();
Session session = cluster.connect();
I get the following exception:
com.datastax.driver.core.exceptions.NoHostAvailableException: All host(s) tried for query failed (tried: /127.0.0.1 (com.datastax.driver.core.ConnectionException: [/127.0.0.1] Unexpected error during transport initialization (com.datastax.driver.core.TransportException: [/127.0.0.1] Unexpected exception triggered (com.datastax.driver.core.exceptions.DriverInternalError: Server response from unsupported protocol version: 1))))
at com.datastax.driver.core.ControlConnection.reconnectInternal(ControlConnection.java:179)
at com.datastax.driver.core.ControlConnection.connect(ControlConnection.java:77)
at com.datastax.driver.core.Cluster$Manager.init(Cluster.java:868)
at com.datastax.driver.core.Cluster$Manager.newSession(Cluster.java:888)
at com.datastax.driver.core.Cluster$Manager.access$200(Cluster.java:792)
at com.datastax.driver.core.Cluster.connect(Cluster.java:155)
I think the crux of it is Server response from unsupported protocol version: 1.
Does this mean that the 2.0.0-beta2 driver can't be used with Cassandra 1.2.1? Where is the driver/server compatibility matrix?
I've already burned almost a day on this.
Thanks,
Matthew
Yes, it's incompatible. From the java-driver 2.0 requirements:
The driver uses Cassandra's native protocol, and this version 2.0 uses the second version of that protocol. As such, this version of the driver requires a version of Cassandra greater than or equal to 2.0 (for Cassandra 1.2 please use the version 1.0 of the driver).
Try downgrading to 1.0, latest version is 1.0.4:
<dependency>
    <groupId>com.datastax.cassandra</groupId>
    <artifactId>cassandra-driver-core</artifactId>
    <version>1.0.4</version>
</dependency>
The default protocol level for driver version 2.0 or above is 2. To work with an older version of Cassandra (e.g. 1.2) the protocol level needs to be set to 1.
The protocol version can be set on newer drivers using the Cluster.withProtocolVersion method, like
Cluster cluster = Cluster.builder().addContactPoint("127.0.0.1").withProtocolVersion(1)
.withPort(Ports.NATIVE).build();