[Feature request] Ability to define custom cipherSuite. #1693
Comments
|
I tried rewriting |
|
Yes, don't use the maven I haven't fully tested that, but I guess you will find out, if it works for you. |
|
About |
|
Just if you're interested, you may try to contribute it (to 3.x). |
|
@boaks I will try to submit a mr in this month. If we are going to allow user to define custom cipherSuite, we can no longer use enum to manage cipherSuite. If that's is acceptable, I will try to implement it. But for sure I can't allow everything to be customized, maybe in the end only the certificate is customizable (key_exchange is too much for me). |
|
And may I add a rsa cipherSuite to 2.6? |
Therefore I would not go to support "custom cipherSuite"! You either adapt it for your own implementation and build it on your own (other groupid), or you try to contribute the changes. |
To add function would require a review. |
|
@boaks My company has very strict security policy, I am not allowed to download opensource code and built my own variant. And we can't use not-yet-stable releases.
|
Sorry, to make the cipher suite customizable seems for me to be too much! That includes in my opinion to declare a lot of the API to be public (and so to be kept stable). What I was considering is, that, if your changes are not that complex, and rather good tested, that it may get included in Californium.
You need to adapt the key_echange, because ECDSA_ECDHE is based on ECDSA. if you want to use RSA (server certificate), you need to adapt the key_exchange. If it's only intended for the client side, that may be easier (and doesn't require to use new cipher suites at all). |
|
Thanks your your reply. |
|
That seems for me to go in the wrong direction!
Though I'm not able to "grant" ahead, that your work will be merged, the only way for your company is exactly to allow you to modify Californium on your own responsibility! If your company has some legal concerns, let me try to explain, that the eclipse license is exactly granting you that use. If some of the legal department in your company has doubts about that, they may contact the eclipse foundation to proof that. if some help is needed for that, let me know. If this is for security/cryptography reasons, then I don't understand that either. Please also read the license carefully, especially "5. NO WARRANTY". If the consideration is, that we/I will spend a lot of time in a review or do security checks, let me say, that's not my plan. The only thing which is possible, is that if the code doesn't change too much other stuff, we can include it.
If it passes the review, yes. Please ensure, that your company agrees on your contribution and you can sign a ECA. Read CONTRIBUTING . |
|
@boaks I will try to submit a mr first. Using custom build means a lots of paperwork and explaination with dozens of people and I am not confidient that I can persuade everyone of them... |
|
You will need a ECA . That will also require that your company agrees on your work! |
|
@boaks Understood, already signed the ECA. |
|
Any progress? |
|
@boaks Working on that, past two weeks has been too busy. I'm still trying to upgrade leshan to lastest version (but it seems only compactible with californiumn 2.6.3. I doubt that even with the latest leshan I can't use californiumn 3.x). |
Ahh, I overseen that! My bad, sorry ... Over that last months I prepared some PRs in order to migrate leshan to Californium 3.0. With that, the current leshan master works with Californium 3.0.0-M4 (before the Configuration redesign). That Configuration Redesign turned at to require more discussions, than I expected (and to be frank, I'm able and willing to spend.) Just in the case your interested, see issue: According your work: Just in the case you decide to go with the Leshan PR and Californium master, please tell me. I stopped my work on that PR also waiting for the final decision. If you want to apply your work on the top of that PR and Californium master, then I would update that PR to my latest local working state, |
|
Let me add: This discussion, mainly about static field for defaults, is currently blocking the Californium Release. We will see, if mid of October is still realistic or not. I guess, you will require also a Leshan release. |
Just to add some precisions : More concerns are listed than the static vs dynamic question. (maybe some are already fixed, I don't check recently)
One of the possibility to not block the release was proposed by you (and I was agree with that):
(from eclipse-leshan/leshan#1073 (comment)) So I would say that past choice and several discussions are blocking the Californium release. |
|
@boaks Thanks a lot, I will try leshan master. As to the configuration redesgin I actully comfortable with simple setter method....BTW, kafka has similiar mechanism and loading in static block doesn't seems to bother them (see |
|
Just, if your interested in express your opinion and preferences, please read issue #1709. I closed the voting, because I didn't expect more interest and there are/have been jobs to be done depending on that outcome. For me it will be OK, if you indicate your interests even now. I don't know, what the outcome will be and who will then have the time to work on it. I will be next weeks in vacation and after that I'm sure, we will find a way. |
Great, if you then prepare a PR for Californium, please use the "3.0.0-M3.x" branch. That will make it easier for you. |
|
Thanks for your vote! Would it be possible for you, to write a comment? I don't want to influence you too much, but for us it's important, if you vote, just because
|
I agree
I'm not sure about that at least I didn't find it at (SslConfigs.java)
At first sight, I see any of the concerns I raised for californium in the kafka code but maybe I missed something. So there is maybe a misunderstanding, the issue is not about using static field for each definition, this is about the registration in static block. (e.g. here) |
|
That's the result of my first experience with that new Configuration API. With that, a module is register once with the first usage in the "DEFAULT MODULES". It's hard to see for me, why someone has good reason to use this class, if it is not intended to be used for Configuration. Sure, there are some practice out in the wild, which want to ensure, the something is not in use and therefore use it. But that seems for me to be not that relevant. I try to improve the javadoc of the Configuration in PR #1734. (And I'm still on it). |
|
|
@boaks I don't want to use it, just tested it because I happens to have one ed25519 cert. It works before this commit when null return of |
|
Sorry, sometimes a bugfix also cause unclear situations to fail. I added PR #1740 to demonstrate, that You mainly use a combination java8 + BC, which is not considered by Californium. |
|
In other word, if the implementation doesn't really negotiate, that ed25519 is supported on both sides, and just send the cert, and both sides support it without negotiation, then it seems to work ... but that's more by random, than by design. |
|
@boaks Thank you, I failed to notice |
I don't really agree because :
That sounds very different too me. Anyway, recent events made that I decided to not take part anymore about this kind of question on Californium. |
|
@sbernard31 I understand, it's normal that people don't agree with codeing style of each other. For me the only principle of good code is "Easy to read/maintain and hard to introduce bug when extend/modify." For example I merged vo/po of my company's project and use "jackson/javax.persistence" annotation to determine how they interact with db and serialization. And I removed most interface of service layer since they does nothing but added the cost of maintainance(it's rare for bussiness code to have two different implementation.). Those are seriously disagree by my collages. But util now they works perfectly fine. |
|
Should we move the design discussion to issue #1709 ? Maybe other will be interested and that may be then a better base to decide, in which way we go in the mid-future? (Or a new issue?) |
|
Just as PoC, BC and ED25519, see PR #1741. Please retest with the setup demonstrated there. With that setup, java 8 + BC, Ed25519 should work. At least in the interoperability tests, it was working. (Currently not all unit-test are successful with that setup, but the add sig-alg is working.) |
You're right that this is not the right place. Sorry about that. |
|
I guess, #1708 will do it. |
|
I finally succeeded to run the unit tests also with BC. See PR #1742 Use the profile bc-tests to run the unit-tests in scandium and the interoperability tests with bouncy castle. |
|
@boaks I succeed to use a rsa certificate in my local setup. The changes are actully quite small. I will submit a mr in the follwoing weeks(adding some test cases and polishing my code). Do we need to check whether EC cert support selected curves? For ECDHE the keys are generated on the fly so I think it's not related to cert key. |
I'm not sure, what you mean: EC is used for two things: The supported curves are negotiated for both. If ECDSA is not used, then for ECDHE.
Even if that refers specially to ECDHE_ECDSA, it specifies, that the extension must be considered in both cases. Anyway, I'm not sure, why introducing RSA should be related to the curves for ECDHE? Sure, some checks, also in the dtls-configuration, which assume "ECDHE_ECDSA" key exchanges, must be adapted to the RSA variant. |
|
Add spend some more time in an experimental bouncy castle support. |
|
Doing some final pollish, I stumbled over the logging: BC is using JUL. Therefore PR #1811 adds a jul2slf4j2 bridge (only) on loading BC. If possible, please check, if that works for you. |
|
@boaks Sorry for the late response. I will test that now. I didn't login to github yesterday. |
|
:-) you're welcome. the 3.0.0 is in the meantime available in maven central and the eclipse repositories. Hope it works, otherwise the fix will go in 3.0.1. |
|
@boaks I tested with log4j configuration: Unfortunately no log was printed while doing a handshake or server startup. Neither anything reached |
|
All basic function are fine. And |
|
I'm not sure, if DTLS (using the JCE) use jul for logging. I mainly get aware of it, when I extended the BC support to TLS/netty.io (JSSE). Did you get logging messages before? |
|
@boaks I searched bcprov-jdk15on-1.69.jar(the only dependency of bouncycastle jar in my project). There was not a single line of log. So DTLS won't have any problem. |
|
Cool, so nothing to fix :-). |
Our whole certificate chain is RSA and it's kind of impossible to push our client to give us a EDDSA certificate. I searched issues of this repo and I got #517 . I know there's no point for implementing RSA support in this library, but it would be nice if we can offer our own implementation in our project.
The text was updated successfully, but these errors were encountered: