1 Reply Latest reply on Mar 31, 2011 12:58 PM by 851040

    Additional cipher being added to the list of enabled ciphers

    851040
      Hi,

      The following code below sets the list of enabled ciphers for the TLS negotiation:

      // Issue the StartTLS extended operation on the existing LDAP connection
      this.tlsResponse = (StartTlsResponse) ((InitialLdapContext) ctx).extendedOperation(new StartTlsRequest());
      // Restrict the suites the client offers in the TLS handshake
      this.tlsResponse.setEnabledCipherSuites(JNDIBroker.FIPS_APPROVED_CIPHER_LIST);
      ....
      ....
      ....
      // Perform the handshake using the supplied SSLSocketFactory
      SSLSession sess = this.tlsResponse.negotiate(factory);

      where FIPS_APPROVED_CIPHER_LIST is defined as:
      private static final String[] FIPS_APPROVED_CIPHER_LIST = new String[] {
          "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
          "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
          "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
          "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
      };

      But when I do a packet trace (using Wireshark) of the handshake between my client and the LDAP server, I see the list of supported ciphers offered by the client includes:

      Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)

      which is not in the list of enabled ciphers that I specified for the handshake. I notice that this gratuitous cipher is added whenever I enable the "SSL_RSA_WITH_3DES_EDE_CBC_SHA" cipher.

      Any idea why this is happening?

      Thanks in advance.
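An added example, not code from the post above: a wrapping SSLSocketFactory that pins both the enabled protocols and the cipher suites on every socket it hands to negotiate(). It assumes, which the post does not establish, that the extra SSLv2 cipher spec comes from the SSLv2-compatible ClientHello JSSE sends while the "SSLv2Hello" pseudo-protocol is enabled; the class name RestrictedSslSocketFactory is mine.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Delegating factory that restricts protocols and cipher suites on each created socket. */
public final class RestrictedSslSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    private final String[] protocols;
    private final String[] suites;

    public RestrictedSslSocketFactory(SSLSocketFactory delegate, String[] protocols, String[] suites) {
        this.delegate = delegate;
        this.protocols = protocols.clone();
        this.suites = suites.clone();
    }

    private Socket restrict(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        // Without "SSLv2Hello" in this list JSSE sends a plain TLS ClientHello, so no
        // SSLv2 cipher specs can appear in the offer (assumption stated in the lead-in).
        ssl.setEnabledProtocols(protocols);
        ssl.setEnabledCipherSuites(suites);
        return ssl;
    }

    @Override public String[] getDefaultCipherSuites() { return suites.clone(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    // StartTLS layers TLS over the already-open LDAP socket through this overload.
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return restrict(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return restrict(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return restrict(delegate.createSocket(host, port, local, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return restrict(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
        return restrict(delegate.createSocket(host, port, local, localPort));
    }
}
```

Pass `new RestrictedSslSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault(), new String[] { "TLSv1" }, FIPS_APPROVED_CIPHER_LIST)` to negotiate(), then confirm with `sess.getProtocol()` and `sess.getCipherSuite()` and a fresh Wireshark trace that the ClientHello no longer carries the 0x0700c0 cipher spec.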