Add support for ECDSA private keys to KeyUtil #2641

Merged
merged 1 commit into from Aug 10, 2016

joschi commented Aug 9, 2016

Closes #2454

joschi commented Aug 9, 2016

Results of SSLScan

RSA on Grizzly (Graylog REST API)

$ sslscan 127.0.0.1:12900
Version: 1.11.6
OpenSSL 1.0.2h  3 May 2016

OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected

Testing SSL server 127.0.0.1 on port 12900

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Preferred TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.1  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA
Preferred TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.0  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  Test Case
Issuer:   Test Case

Not valid before: Aug 16 09:19:27 2015 GMT
Not valid after:  Aug 15 09:19:27 2016 GMT

DSA on Grizzly (Graylog REST API)

$ sslscan 127.0.0.1:12900
Version: 1.11.6
OpenSSL 1.0.2h  3 May 2016

OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected

Testing SSL server 127.0.0.1 on port 12900

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  DHE-DSS-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-DSS-AES128-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-DSS-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  112 bits  EDH-DSS-DES-CBC3-SHA          DHE 1024 bits

  SSL Certificate:
Signature Algorithm: dsa_with_SHA256
Subject:  Test Case
Issuer:   Test Case

Not valid before: Jul 20 09:50:51 2016 GMT
Not valid after:  Aug 19 09:50:51 2016 GMT

ECDSA on Grizzly (Graylog REST API)

$ sslscan 127.0.0.1:12900
Version: 1.11.6
OpenSSL 1.0.2h  3 May 2016

OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected

Testing SSL server 127.0.0.1 on port 12900

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-SHA256     Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDH-RSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDH-RSA-AES128-SHA256
Accepted  TLSv1.2  128 bits  ECDH-ECDSA-AES128-SHA256
Accepted  TLSv1.2  128 bits  ECDH-RSA-AES128-SHA
Accepted  TLSv1.2  128 bits  ECDH-ECDSA-AES128-SHA
Accepted  TLSv1.2  112 bits  ECDHE-ECDSA-DES-CBC3-SHA      Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  ECDH-RSA-DES-CBC3-SHA
Accepted  TLSv1.2  112 bits  ECDH-ECDSA-DES-CBC3-SHA
Preferred TLSv1.1  128 bits  ECDHE-ECDSA-AES128-SHA        Curve P-256 DHE 256
Preferred TLSv1.0  128 bits  ECDHE-ECDSA-AES128-SHA        Curve P-256 DHE 256

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA1
Subject:  Test Case
Issuer:   Test Case

Not valid before: Aug  9 09:23:09 2016 GMT
Not valid after:  Aug  7 09:23:09 2026 GMT

RSA on Netty 3.10.x

$ sslscan 127.0.0.1:55442
Version: 1.11.6
OpenSSL 1.0.2h  3 May 2016

OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected

Testing SSL server 127.0.0.1 on port 55442

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Preferred TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.1  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.1  112 bits  DES-CBC3-SHA
Preferred TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  112 bits  ECDHE-RSA-DES-CBC3-SHA        Curve P-256 DHE 256
Accepted  TLSv1.0  112 bits  EDH-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  Test Case
Issuer:   Test Case

Not valid before: Aug 16 09:19:27 2015 GMT
Not valid after:  Aug 15 09:19:27 2016 GMT

DSA on Netty 3.10.x

$ sslscan 127.0.0.1:55442
Version: 1.11.6
OpenSSL 1.0.2h  3 May 2016

OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected

Testing SSL server 127.0.0.1 on port 55442

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  DHE-DSS-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-DSS-AES128-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-DSS-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.2  112 bits  EDH-DSS-DES-CBC3-SHA          DHE 1024 bits

  SSL Certificate:
Signature Algorithm: dsa_with_SHA256
Subject:  Test Case
Issuer:   Test Case

Not valid before: Jul 20 09:50:51 2016 GMT
Not valid after:  Aug 19 09:50:51 2016 GMT

ECDSA on Netty 3.10.x

$ sslscan 127.0.0.1:55442
Version: 1.11.6
OpenSSL 1.0.2h  3 May 2016

OpenSSL version does not support SSLv2
SSLv2 ciphers will not be detected

Testing SSL server 127.0.0.1 on port 55442

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-SHA256     Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDH-RSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDH-ECDSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDH-RSA-AES128-SHA256
Accepted  TLSv1.2  128 bits  ECDH-ECDSA-AES128-SHA256
Accepted  TLSv1.2  128 bits  ECDH-RSA-AES128-SHA
Accepted  TLSv1.2  128 bits  ECDH-ECDSA-AES128-SHA
Accepted  TLSv1.2  112 bits  ECDHE-ECDSA-DES-CBC3-SHA      Curve P-256 DHE 256
Accepted  TLSv1.2  112 bits  ECDH-RSA-DES-CBC3-SHA
Accepted  TLSv1.2  112 bits  ECDH-ECDSA-DES-CBC3-SHA
Preferred TLSv1.1  128 bits  ECDHE-ECDSA-AES128-SHA        Curve P-256 DHE 256
Preferred TLSv1.0  128 bits  ECDHE-ECDSA-AES128-SHA        Curve P-256 DHE 256

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA1
Subject:  Test Case
Issuer:   Test Case

Not valid before: Aug  9 09:23:09 2016 GMT
Not valid after:  Aug  7 09:23:09 2026 GMT

@bernd bernd self-assigned this Aug 10, 2016

bernd commented Aug 10, 2016

LGTM 👍

@bernd bernd merged commit 4926494 into master Aug 10, 2016

4 checks passed

ci-server-integration Jenkins build graylog2-server-integration-pr 1229 has succeeded
ci-web-linter Jenkins build graylog-pr-linter-check 712 has succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

@bernd bernd deleted the issue-2454 branch Aug 10, 2016
