Check the allowed crypto key size and disable MSE if insufficient #24

Closed
atomashpolskiy opened this issue Aug 3, 2017 · 3 comments

@atomashpolskiy
Owner

Code snippet here: https://gist.github.com/jehrhardt/5167854
Currently Bt just won't connect to peers if JCE unlimited strength is not installed. It would be better to automatically disable MSE negotiation and fall back to standard BitTorrent handshake (and throw an exception in CLI client if -e flag is provided, i.e. encryption is required).

@zimmi

zimmi commented Aug 3, 2017

Just as an FYI, the upcoming JDK 8u152 will bring a programmatic way to enable unlimited key strength, without the user having to copy policy files around.

The API is backward compatible, so it might make sense to do this right away. The incantation is:

java.security.Security.setProperty("crypto.policy", "unlimited");

P.S.: I haven't used your library yet, but it looks really good! :)

@atomashpolskiy
Owner Author

This is very timely and useful info, thank you for sharing! However, I'm struggling to understand from the text whether this new property will be undefined or set to 'limited' by default in 8u125 (and later)? Common sense tells me that it should be the latter, otherwise this property would be useless in earlier versions. Is my assumption correct?

@zimmi

zimmi commented Aug 3, 2017

First off, I'm not an OpenJDK developer.
However, the text says:

By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, then the default cryptographic level will remain at 'limited'.

Reading that, my understanding is the following:

  • JDK 8u152 and later: With an unmodified JDK, the property will be undefined by default, therefore the cryptographic level will be 'limited' (as it is today)
  • before JDK 8u152: Property will be ignored, still need to copy policy files

So to find out what the current cryptographic level is, it seems like you would still need to do a check for the supported key length like in your first post.
Setting the property might be a useful convenience though, but I'm not sure if that's something a library should do implicitly, because it's a global setting. Maybe just some documentation / demo code?

Edit: For the CLI it does seem like a good default though. Much less hassle! :)
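
The check and fallback discussed in this thread, as an added example that is not code from the thread or from Bt: it asks the active JCE policy for the maximum key length, picks the handshake accordingly, and sets `crypto.policy` only from a CLI entry point. The class and method names are hypothetical, and the 160-bit key size and the `ARCFOUR` cipher name for MSE are assumptions not stated on this page.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;

public class MsePolicyCheck {
    // Assumptions (not from the Bt code base): MSE keys its stream cipher
    // with 160-bit keys, and the JCA name of that cipher is "ARCFOUR".
    static final String MSE_CIPHER = "ARCFOUR";
    static final int MSE_KEY_BITS = 160;

    enum Handshake { MSE, PLAIN }

    // Asks the active JCE policy whether keys of the given size are allowed.
    static boolean keySizeAllowed(String cipher, int bits) {
        try {
            return Cipher.getMaxAllowedKeyLength(cipher) >= bits;
        } catch (NoSuchAlgorithmException e) {
            return false; // unknown transformation: treat as not usable
        }
    }

    // Fallback rule from the issue: plain handshake when MSE cannot work,
    // hard failure when the user demanded encryption (-e).
    static Handshake chooseHandshake(boolean mseUsable, boolean encryptionRequired) {
        if (mseUsable) {
            return Handshake.MSE;
        }
        if (encryptionRequired) {
            throw new IllegalStateException("Encryption required, but the JCE policy allows no "
                    + MSE_KEY_BITS + "-bit " + MSE_CIPHER + " keys");
        }
        return Handshake.PLAIN;
    }

    public static void main(String[] args) {
        boolean encryptionRequired = args.length > 0 && "-e".equals(args[0]);
        // CLI-level opt-in only, since the property is JVM-wide. It must be set
        // before javax.crypto is first used; JDKs before 8u152 ignore it.
        // An explicit value from java.security is left untouched.
        if (Security.getProperty("crypto.policy") == null) {
            Security.setProperty("crypto.policy", "unlimited");
        }
        boolean usable = keySizeAllowed(MSE_CIPHER, MSE_KEY_BITS);
        System.out.println("Handshake: " + chooseHandshake(usable, encryptionRequired));
    }
}
```

Because the key-length query runs after the property is set, the same code path covers JDKs that honour the property, JDKs that ignore it, and installations with the legacy policy files copied in.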
