security notice and clarifications #1591

Merged
merged 1 commit into from Nov 12, 2019
Conversation

@magwas
Contributor

magwas commented Oct 24, 2019

on choosing the right cipher suite for client key

I should not recommend using simple DES without any warning: I'm supposed to be a security professional after all.
As neither I, nor presumably others in the project, really have more time to research the problem and test solutions, I think this warning is the minimum to sleep well.

All Submissions:

  • [x] Have you followed the guidelines in our Contributing document?
  • [x] Have you checked to ensure there aren't other open Pull Requests for the same update/change?
@AppVeyorBot

AppVeyorBot commented Oct 24, 2019

@codecov-io

codecov-io commented Oct 28, 2019

Codecov Report

Merging #1591 into master will decrease coverage by <.01%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##             master    #1591      +/-   ##
============================================
- Coverage     68.96%   68.95%   -0.01%     
+ Complexity     3997     3996       -1     
============================================
  Files           179      179              
  Lines         16622    16622              
  Branches       2707     2707              
============================================
- Hits          11463    11462       -1     
  Misses         3905     3905              
- Partials       1254     1255       +1
@davecramer
Member

davecramer commented Oct 29, 2019

@magwas
I have figured out a somewhat simple way to create and use a PKCS#12 file, however it is encrypted using triple DES. I'm not a security expert, but apparently it is also not safe?
Comments?

@magwas
Contributor Author

magwas commented Nov 3, 2019

For some reason I thought that I had already commented on this:
3DES is okayish for maybe a couple of years, but there are settings where it is already unacceptable.
The way to go is high keylength AES.
Cracking simple DES is a matter of $50.

@davecramer
Member

davecramer commented Nov 3, 2019

> For some reason I thought that I had already commented on this:
> 3DES is okayish for maybe a couple of years, but there are settings where it is already unacceptable.
> The way to go is high keylength AES.
> Cracking simple DES is a matter of $50.

Sadly, the only version of Java that supports AES is JDK12. I'll add that to the PR later this week.
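
The thread above turns on which password-based encryption scheme protects the client key file (simple DES, 3DES, or AES). The following is an added example for this discussion, not pgjdbc code and not from either commenter: a standard-library Python inspector that reads a PKCS#8 EncryptedPrivateKeyInfo (raw DER or a PEM "ENCRYPTED PRIVATE KEY" block), reports the PBE scheme and cipher, and flags DES and 3DES as weak. The sample keys it builds are constructed dummies with no real key material, the small DER encoder exists only to build those samples, and the OID table is the standard PKCS#5 / PKCS#12 / NIST AES set.

```python
"""Report which password-based encryption scheme protects a PKCS#8
EncryptedPrivateKeyInfo and flag DES / 3DES as weak.

Added example, not pgjdbc code. Standard library only; the tiny DER
encoder below exists just to construct sample inputs for the demo."""
import base64
import re

# --- minimal DER encoder (used only to build constructed sample keys) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))

def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))

def to_pem(der):
    """Wrap DER as a PEM block, as a key file on disk would look."""
    b64 = base64.b64encode(der)
    return b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + b64 + b"\n-----END ENCRYPTED PRIVATE KEY-----\n"

# --- minimal DER decoder ---
def der_read(data, pos=0):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def oid_decode(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def algorithm_identifier(body):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }"""
    tag, oid_body, pos = der_read(body)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return oid_decode(oid_body), body[pos:]

PBES2 = "1.2.840.113549.1.5.13"
PBES1_CIPHERS = {                       # PBES1 / PKCS#12 PBE: the OID implies the cipher
    "1.2.840.113549.1.5.3": "DES",      # pbeWithMD5AndDES-CBC
    "1.2.840.113549.1.5.10": "DES",     # pbeWithSHA1AndDES-CBC
    "1.2.840.113549.1.12.1.3": "3DES",  # pbeWithSHAAnd3-KeyTripleDES-CBC
    "1.2.840.113549.1.12.1.4": "3DES",  # pbeWithSHAAnd2-KeyTripleDES-CBC
}
PBES2_CIPHERS = {                       # PBES2: the cipher is named in encryptionScheme
    "1.3.14.3.2.7": "DES",                 # desCBC
    "1.2.840.113549.3.7": "3DES",          # des-EDE3-CBC
    "2.16.840.1.101.3.4.1.2": "AES-128",   # aes128-CBC
    "2.16.840.1.101.3.4.1.22": "AES-192",  # aes192-CBC
    "2.16.840.1.101.3.4.1.42": "AES-256",  # aes256-CBC
}
WEAK = {"DES", "3DES"}

def to_der(data):
    """Accept raw DER or a PEM 'ENCRYPTED PRIVATE KEY' block."""
    m = re.search(rb"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def inspect_encrypted_key(data):
    """Return {'scheme', 'cipher', 'weak'} for an EncryptedPrivateKeyInfo."""
    _, epki, _ = der_read(to_der(data))
    _, alg, _ = der_read(epki)          # encryptionAlgorithm
    oid, params = algorithm_identifier(alg)
    if oid == PBES2:
        _, p2, _ = der_read(params)     # PBES2-params SEQUENCE
        _, _, pos = der_read(p2)        # keyDerivationFunc (not inspected here)
        _, enc, _ = der_read(p2, pos)   # encryptionScheme
        enc_oid, _ = algorithm_identifier(enc)
        scheme, cipher = "PBES2", PBES2_CIPHERS.get(enc_oid, "unknown " + enc_oid)
    else:
        scheme, cipher = "PBES1", PBES1_CIPHERS.get(oid, "unknown " + oid)
    # Anything unrecognised is treated as weak: a reviewer must look at it.
    return {"scheme": scheme, "cipher": cipher,
            "weak": cipher in WEAK or cipher.startswith("unknown")}

def sample_key(kind):
    """Constructed EncryptedPrivateKeyInfo; encryptedData is dummy bytes, not a real key."""
    salt_iter = der_seq(der_tlv(0x04, b"\x01" * 8), der_tlv(0x02, b"\x08\x00"))  # salt, 2048 iterations
    if kind == "des":
        alg = der_seq(der_oid("1.2.840.113549.1.5.3"), salt_iter)
    else:
        enc_oid, iv_len = {"3des": ("1.2.840.113549.3.7", 8),
                           "aes256": ("2.16.840.1.101.3.4.1.42", 16)}[kind]
        kdf = der_seq(der_oid("1.2.840.113549.1.5.12"), salt_iter)  # PBKDF2
        enc = der_seq(der_oid(enc_oid), der_tlv(0x04, b"\x02" * iv_len))  # IV
        alg = der_seq(der_oid(PBES2), der_seq(kdf, enc))
    return der_seq(alg, der_tlv(0x04, b"\x00" * 32))

if __name__ == "__main__":
    for kind in ("des", "3des", "aes256"):
        print(kind, inspect_encrypted_key(sample_key(kind)))
```

Run against a real key file with `inspect_encrypted_key(open(path, "rb").read())` to see whether it would need re-encrypting under PBES2 with AES before the DES-based schemes are refused; the PBKDF2 iteration count and PRF are deliberately left unparsed here, and an unrecognised OID is reported as weak rather than silently accepted.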

@magwas
Contributor Author

magwas commented Nov 3, 2019

There should be a way to support state of the art crypto (and it is a shame if the current LTS does not do it). What about integrating BouncyCastle?

@davecramer
Member

davecramer commented Nov 3, 2019

I'd prefer to avoid BC but this may be the only solution. I'll continue to look next week.

@davecramer
Member

davecramer commented Nov 5, 2019

If BC can fix this I'd be more than happy to add it to the dependencies.

@davecramer davecramer merged commit c67b0b0 into pgjdbc:master Nov 12, 2019
2 of 3 checks passed
codecov/project 68.95% (-0.01%) compared to ad73457
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed