security notice and clarifications #1591

Merged
merged 1 commit into from Nov 12, 2019

Conversation

magwas
Contributor

@magwas magwas commented Oct 24, 2019

on choosing the right cipher suite for client key

I should not recommend using simple DES without any warnings: I'm supposed to be a security professional after all.
As neither I nor, presumably, others in the project really have more time to research the problem and test solutions, I think this warning is the minimum needed to sleep well.

All Submissions:

  • [x] Have you followed the guidelines in our Contributing document?
  • [x] Have you checked to ensure there aren't other open Pull Requests for the same update/change?

@AppVeyorBot

@AppVeyorBot AppVeyorBot commented Oct 24, 2019

@codecov-io

@codecov-io codecov-io commented Oct 28, 2019

Codecov Report

Merging #1591 into master will decrease coverage by <.01%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##             master    #1591      +/-   ##
============================================
- Coverage     68.96%   68.95%   -0.01%     
+ Complexity     3997     3996       -1     
============================================
  Files           179      179              
  Lines         16622    16622              
  Branches       2707     2707              
============================================
- Hits          11463    11462       -1     
  Misses         3905     3905              
- Partials       1254     1255       +1

@davecramer
Member

@davecramer davecramer commented Oct 29, 2019

@magwas
I have figured out a somewhat simple way to create and use a PKCS#12 file; however, it is encrypted using triple DES. I'm not a security expert, but apparently it is also not safe?
Comments?

@magwas
Contributor Author

@magwas magwas commented Nov 3, 2019

For some reason I thought that I had already commented on this:
3DES is okayish for maybe a couple of years, but there are settings where it is already unacceptable.
The way to go is high key-length AES.
Cracking simple DES is a matter of $50.

@davecramer
Member

@davecramer davecramer commented Nov 3, 2019

> For some reason I thought that I had already commented on this:
> 3DES is okayish for maybe a couple of years, but there are settings where it is already unacceptable.
> The way to go is high key-length AES.
> Cracking simple DES is a matter of $50.

Sadly the only version of Java that supports AES is JDK12. I'll add that to the PR later this week.
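The 3DES-versus-AES point in the exchange above, worked through with the openssl CLI as an added example (this is not code from the PR or from pgjdbc): it exports a throwaway client key and certificate as PKCS#12 under AES-256-CBC, exports the same pair under the legacy PBE-SHA1-3DES scheme for comparison, and checks which algorithm actually protects the key bag. It assumes only an openssl 1.1.1 or 3.x binary; the key pair, file names and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not pgjdbc code: protect a PKCS#12 client-key bundle with AES-256-CBC
# instead of the DES/3DES PBE schemes discussed in the thread, then verify the result.
# Assumes only the openssl CLI (1.1.1 or 3.x). The key pair, file names and password
# are constructed throwaway values for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='pass:constructed-demo-password'

# Throwaway RSA key and self-signed cert standing in for postgresql.key / postgresql.crt.
make_test_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=pgclient' \
    -keyout "$WORK/postgresql.key" -out "$WORK/postgresql.crt" >/dev/null 2>&1
}

# AES-256-CBC (PBES2 with PBKDF2) for both the shrouded key bag and the cert bag, SHA-256 MAC.
export_p12_aes() {
  openssl pkcs12 -export -inkey "$WORK/postgresql.key" -in "$WORK/postgresql.crt" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -passout "$PASS" -out "$1"
}

# Legacy PBE-SHA1-3DES, the scheme older OpenSSL releases applied by default on -export.
export_p12_3des() {
  openssl pkcs12 -export -inkey "$WORK/postgresql.key" -in "$WORK/postgresql.crt" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
    -passout "$PASS" -out "$1"
}

# Algorithm lines from 'openssl pkcs12 -info' (openssl writes them to stderr, hence 2>&1).
p12_pbe_lines() {
  openssl pkcs12 -info -noout -in "$1" -passin "$PASS" 2>&1 | grep -E 'Keybag|Encrypted data'
}

# Succeeds only if AES-256-CBC protects the bags and no 3DES-protected bag is left behind.
p12_is_aes_protected() {
  lines=$(p12_pbe_lines "$1")
  echo "$lines" | grep -q 'AES-256-CBC' && ! echo "$lines" | grep -q 'TripleDES'
}

# Usage: build both variants and report which one passes the check.
make_test_identity
export_p12_aes "$WORK/aes.p12"
export_p12_3des "$WORK/legacy.p12"
for f in aes.p12 legacy.p12; do
  if p12_is_aes_protected "$WORK/$f"; then echo "$f: AES-protected"; else echo "$f: NOT AES-protected"; fi
done
```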

@magwas
Contributor Author

@magwas magwas commented Nov 3, 2019

There should be a way to support state of the art crypto (and it is a shame if the current LTS does not do it). What about integrating BouncyCastle?

@davecramer
Member

@davecramer davecramer commented Nov 3, 2019

I'd prefer to avoid BC but this may be the only solution. I'll continue to look next week.

@davecramer
Member

@davecramer davecramer commented Nov 5, 2019

If BC can fix this I'd be more than happy to add it to the dependencies.

@davecramer davecramer merged commit c67b0b0 into pgjdbc:master Nov 12, 2019
2 of 3 checks passed
davecramer pushed a commit to davecramer/pgjdbc that referenced this issue Jul 5, 2021