OpenAccess JDBC driver > Send a notification/warning when invalid cipher suites are used in...

  • Thread starter jnavratil@netsuite.com

To improve security settings, a 'CipherSuites' connection string property (currently not documented) can be used with the JDBC driver. We want to be sure that all security settings specified in a connection string are used and valid when the connection is successfully established. For example, if a user sets the 'CipherSuites' attribute to the value 'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA' and the connection is established, we must be sure that the specified cipher suite is used. And since an encrypted connection and non-anonymous cipher suites are part of the security process, we need this part to be fully under control. Otherwise, it should throw some error.

The name of the cipher suite in the example above is a valid name (according to e.g. https://www.openssl.org/docs/apps/ciphers.html ). However, according to case 00279382, the JDBC driver uses the Java SSL, but TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA is not a supported cipher suite here. And according to the comment below, this attribute is ignored and the driver uses the default supported ones. It means that the connection is successfully established using a different cipher suite than was specified in the connection string, and no notification or error message is thrown. Then the customer believes that it works as he intended, but it does not. For further reference, please see support case 00272324.

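The fail-closed behaviour requested in the post, sketched against the standard JSSE API as an added example (it is not the OpenAccess driver's code and not from the post). The class name, the comma-separated format of the `CipherSuites` value, and the host and port passed to `connect` are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
/** Hypothetical helper for illustration; not part of the OpenAccess JDBC driver. */
public final class StrictCipherSuites {

    /** Split the requested list (assumed comma-separated) and reject any name this JVM's JSSE lacks. */
    static String[] validate(String requested, String[] supported) {
        List<String> known = Arrays.asList(supported);
        List<String> accepted = new ArrayList<>();
        List<String> rejected = new ArrayList<>();
        for (String raw : requested.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) continue;
            (known.contains(name) ? accepted : rejected).add(name);
        }
        if (accepted.isEmpty() || !rejected.isEmpty()) {
            throw new IllegalArgumentException("No usable entry, or unsupported suites: " + rejected);
        }
        return accepted.toArray(new String[0]);
    }

    /** Enable only the requested suites, handshake, then confirm the negotiated suite is one of them. */
    static String connect(String host, int port, String requested) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] suites = validate(requested, ctx.getSupportedSSLParameters().getCipherSuites());
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.setEnabledCipherSuites(suites); // no fallback to the default suite list
            socket.startHandshake();
            String negotiated = socket.getSession().getCipherSuite();
            if (!Arrays.asList(suites).contains(negotiated)) {
                throw new SSLException("Negotiated " + negotiated + ", which was not requested");
            }
            return negotiated;
        }
    }

    public static void main(String[] args) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        try { // offline check of the value from the post against this JVM
            System.out.println(Arrays.toString(validate("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", supported)));
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Whether the name from the post is accepted depends on the JVM running the check; `connect` is not called from `main` because it needs a reachable TLS endpoint.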