LinuxQuestions.org
05-15-2015, 10:31 PM   #1
babyPen
LQ Newbie
Registered: May 2014
Posts: 17
difference in outputs when using TLS1


Hello All,

I am a rookie when it comes to security protocols, and I am learning this as part of my job responsibilities.

Recently our application started implementing TLSv1.2, and here are some questions that I have from my observations.

1st, the terms ciphers, keys, certs are all very confusing to me; however, I started to get some understanding of these as I am reading a lot of stuff.
Now, my application is running on "X" server and only accepts TLS1.X connections, since I use Java 7, where ssl2Hello is disabled.

Now, from server "A", when I run cmd: openssl s_client -tls1 -host xxx -port yyyy
I get back a response in which I see a line:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
The openssl version on server A is 1.0.

When I run the same command from another server "B", I get a response in which the line says:
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
The openssl version on server B is 0.9.

My understanding of cipher was something that is enforced by the application server "X" and not by the client that is making the call. Is that a wrong understanding?
And how can I find out what type of cipher is being enforced by the server "X" when someone makes a call to it?

Anyone who can help me understand why the difference, and how this entire stuff operates?
Help much appreciated.
 
05-16-2015, 12:56 AM   #2
rdgreenlaw
Member
Registered: May 2007
Distribution: Ubuntu 14.04 LTS
Posts: 62
Read this document for a discussion of AES and DES encryption and why AES is superior.

Normally servers and clients negotiate the encryption protocol to use by sending a list of understood protocols to the other system. The server and client will use the highest protocol that they both understand. If one understands AES and DES but the other only understands DES then they will settle on DES encryption. The only way to force AES encryption is to change "server A" to reject DES or lower encryption standards. This will work, but then "server B" will not be able to establish a secure communication channel with "server A" until the encryption software on "server B" is updated.

I don't know how to disable encryption protocols below AES, perhaps someone else could help there. If "server B" is upgraded to use AES encryption but "server A" remains unchanged, then another server could possibly connect to "server A" with DES encryption. If DES is not secure enough for your communications between "A" and "B" then I would assume that it would be undesirable for any other machine to communicate to "A" at a protocol below AES.

If you get nothing else from my post, you have a good link to a document that explains AES and DES encryption and why DES is not a good choice for sensitive information.
 
1 members found this post helpful.
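Added example (not code from either post, and not part of the thread): a small POSIX shell script that does two things the thread asks about. It parses the "New, ..., Cipher is ..." line that both posts quote out of captured `openssl s_client` output, and it answers the original question ("how can I find out what cipher server X enforces") by connecting once per cipher suite with `-cipher` and keeping the suites the server accepts. The reason server A and server B see different suites is the negotiation the second post describes: each client's `openssl` offers a different list (a 0.9 build does not offer the ECDHE suites a 1.0 build does), and the server can only pick from what was offered. Probing with one suite at a time removes the client's list from the picture and shows the server's own policy. It assumes the `openssl` command line tool, a server you own or are authorised to test, and placeholder `host`/`port` arguments that you supply; the sample output strings are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a POSIX shell, the
# `openssl` command line tool, and a server you are allowed to test
# (host and port are placeholders you supply on the command line).

# Pull the negotiated protocol and cipher out of captured `openssl s_client`
# output. The line of interest is the one the thread quotes, e.g.
#   New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
# (OpenSSL 1.1 and later print "New, TLSv1.2, Cipher is ..." instead; the
# same pattern still matches). Prints "PROTOCOL CIPHER"; returns non-zero
# when no cipher was agreed, which s_client reports as "Cipher is (NONE)".
parse_negotiated() {
    line=$(sed -n 's/^New, \(.*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    case "$line" in
        ''|*'(NONE)'*) return 1 ;;
    esac
    printf '%s\n' "$line"
}

# Constructed sample of s_client output for the thread's "server A" case.
SAMPLE_SERVER_A='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
---'

# Constructed sample of a failed handshake (no cipher suite in common).
SAMPLE_FAILED='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
---'

# The cipher suites this machine's openssl offers in a default ClientHello,
# one per line. Running this on the thread's server A (OpenSSL 1.0) and
# server B (OpenSSL 0.9) shows why the same server answered each with a
# different suite: it can only choose from what the client offered.
local_client_offers() {
    openssl ciphers 'DEFAULT' | tr ':' '\n'
}

# Ask the server which suites it will actually accept: connect once per
# suite the local openssl knows, offering only that suite, and keep the
# ones where a handshake completes. The union of accepted suites is the
# server's real policy, independent of any one client's list. Prints one
# accepted cipher per line.
probe_server_ciphers() {
    host=$1
    port=$2
    proto_flag=${3:--tls1}    # e.g. -tls1 or -tls1_2, whatever your openssl supports
    for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
        # Closed stdin makes s_client exit right after the handshake.
        result=$(printf '' \
            | openssl s_client "$proto_flag" -cipher "$c" -connect "$host:$port" 2>/dev/null \
            | parse_negotiated) || continue
        printf '%s\n' "${result#* }"    # drop the protocol, keep the cipher name
    done
}

# Usage (live probe only when host and port are given):
#   sh probe_ciphers.sh xxx yyyy
#   sh probe_ciphers.sh xxx yyyy -tls1_2
if [ "$#" -ge 2 ]; then
    probe_server_ciphers "$1" "$2" "${3:--tls1}"
fi
```

Run `local_client_offers` on both client machines and compare the two lists with the probe output from the server: the suite each client ended up with is the first suite (in whichever side's preference order the server honours) that appears in both its own list and the server's accepted list. Suites that the probe never reports, such as the DES-CBC3 one in the second post, are the ones the server's configuration has already ruled out.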
Tags: openssl, ssl, tls