IdP 3.2 - ECDHE cipher
John Horne
john.horne at plymouth.ac.uk
Fri Dec 4 17:03:39 EST 2015
On Fri, 2015-12-04 at 19:04 +0000, Cantor, Scott wrote:
> On 12/4/15, 2:00 PM, "users on behalf of Marvin Addison" <users-bounces at shibboleth.net on behalf of marvin.addison at gmail.com> wrote:
>
>
>
> > That's a notable difference between the 9.2 and 9.3 docs. I'm not
> > using that syntax (we use an explicit list of cipher suites) and
> > our 9.3 IdP supports ECDHE just fine.
>
> The reason they're different is that initially I couldn't get the
> regex stuff working on 9.2, even though Jetty documented it that way.
> It did work on 9.3. It's possible that's a Java 8 issue because I did
> make it work on Java 8 + 9.2 (or 9.3).
>
> Anyway, for 9.3 and Java 8, it should work fine. But the error
> message does suggest that's applying the expression too literally. I
> don't know why it does that.
>
With the logging set to debug level, the log file shows the ciphers
available and the ones that will be used. The regex does work in only
selecting the TLS_RSA ciphers (in my case). If I change the regex to
use '.*', then all the ciphers are selected (as expected).
As Marvin Addison said '...and our 9.3 IdP supports ECDHE just fine'.
That's what I can't understand. For some reason in our case ECDHE is
not seen as being available, and hence we get the 'No cipher
matching...' message. If I can't find the reason soon, then I'll see
about asking on the Jetty mailing list (I assume there is one).
John.
--
----------------------------------------------------
John Horne Tel: +44 (0)1752 587287
Plymouth University, UK
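
The check described in the message above (which suites the JVM offers, and which of them an include pattern selects) can be reproduced outside Jetty. This is an added example, not part of the original post and not Jetty or Shibboleth code; the class name, the default pattern `TLS_ECDHE.*` and the full-match semantics are assumptions chosen for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical diagnostic: run it with the same JVM that runs the IdP.
public class CipherCheck {

    // Return the suites in 'available' that the whole-string regex selects.
    static List<String> matching(String[] available, String regex) {
        Pattern p = Pattern.compile(regex);
        List<String> out = new ArrayList<>();
        for (String suite : available) {
            if (p.matcher(suite).matches()) {   // assumed: full match, not substring
                out.add(suite);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample pattern; pass your own include expression as argv[0].
        String regex = args.length > 0 ? args[0] : "TLS_ECDHE.*";

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> supported = matching(engine.getSupportedCipherSuites(), regex);
        List<String> enabled = matching(engine.getEnabledCipherSuites(), regex);

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("pattern      = " + regex);
        System.out.println("supported suites matching: " + supported.size());
        for (String s : supported) {
            System.out.println("  " + s + (enabled.contains(s) ? "  [enabled by default]" : ""));
        }

        if (supported.isEmpty()) {
            // Nothing to select: the JVM itself offers no suite for this pattern,
            // so inspect the installed security providers before the Jetty config.
            System.out.println("No supported suite matches. Installed providers:");
            for (Provider prov : Security.getProviders()) {
                System.out.println("  " + prov.getName() + " " + prov.getInfo());
            }
        }
    }
}
```

If the supported list is empty for an ECDHE pattern, the suites are missing at the JVM level and the include expression has nothing to match; if it is non-empty, the difference lies in how the container is configured.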