Uploaded image for project: 'OpenDJ'
  1. OpenDJ
  2. OPENDJ-7592

Minor mistake in description of ECDHE TLS cipher suites

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.1, 7.1.0
    • Component/s: documentation
    • Labels:

      Description

      In https://backstage.forgerock.com/docs/ds/7/security-guide/connections.html#tls-protocols-cipher-suites it currently says for ECDHE_RSA:

      > "In this example, an elliptic curve variant of the Diffie-Hellman key exchange is used, where a random value chosen by the client is encrypted with the server's RSA public key"

      The latter half here actually describes plain RSA key exchange. In ECDHE_RSA the server's RSA private key is used to sign the ephemeral ECDH public key in the ServerKeyExchange message. No encryption is involved. (Ideally the server's cert would have a KeyUsage extension with only the digitalSignature bit set to prevent it being used for encryption).

        Attachments

          Activity

            People

            Assignee:
            michal.severin Michal Severin [X] (Inactive)
            Reporter:
            neil.madden Neil Madden
            Dev Assignee:
            Mark Craig Mark Craig
            QA Assignee:
            Michal Severin [X] Michal Severin [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: