Nuxeo Drive and Live Edit supported SSL cipher suites

Hello,

Official documentation require a valid SSL server certificate for Nuxeo Live Edit (and probably for Nuxeo Drive) to work with HTTPS (for me a Nuxeo server behind an HTTPS only Apache proxy server).

Careful : supported SSL cipher suites (and SSL protocols) MUST be also checked in your server configuration.

Nuxeo Drive and Nuxeo Live Edit supported cipher suites are these ones (checked with Wireshark and translated in OpenSSL format by “openssl ciphers -V | grep [id_cipher_suite]“) :
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x38 - DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
0x00,0x35 - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x16 - EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
0x00,0x13 - EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
0x00,0x33 - DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x32 - DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
0x00,0x2F - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x05 - RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
0x00,0x04 - RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

Could someone add this to current documentation ?
Does the current development roadmap plan to enhance supported SSL cipher suites and protocols ?

Thansk in advance, Michaël Le Clerc

0 votes

1 answers

880 views

ANSWER

Hello,

Here is additional informations :<br>

<ul>Server configuration<br> <ol>Debian 7.7<br> OpenSSL 1.0.1e<br> Apache HTTP Server 2.2.22<br> OpenJDK JRE 1.7.0_65<br> Nuxeo CAP 6.0 Tomcat<br></ol></ul>

<ul>Client configuration<br> <ol>Windows 8.1 x64<br> Microsoft Office 2007 SP3 MSO<br> Internet Explorer 11<br> Firefox 33.1.1<br> Nuxeo Drive 1.3.1107<br> Nuxeo Live Edit latest edit 32 bits<br> Firefox Protocol Handler for FF 4+<br></ol></ul>

Thanks in advance, Michaël Le Clerc

11/26/2014



The cipher suites available are not really a characteristic of Nuxeo but more of the Java environment (JDK) installed on the server, the Tomcat SSL configuration, etc. And for Drive, they are a characteristic of the python runtime environment.

0 votes



Hello Florent,

Thank you for your answer. If already aware of configuration problems on server side, I didn't identified where client side limitations comes. You answered to this concern. Am I wrong saying Python implementation is shipped with Nuxeo Drive ? If correct, perhaps some warning in the documentation (such as the valid certificate documented requirement) should be useful for people needing to conform to security requirements.

Anyway, thanks again.

Best regards, Michaël Le Clerc.

11/26/2014