I have a question on the TLS initial handshake. (I am no expert, so I'd love an easy to grasp explanation).
According to wikipedia:
*Negotiation Phase:
- A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
- The server responds with a ServerHello message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. The server may also send a session id as part of the message to perform a resumed handshake.*
What I am trying to do is to change the cipher list sent during the ClientHello phase (make it only include 128bit + ciphers).
When a client sends a ClientHello message to my server (jboss) I can limit the ciphers that jboss can handle by playing around with the server.xml file and adding something like
ciphers="DHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,DHE-RSA-CAMELLIA256-SHA,DHE-DSS-CAMELLIA256-SHA,AES256-SHA,CAMELLIA256-SHA,PSK-AES256-CBC-SHA,EDH-RSA-DES-CBC3-SHA,EDH-DSS-DES-CBC3-SHA,DES-CBC3-SHA,PSK-3DES-EDE-CBC-SHA,DHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,DHE-RSA-CAMELLIA128-SHA,DHE-DSS-CAMELLIA128-SHA,AES128-SHA,CAMELLIA128-SHA,PSK-AES128-CBC-SHA"
I am wondering though if that is sufficient when my server is contacting another server (thus acting like a client) and starts the handshake itself.
Thank you for your time
