HTTPS

iPhone

Applications released through AppStore are not allowed to cipher data using strong ciphering, the iPFaces client therefore supports only weak ciphering. For more informations about strong ciphering please see the end of this page. 1
This means it supports ciphering with these limits:
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
  • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
  • TLS_RSA_WITH_DES_CBC_SHA (0x0009)
  • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
  • TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
IPFaces server has to be configured to return one of the weak algorithms when starting ciphered communication. When it chooses one of the strong ciphering methods, communication will be closed by the client.

Android

In contrary Android iPFaces client is able to communicate even with the servers which supports strong ciphering. If you want the application to work only on the Android phone you can use on ofeven the strong ciphering algorithms.

Server setup

This part describes how to configure web servers for using weak ciphering suites only.

Apache

It is very common to have architecture with Apache in front of the Tomcat. If it is your case, you should configure Apache to handle SSL. For this see the PHP documentation.

IIS

If you have IIS in front of the Tomcat, you should configure IIS to handle SSL. For this see the ASP.NET documentation.

Tomcat

This setup was tested on Apache Tomcat 6.0.18.

  1. Get certificates from any certification authority or generate them using a generator (you will need the “.keystore” file. This file is by default in your home directory.
  2. Edit the “conf/server.xml” file. Edit or add “<Connector>” for SSL communication. By default it is the one with port “8443”. If you are not using APR , it should look like this:
    <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
       enableLookups="true" disableUploadTimeout="true"
       acceptCount="100"  maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       ciphers="SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
    SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
       keystoreFile="${user.home}/.keystore" keystorePass="changeit"
       clientAuth="false" sslProtocol="SSL"/>

    where “ciphers” are supported (weak) cipher suites and keystorePass=“changeit” is a password for keystore file. If you are using APR, the file should like this:

    <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
       enableLookups="true" disableUploadTimeout="true"
       acceptCount="100"  maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       ciphers="SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
    SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
       SSLCertificateFile="/path/to/certificate/server.crt"
       SSLCertificateKeyFile="/path/to/certificate/server.pem"
       clientAuth="false" sslProtocol="SSL"/>

    where “ciphers” are the same as in the previous case, SSLCertificateFile is the certificate file and SSLCertificateKeyFile is the private key received from any certification authority or generated using the generator.

  3. Tomcat server should be configured now to use only weak cipher suites.
1) This is not completely true. It is possible to use strong ciphering algorithms in iPhone applications such use is regulated by U.S. laws and producer of such application needs to get appropriate export permit. Therefore ciphering is limited in freely available iPFaces client application. Branded versions without these limitations are also available. Please contact info@ipfaces.org for more information and pricing.