
We are developing a JSF web application that has a main requirement of using our own TLS implementation (custom algorithm suites). The clients will connect via a browser. Is there any way (customising browser, putting some extra software to clients or any other architectural way) to use a standard browser (Firefox, Chrome, Opera, IE) with this TLS implementation?

This question in my mind is not a complete duplicate of "Add Cipher Suite support to Chrome/Chromium?", because in this question I mention other browsers as well as Chrome, and I also kindly request any architectural alternatives, like a custom software acting as a proxy or gateway on the client side (in this case the client will have custom software, which is doable in our project) that is responsible for the custom TLS.

  • Wouldn't the browsers not be able to use the new tls designations? Would webrtc work here? – munchkin Mar 18 '15 at 15:04
  • No webrtc will be used. The requirement is very strict: only a small set of custom algorithm suites and nothing else. – Martin Mystere Mar 18 '15 at 15:13
  • You would have to write a client side application to do this sort of thing. For Windows users you could attempt to install custom cipher suites into the Windows registry. Then perhaps force clients to use IE? I'd never recommend that though. – RoraΖ Mar 18 '15 at 15:53
  • @raz TLS support in Windows is via Schannel. You can enable and disable ciphersuites in the registry, but there's no way to add implementations of custom ciphers, even if there were registry entries for them. – Xander Mar 18 '15 at 18:56
  • @Xander oh good call, I forgot about that whole implementation part. Just a small bit. – RoraΖ Mar 18 '15 at 19:57

1 Answer

I doubt that it is possible to add custom cipher suites to Chrome or Firefox and to keep these maintained with all the rapid updates. I don't know about adding ciphers to the Windows system so that they can be used by IE, but given that even Microsoft itself has serious problems in this area I doubt that you can easily add ciphers there and keep them cheaply maintained.

But you could write an HTTP proxy which does SSL interception (only to your host!). This proxy can accept the native ciphers from the browser but will use your own special ciphers to communicate with your server. If browser and proxy both run on the same system you get about the same result as with integrating the custom ciphers into the browser itself. And this solution has the advantage that it is independent of the kind of browser.

Apart from that, I hope there is a really good reason to use your own ciphers. In most cases a much better approach is to restrict the server to accept only the most secure ciphers supported by the browser and thus use ciphers with known security properties.

Steffen Ullrich
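The local-proxy architecture from the answer, as an added example that is not part of the original post: a CONNECT proxy on the client machine that terminates the browser's standard TLS only for the application host and hands the plaintext to a channel you supply (open_custom_channel, a hypothetical hook where the custom suite implementation goes); every other CONNECT target is tunnelled untouched. APP_HOST, the certificate file names and the port are assumptions.

```python
import socket
import ssl
import threading

# Assumed (not from the original post): the JSF server is APP_HOST:APP_PORT, the
# browser is configured to use this proxy, and PROXY_CERT/PROXY_KEY is a
# certificate for APP_HOST issued by a local CA that the browser trusts.
APP_HOST, APP_PORT = "app.example.internal", 443
PROXY_CERT, PROXY_KEY = "proxy-cert.pem", "proxy-key.pem"

def parse_connect(request_line: bytes):
    """Parse 'CONNECT host:port HTTP/1.1'; return (host, port) or None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != b"CONNECT":
        return None
    host, _, port = parts[1].decode("ascii", "replace").rpartition(":")
    if not host or not port.isdigit():
        return None
    return host.lower(), int(port)

def should_intercept(host: str, port: int) -> bool:
    """Terminate TLS locally only for the application host; tunnel all else."""
    return (host.lower(), port) == (APP_HOST, APP_PORT)

def pump(src, dst):
    """Copy bytes one way until EOF, then signal EOF to the other side."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle(client, open_custom_channel):
    """open_custom_channel(host, port) returns a socket-like object speaking
    the custom suite to the server: the part the answer leaves to you."""
    target = parse_connect(client.recv(4096).split(b"\r\n", 1)[0])
    if target is None:
        client.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
        client.close()
        return
    client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    if should_intercept(*target):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.load_cert_chain(PROXY_CERT, PROXY_KEY)  # browser sees standard TLS
        client = ctx.wrap_socket(client, server_side=True)
        upstream = open_custom_channel(*target)      # custom-suite leg to server
    else:
        upstream = socket.create_connection(target)  # untouched CONNECT tunnel
    threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
    pump(client, upstream)
```

Bind a listening socket on 127.0.0.1 and call handle() in a thread per accepted connection; because only APP_HOST is intercepted, the proxy never sees plaintext for any other site the browser visits.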