Bug 1111058
| Summary: | Cipher suites can be now defined using openssl syntax even when using JSSE | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Radim Hatlapatka <rhatlapa> |
| Component: | Documentation | Assignee: | Lucas Costi <lcosti> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Radim Hatlapatka <rhatlapa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3.0 | CC: | ehugonne, lcosti, mbabacek, nchaudha, nsriniva, nziakova |
| Target Milestone: | post-GA | ||
| Target Release: | EAP 6.3.2 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-04-17 06:28:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1078204 | ||
| Bug Blocks: | |||
|
Description
Radim Hatlapatka
2014-06-19 07:19:58 UTC
For documentation we can inspire ourselves from https://www.openssl.org/docs/apps/ciphers.html with the following differences : - it is not a command line thus the "COMMAND OPTIONS" part has no sense in our context - @SECLEVEL is not supported as I couldn't find reliable documentation on what was the LEVEL of each cipher and this seems to be a compilation feature. - SUITEB128, SUITEB128ONLY, SUITEB192 also are not supported. I have added the additional text to the cipher-suite description in the SSL connector reference: "Cipher suites can be defined using OpenSSL syntax, even when using JSSE. For a list of available OpenSSL ciphers, see https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS. Note that the following are not supported: @SECLEVEL, SUITEB128, SUITEB128ONLY, SUITEB192." Preview is available on DocBuilder: http://docbuilder.usersys.redhat.com/22508/#SSL_Connector_Reference1 Note that this same topic will also be updated in the Security Guide. Change made to topic: SSL Connector Reference [9038, revision 680482]. There needs to be included notes about specific differences mentioned in referenced BZs from [1] Mainly note regarding allowed separators, only colon works as separator for openssl syntax and comma as separator for JSSE syntax, for details there is reported BZ, see [2]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1078204 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1116292 Okay, I have updated the description to: ----- A list of the encryption ciphers which are allowed. For JSSE syntax, it must be a comma-separated list. For OpenSSL syntax, it must be a colon-separated list. The JVM default for JSSE contains weak ciphers which should not be used. The example only lists two possible ciphers, but real-world examples will likely use more. For a list of available OpenSSL ciphers, see https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS. Note that the following are not supported: @SECLEVEL, SUITEB128, SUITEB128ONLY, SUITEB192. ----- Topic updated: SSL Connector Reference [9038, revision 681519] 6.3 Content specs updated for the new topic revision: A&C [22508, revision 681522] Security [22558, revision 681523] Preview available on DocBuilder: http://docbuilder.usersys.redhat.com/22508/#SSL_Connector_Reference1 Note that some of the changes made here are superseded by modifications made for BZ#1115502. There should be added note, that you can't mix openssl and JSSE syntax. Otherwise it seems ok. Dear Doc guys, this one looks severely neglected :-( Could you look into it please? Verified in Revision 6.3.0-48, looks ok |