Bug 1116292

Summary: Not all allowed separators in openssl are correctly processed when defining cipher suites
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Radim Hatlapatka <rhatlapa>
Component: Web
Assignee: Rémy Maucherat <rmaucher>
Status: CLOSED CURRENTRELEASE
QA Contact: Radim Hatlapatka <rhatlapa>
Severity: low
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.3.0
CC: mvelas
Target Milestone: ER10   
Target Release: EAP 6.3.0   
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Last Closed: 2014-08-05 12:38:31 UTC
Type: Bug
Bug Depends On: 1078204    

Description Radim Hatlapatka 2014-07-04 07:49:57 UTC
In EAP 6.3.0 it is possible to use openssl syntax to define cipher suites.

In openssl, a colon, comma or space can be used as the separator, see [1]. In EAP, currently only the colon can be used.

[1] https://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT

Comment 1 Radim Hatlapatka 2014-07-04 07:55:01 UTC
Allowing spaces as separators is an easy fix: just adding space as a possible separator [1].

With the comma it is more complicated:
The code is currently written in such a way that the comma is the separator for JSSE ciphers, and if you use a comma between the ciphers, it is automatically considered that only JSSE ciphers are listed.

Allowing commas as a separator would require more significant changes in the code and would allow a mixture of JSSE syntax and openssl syntax at the same time. It is a question whether that is desired behavior.


[1] https://source.jboss.org/changelog/JBossWeb?cs=2470

Comment 2 Rémy Maucherat 2014-07-04 09:18:10 UTC
It is pointless to file a bug about something which will not be fixed. There's also no actual value in supporting other separators, people should use the usual ':' one.

Comment 3 Radim Hatlapatka 2014-07-04 09:40:46 UTC
If we state that we support openssl syntax when defining cipher suites, it is a bug.

This bug can be fixed either by a fix in the code or by a fix in the documentation, where the limitation on using openssl syntax will be stated.

PS: I agree with you that it is satisfactory to support only ':' as the separator. But it needs to be documented if that is the decision.

Comment 4 Martin Velas 2014-08-05 12:38:31 UTC
Both the Security guide (Revision 6.3.0-42) and the Administration guide (Revision 6.3.0-38) say:

"A list of the encryption ciphers which are allowed. For JSSE syntax, it must be a comma-separated list. For OpenSSL syntax, it must be a colon-separated list."

I consider this paragraph to be descriptive enough, so I'm closing this issue.
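
The separator rules discussed in this thread, as an added example that is not JBoss Web code: a small Java check that flags cipher attribute values where a comma or space would change how the list is read. The class name, the "any comma selects JSSE syntax" model (taken from the description in Comment 1), the JSSE name pattern and the sample values are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CipherListLint {
    // JSSE standard names, e.g. TLS_RSA_WITH_AES_128_CBC_SHA or SSL_RSA_WITH_RC4_128_SHA.
    private static final Pattern JSSE_NAME = Pattern.compile("(TLS|SSL)_[A-Z0-9_]+");

    /** Returns warnings for a cipher attribute value; an empty list means no finding. */
    static List<String> lint(String value) {
        List<String> warnings = new ArrayList<>();
        // Assumed model of the rule in Comment 1: any comma selects JSSE syntax.
        boolean jsse = value.contains(",");
        for (String raw : value.split(jsse ? "," : ":", -1)) {
            String token = raw.trim();
            if (token.isEmpty()) {
                warnings.add("empty entry in list");
            } else if (jsse && !JSSE_NAME.matcher(token).matches()) {
                warnings.add("'" + token + "' is not a JSSE name, but the comma selects JSSE syntax");
            } else if (!jsse && token.contains(" ")) {
                warnings.add("'" + token + "' uses a space; the guides document only ':' for OpenSSL syntax");
            }
        }
        return warnings;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real configuration.
        String[] samples = {
            "HIGH:!aNULL:!MD5",
            "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA",
            "HIGH,!aNULL,!MD5",
            "HIGH !aNULL !MD5",
            "HIGH::!MD5",
        };
        for (String sample : samples) {
            List<String> warnings = lint(sample);
            System.out.println(sample + " -> " + (warnings.isEmpty() ? "ok" : warnings));
        }
    }
}
```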