Bug 1123304
| Field | Value |
|---|---|
| Summary | [Openssl syntax with JSSE] Openssl DHE-* CIPHER names are not recognized as they are incorrectly defined as EDH-* |
| Product | [JBoss] JBoss Enterprise Application Platform 6 |
| Reporter | Radim Hatlapatka <rhatlapa> |
| Component | Web |
| Assignee | Emmanuel Hugonnet (ehsavoie) <ehugonne> |
| Status | CLOSED EOL |
| QA Contact | Michael Cada <mcada> |
| Severity | medium |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.3.0 |
| CC | mbabacek, rmaucher |
| Target Milestone | --- |
| Target Release | EAP 6.4.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-08-19 12:48:51 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1078204 |
| Bug Blocks | 1123342 |
| Attachments | |
Description

Radim Hatlapatka, 2014-07-25 09:29:24 UTC

Created attachment 920943: Proposed patch
I think r2509 in web rebases on the Tomcat code should fix this one too.

No, it doesn't. I have just checked the code and the issue is still valid (see Cipher 13 and Cipher 16 in https://source.jboss.org/changelog/JBossWeb?cs=2509).

I am not convinced, but 11, 12, 13, 14, 15, 16 all look in the same situation to me.

Yes, you are right, for them it is the same; see https://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES

Ok, so it's consistent, which is better. But it is possible the docs are wrong: the Tomcat tests have fewer failures with the code as is (the said test needs OpenSSL 1.0.1i, while I have 1.0.1e) rather than after the "fix". It needs to be reviewed again ;)

Note that when trying `openssl ciphers` it knows those ciphers as EDH ciphers, which is different from what they have in the documentation. As you are saying, this can also be a bug in their documentation or in the openssl code. Currently our documentation claims that we support openssl syntax as is described in their documentation, with a few exceptions, see https://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Administration_and_Configuration_Guide/index.html#SSL_Connector_Reference1

PS: I also have OpenSSL 1.0.1e

I don't plan to do anything right now, since I don't know what will happen.

In my opinion the safest solution would be to also allow aliases for the openssl cipher names, as in this case EDH and DHE are, in openssl, aliases for the same group of ciphers. From the openssl code:

```c
/* XXX
 * Inconsistency alert:
 * The OpenSSL names of ciphers with ephemeral DH here include the string
 * "DHE", while elsewhere it has always been "EDH".
 * (The alias for the list of all such ciphers also is "EDH".)
 * The specifications speak of "EDH"; maybe we should allow both forms
 * for everything.
 */
```

Interesting. I can try to commit upstream a set of aliases and see if there are complaints.
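The alias handling proposed in the last two comments, as an added example that is not part of this bug, the attached patch, or JBoss Web's code: a small Python parser for OpenSSL-style cipher strings that accepts both the EDH-* spelling that `openssl ciphers` prints and the DHE-* spelling used in the OpenSSL ciphers(1) documentation for the ephemeral-DH DES/3DES suites, and treats the group aliases EDH and DHE as the same group. The suite table is a constructed, hand-picked subset using standard (IANA) suite names; which names JSSE uses for the older suites (SSL_ versus TLS_ prefix) is an assumption the reader should check against their JDK. The function names `expand_cipher_string` and `_group_members` are mine, not JBoss Web's.

```python
"""Constructed example: OpenSSL cipher-string parsing with EDH/DHE aliases.

Not JBoss Web code.  It shows why a parser that claims OpenSSL syntax must
accept both spellings: the OpenSSL docs say DHE-RSA-DES-CBC3-SHA, the
`openssl ciphers` tool says EDH-RSA-DES-CBC3-SHA, and both mean the same
suite.
"""
import re

# Assumption: this is a small hand-picked subset of the real OpenSSL -> IANA
# mapping.  Each entry: canonical OpenSSL name (as printed by `openssl
# ciphers`), accepted alternate spellings, standard IANA suite name.
_SUITES = [
    ("EDH-RSA-DES-CBC3-SHA", ("DHE-RSA-DES-CBC3-SHA",), "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("EDH-DSS-DES-CBC3-SHA", ("DHE-DSS-DES-CBC3-SHA",), "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"),
    ("EDH-RSA-DES-CBC-SHA",  ("DHE-RSA-DES-CBC-SHA",),  "TLS_DHE_RSA_WITH_DES_CBC_SHA"),
    ("EDH-DSS-DES-CBC-SHA",  ("DHE-DSS-DES-CBC-SHA",),  "TLS_DHE_DSS_WITH_DES_CBC_SHA"),
    ("DHE-RSA-AES128-SHA",   (),                        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"),
    ("DHE-DSS-AES128-SHA",   (),                        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"),
    ("DES-CBC3-SHA",         (),                        "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("AES128-SHA",           (),                        "TLS_RSA_WITH_AES_128_CBC_SHA"),
]

# Index every accepted spelling (canonical and alternates) to its IANA name.
_BY_OPENSSL_NAME = {}
for _canonical, _alternates, _std in _SUITES:
    _BY_OPENSSL_NAME[_canonical] = _std
    for _alt in _alternates:
        _BY_OPENSSL_NAME[_alt] = _std


def _group_members(token):
    """Return the IANA names selected by an OpenSSL group alias, or None.

    EDH and DHE are two spellings of the same group (ephemeral DH key
    exchange), exactly the inconsistency the OpenSSL source comment admits.
    """
    t = token.upper()
    if t in ("EDH", "DHE"):
        return [std for c, _, std in _SUITES if c.startswith(("EDH-", "DHE-"))]
    if t == "ALL":
        return [std for _, _, std in _SUITES]
    return None


def expand_cipher_string(spec):
    """Expand an OpenSSL-style cipher string into an ordered list of IANA names.

    Supports ':' / ',' / whitespace separators, '!' (remove and ban for the
    rest of the string), '-' (remove, may be re-added later), '+' (move to
    end), the ALL/EDH/DHE group aliases, and both EDH-* and DHE-* spellings
    of each suite.  Unknown suite names raise ValueError so a typo in a
    connector configuration fails loudly instead of silently shrinking the
    enabled set.
    """
    result = []
    banned = set()
    for token in re.split(r"[:,\s]+", spec.strip()):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        name = token[1:] if op else token
        members = _group_members(name)
        if members is None:
            std = _BY_OPENSSL_NAME.get(name.upper())
            if std is None:
                raise ValueError("unknown cipher suite: %s" % token)
            members = [std]
        if op == "!":
            banned.update(members)
            result = [s for s in result if s not in banned]
        elif op == "-":
            result = [s for s in result if s not in members]
        elif op == "+":
            moved = [s for s in result if s in members]
            result = [s for s in result if s not in members] + moved
        else:
            for s in members:
                if s not in banned and s not in result:
                    result.append(s)
    return result


if __name__ == "__main__":
    # Both spellings from the bug title resolve to the same suite.
    for spec in ("DHE-RSA-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "ALL:!EDH", "ALL:!DHE"):
        print("%-22s -> %s" % (spec, expand_cipher_string(spec)))
```

Note that `!EDH` and `!DHE` must exclude the same suites: a parser that knew only one spelling would let a configuration such as `ALL:!DHE` silently keep the EDH-* 3DES suites enabled.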