Bug 1123304

Summary: [Openssl syntax with JSSE] Openssl DHE-* CIPHER names are not recognized as they are incorrectly defined as EDH-*
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Radim Hatlapatka <rhatlapa>
Component: Web
Assignee: Emmanuel Hugonnet (ehsavoie) <ehugonne>
Status: CLOSED EOL
QA Contact: Michael Cada <mcada>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.3.0
CC: mbabacek, rmaucher
Target Milestone: ---
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-19 12:48:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1078204
Bug Blocks: 1123342
Attachments:
Proposed patch (flags: rhatlapa: review? (ehugonne))

Description Radim Hatlapatka 2014-07-25 09:29:24 UTC
DHE-* ciphers are not correctly recognized by the server even though the corresponding JSSE cipher (see the mapping in [2]) is supported by the JRE/JDK in use.

According to [1], EDH and DHE CIPHER_STRINGS are aliases for the same ciphers; nevertheless, the CIPHER_SUITE_NAMES according to [2] always use DHE in their names. JBossWeb uses EDH instead of DHE.

For example, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA should be used with the OpenSSL cipher suite name DHE-DSS-DES-CBC3-SHA, but is used with EDH-DSS-DES-CBC3-SHA, which doesn't correspond to [2].

[1] https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
[2] https://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES

Comment 1 Radim Hatlapatka 2014-07-25 09:51:30 UTC
Created attachment 920943 [details]
Proposed patch

Comment 2 Emmanuel Hugonnet (ehsavoie) 2014-09-16 08:09:30 UTC
I think r2509 in web, which rebases on the Tomcat code, should fix this one too.

Comment 3 Radim Hatlapatka 2014-09-22 13:50:02 UTC
No, it doesn't. I have just checked the code and the issue is still valid.

(see Cipher 13 and Cipher 16 in https://source.jboss.org/changelog/JBossWeb?cs=2509)

Comment 4 Rémy Maucherat 2014-09-22 14:03:24 UTC
I am not convinced, but 11, 12, 13, 14, 15, 16 all look in the same situation to me.

Comment 5 Radim Hatlapatka 2014-09-22 14:10:47 UTC
Yes, you are right, for them it is the same, see https://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES

Comment 6 Rémy Maucherat 2014-09-22 14:51:47 UTC
Ok, so it's consistent, which is better. But it is possible the docs are wrong: the Tomcat tests have fewer failures with the code as is (the said test needs OpenSSL 1.0.1i, while I have 1.0.1e) than after the "fix".

It needs to be reviewed again ;)

Comment 7 Radim Hatlapatka 2014-09-22 15:12:05 UTC
Note that when trying `openssl ciphers`, it knows those ciphers as EDH ciphers, which differs from what they have in the documentation.

As you are saying, this could also be a bug in their documentation or in the OpenSSL code.

Currently our documentation claims that we support the OpenSSL syntax as described in their documentation, with a few exceptions, see https://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Administration_and_Configuration_Guide/index.html#SSL_Connector_Reference1

PS: I also have OpenSSL 1.0.1e

Comment 8 Rémy Maucherat 2014-09-23 08:16:59 UTC
I don't plan to do anything right now, since I don't know what will happen.

Comment 9 Radim Hatlapatka 2014-09-23 08:30:07 UTC
In my opinion the safest solution would be to also allow aliases for the OpenSSL cipher names, as in this case EDH and DHE are OpenSSL aliases for the same group of ciphers.

Comment 10 Emmanuel Hugonnet (ehsavoie) 2014-09-23 08:54:03 UTC
From the OpenSSL code:
/* XXX
 * Inconsistency alert:
 * The OpenSSL names of ciphers with ephemeral DH here include the string
 * "DHE", while elsewhere it has always been "EDH".
 * (The alias for the list of all such ciphers also is "EDH".)
 * The specifications speak of "EDH"; maybe we should allow both forms
 * for everything. */

Comment 11 Rémy Maucherat 2014-09-23 15:23:12 UTC
Interesting. I can try to commit upstream a set of aliases and see if there are complaints.
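The alias approach discussed in comments 9 to 11 (accept both the EDH-* spelling that `openssl ciphers` prints and the DHE-* spelling the docs use, plus the EDH/DHE keywords for the whole ephemeral-DH group), as an added stand-alone example that is not JBossWeb's or OpenSSL's code. The suite table is a constructed, partial one; `jre_supported` stands in for the list the JRE reports.

```python
"""Resolve an OpenSSL-style cipher string to JSSE cipher suite names,
accepting both the EDH-* and DHE-* spellings of ephemeral-DH suites."""

# Constructed, partial table of OpenSSL suite names (DHE-* spelling, as in
# the CIPHER_SUITE_NAMES docs) to JSSE names. Not the JBossWeb table.
OPENSSL_TO_JSSE = {
    "DHE-DSS-DES-CBC3-SHA": "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "DHE-RSA-DES-CBC3-SHA": "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "DHE-DSS-AES128-SHA": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
}

# Keyword aliases: the CIPHER_STRINGS docs list EDH and DHE as aliases for
# the group of authenticated ephemeral-DH suites.
EPHEMERAL_DH_KEYWORDS = {"EDH", "DHE"}


def canonical_openssl_name(name):
    """Map the EDH-* spelling printed by `openssl ciphers` onto the DHE-*
    spelling used in CIPHER_SUITE_NAMES, so either form is accepted."""
    if name.startswith("EDH-"):
        return "DHE-" + name[len("EDH-"):]
    return name


def expand_token(token):
    """Expand one colon-separated token into OpenSSL suite names."""
    if token in EPHEMERAL_DH_KEYWORDS:
        return [n for n in OPENSSL_TO_JSSE if n.startswith("DHE-")]
    return [canonical_openssl_name(token)]


def resolve_cipher_string(cipher_string, jre_supported):
    """Return the JSSE suites selected by `cipher_string`, in order and
    without duplicates, keeping only suites the JRE supports. A token
    prefixed with '!' permanently removes the suites it names."""
    selected, removed = [], set()
    for token in cipher_string.split(":"):
        negate = token.startswith("!")
        for openssl_name in expand_token(token.lstrip("!")):
            jsse = OPENSSL_TO_JSSE.get(openssl_name)
            if jsse is None:
                continue  # not in our table: unknown name is ignored
            if negate:
                removed.add(jsse)
                selected = [s for s in selected if s != jsse]
            elif jsse in jre_supported and jsse not in removed and jsse not in selected:
                selected.append(jsse)
    return selected
```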