Bug 1123356

Summary: Unable to define single cipher using JSSE syntax
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Radim Hatlapatka <rhatlapa>
Component: Web
Assignee: Emmanuel Hugonnet (ehsavoie) <ehugonne>
Status: CLOSED CURRENTRELEASE
QA Contact: Michael Cada <mcada>
Severity: low
Priority: unspecified
Version: 6.3.0
CC: rmaucher
Target Milestone: DR7   
Target Release: EAP 6.4.0   
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Type: Bug
Bug Depends On: 1123342, 1131810, 1149776    
Bug Blocks: 1166610    
Attachments: Fix for the issue (flags: none)

Description Radim Hatlapatka 2014-07-25 12:17:59 UTC
Description of problem:
When the openssl converter for JSSE syntax doesn't know the specified cipher, the cipher isn't recognized even when it is enabled in the JVM in use.


Version-Release number of selected component (if applicable): 6.3.0.ER10


How reproducible: always


Steps to Reproduce:
1. Start EAP with an https connector including SSL configuration
2. Set the cipher-suite to SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA (this cipher is checked to be enabled in [1] by default)

Actual results: the server doesn't start due to BZ#1123342, caused by the openssl syntax parser not recognizing the cipher


Expected results: the server starts, as it is a valid JSSE cipher name in the running JDK

Additional info:
Setting the cipher name twice, separated by a comma, results in usage of JSSE without the openssl syntax parser, which makes the server start correctly
(cipher-suite="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA")


[1]
 JDK 1.7 with security unlimited
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

Comment 1 Rémy Maucherat 2014-09-22 14:56:08 UTC
So with the alias feature from the Tomcat rebase, this is supposed to be fixed once a new web build is integrated.

Comment 2 Kabir Khan 2014-10-08 12:17:07 UTC
Should be fixed by component upgrade to 7.5.0.Beta3 1149776

Comment 3 Radim Hatlapatka 2014-10-21 07:51:08 UTC
Checked with EAP 6.4.0.DR6 and the issue is still valid.

Note the issue is in org.apache.tomcat.util.net.jsse.JSSEUtils#resolveEnabledCipherSuite

There is a condition: if (cipherSuites.length == 1) { // process as openssl syntax }

Comment 4 Radim Hatlapatka 2014-10-21 08:25:08 UTC
After looking into it a little bit more, the support for aliases doesn't fix this, as no parsing is done based on the provided JSSE aliases (the JSSE aliases are only used as the result of the enabled ciphers, based on the ciphers recognized during parsing).

Comment 5 Rémy Maucherat 2014-10-21 13:11:48 UTC
Ok, I tried the reproducer, but the corresponding cipher might have been available in my OpenSSL, so the alias fixed it. Or I did something wrong.

Comment 6 Emmanuel Hugonnet (ehsavoie) 2014-10-21 14:18:54 UTC
I've a fix for it.

Comment 7 Emmanuel Hugonnet (ehsavoie) 2014-10-21 14:21:29 UTC
Created attachment 948975
Fix for the issue

Fix

Comment 8 Rémy Maucherat 2014-10-21 14:37:55 UTC
Committed as r2527 in web. Thanks!

Comment 9 Radim Hatlapatka 2014-10-30 07:44:17 UTC
Verified in EAP 6.4.0.DR7
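
The single-entry condition reported in comment 3, as an added example that is not part of the bug thread and is neither the attached fix nor JBoss Web code: a stand-alone check that matches each configured token against the JSSE cipher names the running JVM supports, whether the value holds one name or several. The class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added illustration; class and method names are hypothetical, not JBoss Web code.
public class CipherSuiteCheck {

    /** Returns the configured names that the JVM's JSSE provider supports. */
    static Set<String> resolve(String attribute, Set<String> jvmSupported) {
        Set<String> enabled = new LinkedHashSet<>();
        for (String token : attribute.split(",")) {
            String name = token.trim();
            // Exact JSSE names are matched first, for one token or many, so a
            // lone valid name is never handed to an OpenSSL-syntax parser.
            if (jvmSupported.contains(name)) {
                enabled.add(name);
            }
        }
        return enabled;
    }

    /** True when the value has a single entry, the case the report describes. */
    static boolean isSingleEntry(String attribute) {
        return attribute.split(",").length == 1;
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = new HashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        // The two cipher-suite values quoted in the report.
        String[] samples = {
            "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
        };
        for (String value : samples) {
            Set<String> enabled = resolve(value, supported);
            System.out.println(value);
            System.out.println("  single entry: " + isSingleEntry(value));
            System.out.println("  JSSE names accepted: " + enabled);
            if (enabled.isEmpty()) {
                // Fail closed: reject the value instead of using JVM defaults.
                System.out.println("  no usable suite in this JVM; reject the configuration");
            }
        }
    }
}
```

The set of accepted names depends on the JDK and its security configuration, so run the check on the same JVM that will host the connector.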