Bug 1127283

Summary: [openssl syntax with JSSE] AECDH cipher string behaves as ECDH without anonymous ciphers, should be the opposite (only anonymous ECDH)
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Radim Hatlapatka <rhatlapa>
Component: Web
Assignee: Rémy Maucherat <rmaucher>
Status: CLOSED CURRENTRELEASE
QA Contact: Michael Cada <mcada>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.3.0
CC: ehugonne
Target Milestone: DR5
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-19 12:38:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1149776
Bug Blocks:
Attachments: Proposed patch (flags: none)

Description Radim Hatlapatka 2014-08-06 14:16:33 UTC
Description of problem:
When setting AECDH as the cipher string, instead of selecting the anonymous Elliptic Curve Diffie-Hellman cipher suites (see [1]), it selects non-anonymous ECDH.


Version-Release number of selected component (if applicable): EAP 6.3.0


How reproducible: always


Steps to Reproduce:
1. set as cipher suite AECDH
2. enable debug logging for org.apache.tomcat.util.net.jsse
3. do handshake via openssl s_client
  a) openssl s_client -connect 127.0.0.1:8443 -cipher AECDH
  b) openssl s_client -connect 127.0.0.1:8443 -cipher ALL:COMPLEMENTOFALL


Actual results:
a) handshake fails with enforced AECDH

b) In my case the cipher actually used is ECDH-RSA-AES256-SHA384, which is not anonymous ECDH


Expected results:
a) if there are some AECDH ciphers supported in the used JDK, the handshake is successful
b) the used cipher is one of the AECDH ciphers if there are some AECDH ciphers supported in the used JDK


Additional info:
AECDH and ECDH require keystores generated using the EC keyalg



[1] https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
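The mis-mapping this report describes can be shown with a small model of OpenSSL cipher-string aliases applied to JSSE suite names. The following is an added example written for this page, not the patch attached here and not Tomcat's or EAP's own parser; the suite table is a constructed subset of real JSSE names, and the buggy alias table (`BUGGY_ALIASES`) is a hypothesis that reproduces the two observations above (handshake failure with `-cipher AECDH`, and ECDH-RSA-AES256-SHA384 negotiated with `ALL:COMPLEMENTOFALL`), not a copy of the defective code.

```python
"""Model of OpenSSL cipher-string aliases mapped onto JSSE suite names.

Added example, not code from the bug report or from JBoss/Tomcat. SUITES is
a constructed subset of real JSSE names annotated with OpenSSL-style
key-exchange / authentication / encryption attributes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    jsse: str   # JSSE cipher suite name (javax.net.ssl)
    kx: str     # key exchange: RSA, DH, ECDH (fixed) or ECDHE (ephemeral)
    auth: str   # authentication: RSA, ECDSA, or NONE for anonymous suites
    enc: str    # bulk cipher: AES128, AES256, NULL


# Constructed subset of suites a JDK offers, in server preference order
SUITES = [
    Suite("TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "ECDH", "NONE", "AES128"),
    Suite("TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "ECDH", "NONE", "AES256"),
    # OpenSSL name ECDH-RSA-AES256-SHA384, the suite the reporter observed
    Suite("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "ECDH", "RSA", "AES256"),
    Suite("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "ECDH", "ECDSA", "AES128"),
    Suite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE", "RSA", "AES128"),
    Suite("TLS_DH_anon_WITH_AES_128_CBC_SHA", "DH", "NONE", "AES128"),
    Suite("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "RSA", "AES128"),
    Suite("TLS_RSA_WITH_NULL_SHA", "RSA", "RSA", "NULL"),
]


def is_ecdh_kx(s):
    return s.kx in ("ECDH", "ECDHE")


def is_anon(s):
    return s.auth == "NONE"


# Alias semantics as documented in ciphers(1): ECDH covers anonymous,
# ephemeral and fixed ECDH; AECDH is anonymous ECDH only.
CORRECT_ALIASES = {
    "ALL": lambda s: s.enc != "NULL",
    "COMPLEMENTOFALL": lambda s: s.enc == "NULL",
    "aNULL": is_anon,
    "ECDH": is_ecdh_kx,
    "AECDH": lambda s: is_ecdh_kx(s) and is_anon(s),
}

# Hypothetical defect matching this report: AECDH treated as
# "ECDH without the anonymous suites".
BUGGY_ALIASES = dict(CORRECT_ALIASES,
                     AECDH=lambda s: is_ecdh_kx(s) and not is_anon(s))


def expand_cipher_string(spec, aliases=CORRECT_ALIASES):
    """Expand a colon-separated OpenSSL cipher string into ordered JSSE names.

    Supports plain aliases (add, first-seen order), '-alias' (remove) and
    '!alias' (remove and block from being re-added later). Deliberately a
    small subset of the real grammar: no '+', '@STRENGTH' or literal names.
    """
    selected, killed = [], set()
    for token in filter(None, spec.split(":")):
        op, name = (token[0], token[1:]) if token[0] in "!-" else ("", token)
        if name not in aliases:
            raise ValueError("unknown cipher alias: %r" % name)
        matches = [s for s in SUITES if aliases[name](s)]
        if op == "!":
            killed.update(s.jsse for s in matches)
        if op:
            selected = [s for s in selected if s not in matches]
        else:
            for s in matches:
                if s not in selected and s.jsse not in killed:
                    selected.append(s)
    return [s.jsse for s in selected]


def server_picks(server_spec, client_spec, aliases=CORRECT_ALIASES):
    """First suite in server preference order that the client also offers.

    Returns None when there is no overlap, i.e. the handshake fails. The
    client side (openssl s_client) always uses the real alias semantics.
    """
    client = set(expand_cipher_string(client_spec))
    for name in expand_cipher_string(server_spec, aliases):
        if name in client:
            return name
    return None


if __name__ == "__main__":
    for label, table in (("buggy", BUGGY_ALIASES), ("fixed", CORRECT_ALIASES)):
        print(label, "AECDH ->", expand_cipher_string("AECDH", table))
        print(label, "s_client -cipher AECDH ->",
              server_picks("AECDH", "AECDH", table))
        print(label, "s_client -cipher ALL:COMPLEMENTOFALL ->",
              server_picks("AECDH", "ALL:COMPLEMENTOFALL", table))
```

With the buggy table the server configured with `AECDH` offers only authenticated ECDH suites, so a client restricted to anonymous ECDH has nothing in common with it (result a), while a client offering everything is answered with TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (result b). With the corrected table the same server selects an ECDH_anon suite in both cases, which is the expected behaviour. The `!aNULL` handling is also worth checking, since a server operator who relies on `ALL:!aNULL` to exclude unauthenticated key exchange depends on the parser classifying the anonymous suites correctly.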

Comment 1 Radim Hatlapatka 2014-08-06 14:18:13 UTC
Created attachment 924507: Proposed patch

Comment 2 Rémy Maucherat 2014-09-09 14:11:34 UTC
Integrated in web as r2508.

Comment 3 Kabir Khan 2014-10-08 12:17:19 UTC
Should be fixed by the component upgrade to 7.5.0.Beta3 (1149776)

Comment 5 Radim Hatlapatka 2014-10-16 08:06:10 UTC
Verified in EAP 6.4.0.DR5