Bug 1673259
Summary: | Since JDK 1.8.0_201, NIO connector does not work | ||
---|---|---|---|
Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Hisanobu Okuda <hokuda> |
Component: | Web | Assignee: | Rémy Maucherat <rmaucher> |
Status: | CLOSED EOL | QA Contact: | Peter Mackay <pmackay> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.4.21 | CC: | aogburn, rmaucher, rpelisse |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-08-19 12:43:54 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Hisanobu Okuda
2019-02-07 07:26:29 UTC
Since JDK 1.8.0_201, TLS anon and NULL Cipher Suites are Disabled [1]. $JAVA_HOME/jre/lib/security/java.security: ---------------------------------------------------------------------------- jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL <<==anon and NULL are added ---------------------------------------------------------------------------- This causes a side effect to NIO connector. In org.apache.tomcat.util.net.jsse.NioJSSESocketChannelFactory, if "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" is disabled, RFC_5746_SUPPORTED = false. NioJSSESocketChannelFactory.java: ------------------------------------------------------------------------------- 114 if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) { 115 result = true; 116 break; 117 } ... 135 RFC_5746_SUPPORTED = result; ------------------------------------------------------------------------------- If RFC_5746_SUPPORTED is false, the following code will be executed: ------------------------------------------------------------------------------- 223 if (!allowUnsafeLegacyRenegotiation && !RFC_5746_SUPPORTED) { 224 // Prevent further handshakes by removing all cipher suites 225 engine.setEnabledCipherSuites(new String[0]); 226 } ------------------------------------------------------------------------------- This leads to: server.log: ------------------------------------------------------------------------------- 13:08:39,655 INFO [stdout] (http-127.0.0.1:8443-4) No available cipher suite for TLSv1 13:08:39,655 INFO [stdout] (http-127.0.0.1:8443-4) No available cipher suite for TLSv1.1 13:08:39,655 INFO [stdout] (http-127.0.0.1:8443-4) No available cipher suite for TLSv1.2 ------------------------------------------------------------------------------- Finally, SSL handshake initiation fails: server.log: ------------------------------------------------------------------------------- 13:08:39,655 INFO [stdout] (http-127.0.0.1:8443-4) http-127.0.0.1:8443-4, fatal error: 40: Couldn't kickstart handshaking ------------------------------------------------------------------------------- We have 2 workarounds. The 1st is enabling legacy renegotiation, but it is really bad idea. The 2nd is enabling NULL ciphersuites changing JAVA_HOME/jre/lib/security/java.security: ------------------------------------------------------------------------------- jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ EC keySize < 224, 3DES_EDE_CBC, anon <<== remove NULL ------------------------------------------------------------------------------- However, it is also not a good idea (pretty better than enabling legacy renegotiation though). [1] https://www.oracle.com/technetwork/java/javase/8u201-relnotes-5209271.html |