Bug 1111058 - Cipher suites can be now defined using openssl syntax even when using JSSE
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: post-GA
: EAP 6.3.2
Assignee: Lucas Costi
QA Contact: Radim Hatlapatka
URL:
Whiteboard:
Depends On: 1078204
Blocks:
Reported: 2014-06-19 07:19 UTC by Radim Hatlapatka
Modified: 2015-04-17 06:28 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-04-17 06:28:03 UTC
Type: Bug
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1078204 | 0 | unspecified | CLOSED | SSL connector fails to start if cipher-suite="ALL" | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 1115502 | 1 | None | None | None | 2021-01-20 06:05:38 UTC

Internal Links: 1078204 1115502

Description Radim Hatlapatka 2014-06-19 07:19:58 UTC
Description of problem:
Cipher suites can now be defined using openssl syntax even when using JSSE (natives are not enabled).

This was done as part of the fix for BZ#1078204 and needs to be documented.

For details about the new functionality, see the linked external trackers in BZ#1078204.

Comment 1 Emmanuel Hugonnet (ehsavoie) 2014-06-19 07:58:51 UTC
For documentation we can take inspiration from https://www.openssl.org/docs/apps/ciphers.html with the following differences:
 - it is not a command line, thus the "COMMAND OPTIONS" part makes no sense in our context
 - @SECLEVEL is not supported, as I couldn't find reliable documentation on what the LEVEL of each cipher was, and this seems to be a compilation feature.
 - SUITEB128, SUITEB128ONLY, SUITEB192 are also not supported.

Comment 2 Lucas Costi 2014-07-01 05:52:40 UTC
I have added the additional text to the cipher-suite description in the SSL connector reference:

"Cipher suites can be defined using OpenSSL syntax, even when using JSSE. For a list of available OpenSSL ciphers, see https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS. Note that the following are not supported: @SECLEVEL, SUITEB128, SUITEB128ONLY, SUITEB192."

Preview is available on DocBuilder: http://docbuilder.usersys.redhat.com/22508/#SSL_Connector_Reference1

Note that this same topic will also be updated in the Security Guide.

Change made to topic: SSL Connector Reference [9038, revision 680482].

Comment 4 Radim Hatlapatka 2014-07-04 08:24:50 UTC
Notes need to be included about the specific differences mentioned in the referenced BZs from [1].

Mainly a note regarding allowed separators: only a colon works as a separator for openssl syntax and a comma as a separator for JSSE syntax. For details there is a reported BZ, see [2].


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1078204
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1116292

Comment 5 Lucas Costi 2014-07-07 01:20:13 UTC
Okay, I have updated the description to:

-----
A list of the encryption ciphers which are allowed. For JSSE syntax, it must be a comma-separated list. For OpenSSL syntax, it must be a colon-separated list.

The JVM default for JSSE contains weak ciphers which should not be used. The example only lists two possible ciphers, but real-world examples will likely use more.

For a list of available OpenSSL ciphers, see https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS. Note that the following are not supported: @SECLEVEL, SUITEB128, SUITEB128ONLY, SUITEB192.
-----

Topic updated: SSL Connector Reference [9038, revision 681519]
6.3 Content specs updated for the new topic revision:
A&C [22508, revision 681522]
Security [22558, revision 681523]

Preview available on DocBuilder:
http://docbuilder.usersys.redhat.com/22508/#SSL_Connector_Reference1

Comment 7 Lucas Costi 2014-07-21 04:59:32 UTC
Note that some of the changes made here are superseded by modifications made for BZ#1115502.

Comment 8 Radim Hatlapatka 2014-07-28 08:01:49 UTC
A note should be added that you can't mix openssl and JSSE syntax. Otherwise it seems ok.

Comment 10 Michal Karm Babacek 2014-11-06 13:40:06 UTC
Dear Doc guys, this one looks severely neglected :-( Could you look into it please?

Comment 15 Radim Hatlapatka 2014-12-18 12:52:54 UTC
Verified in Revision 6.3.0-48, looks ok
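
The rules collected in comments 5 and 8 (comma for JSSE, colon for OpenSSL, no mixing, four unsupported keywords) can be checked before a connector is deployed. The following is an added example, not part of this bug thread or of JBoss EAP; the function name `lint_cipher_suite` and the heuristic that JSSE names start with `TLS_` or `SSL_` are assumptions, and the sample values are constructed.

```python
import re

# Keywords the thread lists as not supported in OpenSSL syntax.
UNSUPPORTED = {"SUITEB128", "SUITEB128ONLY", "SUITEB192"}
# Assumption (not from the thread): JSSE suite names look like TLS_... or SSL_...
JSSE_NAME = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")


def lint_cipher_suite(value):
    """Return a list of problems found in a cipher-suite attribute value."""
    problems = []
    tokens = [t.strip() for t in re.split(r"[:,]", value) if t.strip()]
    jsse = [t for t in tokens if JSSE_NAME.match(t)]
    openssl = [t for t in tokens if not JSSE_NAME.match(t)]

    # Comment 8: the two syntaxes cannot be mixed in one value.
    if jsse and openssl:
        problems.append("mixes JSSE and OpenSSL syntax")
    # Comment 5: JSSE lists use commas, OpenSSL lists use colons.
    elif jsse and ":" in value:
        problems.append("JSSE syntax must be comma-separated, found ':'")
    elif openssl and "," in value:
        problems.append("OpenSSL syntax must be colon-separated, found ','")

    for tok in openssl:
        # Drop OpenSSL's leading operators (!, +, -) before comparing keywords.
        bare = tok.lstrip("!+-").upper()
        if bare.startswith("@SECLEVEL"):
            problems.append("@SECLEVEL is not supported")
        elif bare in UNSUPPORTED:
            problems.append(bare + " is not supported")
    return problems


if __name__ == "__main__":
    # Constructed sample attribute values, not taken from the bug.
    samples = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "HIGH:!aNULL:!MD5",
        "HIGH,!aNULL",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,HIGH",
        "HIGH:@SECLEVEL=1:SUITEB128",
    ]
    for s in samples:
        print(s, "->", lint_cipher_suite(s) or "ok")
```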

