Bug 1123304 - [Openssl syntax with JSSE] Openssl DHE-* CIPHER names are not recognized as they are incorrectly defined as EDH-*
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: EAP 6.4.0
Assignee: Emmanuel Hugonnet (ehsavoie)
QA Contact: Michael Cada
Depends On: 1078204
Blocks: 1123342
Reported: 2014-07-25 09:29 UTC by Radim Hatlapatka
Modified: 2019-08-19 12:48 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2019-08-19 12:48:51 UTC
Type: Bug

Attachments
Proposed patch (2.05 KB, patch)
2014-07-25 09:51 UTC, Radim Hatlapatka
rhatlapa: review? (ehugonne)

Description Radim Hatlapatka 2014-07-25 09:29:24 UTC
DHE-* ciphers are not correctly recognized by the server even though their relevant JSSE ciphers (see mapping in [2]) are supported by the JRE/JDK in use.

According to [1], EDH and DHE CIPHER_STRINGS are aliases for the same ciphers; nevertheless, the CIPHER_SUITE_NAMES according to [2] always use DHE in their names. In JBossWeb, EDH is used instead of DHE.

For example, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA should be used with the openssl cipher suite name DHE-DSS-DES-CBC3-SHA, but it is used with EDH-DSS-DES-CBC3-SHA, which doesn't correspond to [2].

[1] https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
[2] https://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES

Comment 1 Radim Hatlapatka 2014-07-25 09:51:30 UTC
Created attachment 920943 [details]
Proposed patch

Comment 2 Emmanuel Hugonnet (ehsavoie) 2014-09-16 08:09:30 UTC
I think r2509 in web, which rebases on the Tomcat code, should fix this one too.

Comment 3 Radim Hatlapatka 2014-09-22 13:50:02 UTC
No, it doesn't. I have just checked the code and the issue is still valid.

(see Cipher 13 and Cipher 16 in https://source.jboss.org/changelog/JBossWeb?cs=2509)

Comment 4 Rémy Maucherat 2014-09-22 14:03:24 UTC
I am not convinced, but 11, 12, 13, 14, 15, 16 all look to be in the same situation to me.

Comment 5 Radim Hatlapatka 2014-09-22 14:10:47 UTC
Yes, you are right, for them it is the same, see https://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES

Comment 6 Rémy Maucherat 2014-09-22 14:51:47 UTC
Ok, so it's consistent, which is better. But it is possible the docs are wrong: the Tomcat tests have fewer failures with the code as is (the said test needs OpenSSL 1.0.1i, while I have 1.0.1e) than after the "fix".

It needs to be reviewed again ;)

Comment 7 Radim Hatlapatka 2014-09-22 15:12:05 UTC
Note that when trying openssl ciphers, it knows those ciphers as EDH ciphers, which is different from what they have in the documentation.

As you are saying, this can also be a bug in their documentation or in the openssl code.

Currently our documentation claims that we support the openssl syntax as described in their documentation, with a few exceptions, see https://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Administration_and_Configuration_Guide/index.html#SSL_Connector_Reference1

PS: I also have OpenSSL 1.0.1e.

Comment 8 Rémy Maucherat 2014-09-23 08:16:59 UTC
I don't plan to do anything right now, since I don't know what will happen.

Comment 9 Radim Hatlapatka 2014-09-23 08:30:07 UTC
In my opinion, the safest solution would be to also allow aliases for the openssl cipher names, as in this case EDH and DHE are openssl aliases for the same group of ciphers.

Comment 10 Emmanuel Hugonnet (ehsavoie) 2014-09-23 08:54:03 UTC
From openssl code:
/* XXX
 * Inconsistency alert:
 * The OpenSSL names of ciphers with ephemeral DH here include the string
 * "DHE", while elsewhere it has always been "EDH".
 * (The alias for the list of all such ciphers also is "EDH".)
 * The specifications speak of "EDH"; maybe we should allow both forms
 * for everything. */
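
The alias-aware lookup proposed in Comment 9, written out as an added Python example (this is not JBossWeb's code and not the attached patch). The mapping table is a constructed subset of the CIPHER_SUITE_NAMES list in [2]; its two 3DES entries are keyed with the EDH spelling to mirror what the description says JBossWeb does, so the strict lookup reproduces the reported failure for DHE-DSS-DES-CBC3-SHA. The assumption under test, taken from the OpenSSL source comment quoted in Comment 10, is that an "EDH-" and a "DHE-" prefix name the same ephemeral-DH suite. Keyword entries of an OpenSSL cipher string ("HIGH", "!aNULL") are reported as unmapped rather than expanded; OpenSSL's selection logic is out of scope here.

```python
"""Alias-aware OpenSSL -> JSSE cipher-name lookup (constructed example)."""
import re
from typing import List, Optional, Tuple

# Constructed subset of the OpenSSL CIPHER_SUITE_NAMES mapping.
# The two 3DES entries deliberately use the EDH spelling that the bug
# report says JBossWeb used; the docs spell them DHE-*.
OPENSSL_TO_JSSE = {
    "EDH-DSS-DES-CBC3-SHA": "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "EDH-RSA-DES-CBC3-SHA": "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "DHE-DSS-AES128-SHA":   "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES128-SHA":   "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "AES128-SHA":           "TLS_RSA_WITH_AES_128_CBC_SHA",
}

# Assumption (from the OpenSSL source comment quoted in the thread):
# "EDH" and "DHE" are two spellings of the same ephemeral-DH prefix.
_ALIAS_PREFIX = {"EDH": "DHE", "DHE": "EDH"}


def spellings(name: str) -> List[str]:
    """Return the name as given, followed by its EDH/DHE alias if any."""
    m = re.match(r"^(EDH|DHE)-(.+)$", name)
    if not m:
        return [name]
    return [name, f"{_ALIAS_PREFIX[m.group(1)]}-{m.group(2)}"]


def to_jsse_strict(name: str) -> Optional[str]:
    """Exact lookup only: the behaviour the bug report describes."""
    return OPENSSL_TO_JSSE.get(name)


def to_jsse(name: str) -> Optional[str]:
    """Alias-aware lookup: accept either prefix spelling."""
    for candidate in spellings(name):
        jsse = OPENSSL_TO_JSSE.get(candidate)
        if jsse is not None:
            return jsse
    return None


def resolve_cipher_list(cipher_string: str) -> Tuple[List[str], List[str]]:
    """Split a colon-separated OpenSSL cipher list and resolve each entry.

    Returns (JSSE names in the order given, entries that could not be
    mapped). Keywords such as "HIGH" or "!aNULL" land in the second list.
    """
    resolved: List[str] = []
    unmapped: List[str] = []
    for entry in filter(None, cipher_string.split(":")):
        jsse = to_jsse(entry)
        if jsse is None:
            unmapped.append(entry)
        else:
            resolved.append(jsse)
    return resolved, unmapped


if __name__ == "__main__":
    # Documented spelling fails under exact lookup, succeeds with aliases.
    print(to_jsse_strict("DHE-DSS-DES-CBC3-SHA"))
    print(to_jsse("DHE-DSS-DES-CBC3-SHA"), to_jsse("EDH-DSS-DES-CBC3-SHA"))
    print(resolve_cipher_list("DHE-DSS-DES-CBC3-SHA:AES128-SHA:!aNULL"))
```

Because spellings() tries the given name first, the aliasing never changes the result for a name that already matches; it only rescues the other spelling, which keeps the alias-aware path a strict superset of the exact one.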

Comment 11 Rémy Maucherat 2014-09-23 15:23:12 UTC
Interesting. I can try to commit upstream a set of aliases and see if there are complaints.
