Created attachment 920943 [details]
Proposed patch

I think r2509 in web rebases on the Tomcat code should fix this one too.

No it doesn't I have just checked the code and the issue is still valid.

(see Cipher 13 and Cipher 16 in https://source.jboss.org/changelog/JBossWeb?cs=2509)

I am not convinced, but 11, 12, 13, 14, 15, 16 all look in the same situation to me.

Yes, you are right, for them it is the same, see https://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES

Ok, so it's consistent, which is better. But it is possible the docs is wrong, the Tomcat tests have less failures with the code as is (the said test needs OpenSSL 1.0.1i, while I have 1.0.1e), rather than after the "fix".

It needs to be reviewed again ;)

Note that when trying openssl ciphers it knows those ciphers as EDH ciphers, which is different than what they have in documentation.

As you are saying this can be also bug in their documentation or in openssl code.

Currently our documentation claims that we support openssl syntax as is described in their documentation, with few exceptions, see https://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Administration_and_Configuration_Guide/index.html#SSL_Connector_Reference1


PS: I have also OpenSSL 1.0.1e

I don't plan to do anything right now, since I don't know what will happen.

From my opinion the safest solution would be to allow also aliases for the openssl cipher names as in these case EDH and DHE are in openssl aliases for the same group of ciphers.

From openssl code : 
/* XXX
 * Inconsistency alert:
 * The OpenSSL names of ciphers with ephemeral DH here include the string
 * "DHE", while elsewhere it has always been "EDH".
 * (The alias for the list of all such ciphers also is "EDH".)
 * The specifications speak of "EDH"; maybe we should allow both forms
 * for everything. */

Interesting. I can try to commit upstream a set of aliases and see if there are complaints.