Description of problem: There are ciphers which can exist with both SSL and TLS in its name but some JDKs can support only one of those. E.g. when using [1] the java recognizes only SSL variant of DHE_RSA_WITH_3DES_EDE_CBC_SHA => SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA (it doesn't know cipher TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, which results in server not being able to match appropriate cipher when using DHE-RSA-DES-CBC3-SHA as cipher suite name [1] JDK 1.7 with security unlimited java version "1.7.0_51" Java(TM) SE Runtime Environment (build 1.7.0_51-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
r2509 in web rebases on the Tomcat code since this needs support for alias names. Other fixes and improvements are included in the rebase.
Should be fixed by component upgrade to 7.5.0.Beta3 1149776
Verified with EAP 6.4.0.DR5
When checking with EAP 6.4.0.ER1, I have found that ciphers on IBM JDK have only SSL variant without having TLS variant using [1] which results in "no cipher match" match error for ciphers not having defined alias even though they should be supported on given JDK. E.g. if you define cipher-suite as "AES+SHA" there are multiple ciphers which should match this criteria, nevertheless due being defined as TLS_... without SSL_... as alias the connector fails to start with "no cipher match" error. E.g. one of matching ciphers to "AES+SHA" which is supported on IBM JDK is SSL_RSA_WITH_AES_128_CBC_SHA, and in org.apache.tomcat.util.net.jsse.openssl.Cipher there is only TLS_RSA_WITH_AES_128_CBC_SHA without defined alias to SSL_RSA_WITH_AES_128_CBC_SHA [1] method for getting default vs supported ciphers in used JAVA public static synchronized Set<String> getDefaultCipherSuitesFromJDK() { SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault(); // String[] cipherSuites = factory.getDefaultCipherSuites(); // for default ciphers String[] cipherSuites = factory.getSupportedCipherSuites(); // for supported ciphers return new HashSet<String>(Arrays.asList(cipherSuites)); }
When retrieving supported ciphers on IBM JDK, there are retrieved only the SSL variants. Thereby on IBM JDK this issue has higher impact => increasing severity.