Bug 1123356 - Unable to define single cipher using JSSE syntax
Summary: Unable to define single cipher using JSSE syntax
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: DR7
: EAP 6.4.0
Assignee: Emmanuel Hugonnet (ehsavoie)
QA Contact: Michael Cada
URL:
Whiteboard:
Depends On: 1123342 1131810 1149776
Blocks: 1166610
 
Reported: 2014-07-25 12:17 UTC by Radim Hatlapatka
Modified: 2019-08-19 12:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1166610
Environment:
Last Closed:
Type: Bug


Attachments
Fix for the issue (1.97 KB, patch)
2014-10-21 14:21 UTC, Emmanuel Hugonnet (ehsavoie)

Description Radim Hatlapatka 2014-07-25 12:17:59 UTC
Description of problem:
When the openssl converter for JSSE syntax doesn't know the specified cipher, the cipher isn't recognized even when it is enabled in the JVM in use.


Version-Release number of selected component (if applicable): 6.3.0.ER10


How reproducible: always


Steps to Reproduce:
1. start EAP with https connector including ssl configuration
2. set the cipher-suite to SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA (this cipher is checked to be enabled in [1] by default)

Actual results: server doesn't start due to BZ#1123342, with the openssl syntax parser not recognizing the cipher


Expected results: server starts, as it is a valid JSSE cipher name in the running JDK

Additional info:
Setting the cipher name twice, separated by a comma, results in usage of JSSE without the openssl syntax parser, which makes the server start correctly
(cipher-suite="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA")


[1]
 JDK 1.7 with security unlimited
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

Comment 1 Rémy Maucherat 2014-09-22 14:56:08 UTC
So with the alias feature from the Tomcat rebase, this is supposed to be fixed once a new web build is integrated.

Comment 2 Kabir Khan 2014-10-08 12:17:07 UTC
Should be fixed by component upgrade to 7.5.0.Beta3 1149776

Comment 3 Radim Hatlapatka 2014-10-21 07:51:08 UTC
Checked with EAP 6.4.0.DR6 and the issue is still valid.

Note the issue is in org.apache.tomcat.util.net.jsse.JSSEUtils#resolveEnabledCipherSuite

There is a condition: if (cipherSuites.length == 1) { // process as openssl syntax }

Comment 4 Radim Hatlapatka 2014-10-21 08:25:08 UTC
After looking into it a little bit more, the support for aliases doesn't fix this, as no parsing is done based on the provided JSSE aliases (the JSSE aliases are only used as the result of the enabled ciphers based on recognized ciphers during parsing).

Comment 5 Rémy Maucherat 2014-10-21 13:11:48 UTC
Ok, I tried the reproducer, but the corresponding cipher might have been available in my OpenSSL, so the alias fixed it. Or I did something wrong.

Comment 6 Emmanuel Hugonnet (ehsavoie) 2014-10-21 14:18:54 UTC
I've a fix for it.

Comment 7 Emmanuel Hugonnet (ehsavoie) 2014-10-21 14:21:29 UTC
Created attachment 948975
Fix for the issue

Fix

Comment 8 Rémy Maucherat 2014-10-21 14:37:55 UTC
Committed as r2527 in web. Thanks!

Comment 9 Radim Hatlapatka 2014-10-30 07:44:17 UTC
Verified in EAP 6.4.0.DR7
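
Added example, not the attached patch and not the JBoss Web or Tomcat source: one way to classify a cipher-suite attribute so that a lone JSSE name supported by the running JVM is accepted before the single-entry OpenSSL-syntax path from Comment 3 is considered. The class, method and field names are hypothetical, and the sample attribute values are constructed (the first two come from the report).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Illustration only; names are hypothetical and not taken from JSSEUtils.
public class CipherSuiteAttributeCheck {

    /** Outcome of inspecting one cipher-suite attribute value. */
    static final class Result {
        final List<String> jsseNames = new ArrayList<>(); // usable as-is by JSSE
        final List<String> unknown = new ArrayList<>();   // not supported by this JVM
        boolean needsOpenSslParser;                       // lone entry that is not a JSSE name
    }

    static Result classify(String attribute, Set<String> jvmSupported) {
        Result r = new Result();
        List<String> entries = new ArrayList<>();
        for (String e : attribute.split(",")) {
            if (!e.trim().isEmpty()) entries.add(e.trim());
        }
        for (String e : entries) {
            if (jvmSupported.contains(e)) {
                r.jsseNames.add(e);           // checked first, even for a single entry
            } else if (entries.size() == 1) {
                r.needsOpenSslParser = true;  // only now treat it as an OpenSSL expression
            } else {
                r.unknown.add(e);
            }
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        // What the running JVM supports; this is the set the reporter checked against.
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        String[] samples = {
            "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "HIGH:!aNULL" };
        for (String s : samples) {
            Result r = classify(s, supported);
            System.out.printf("%s%n  jsse=%s unknown=%s openssl=%b%n",
                    s, r.jsseNames, r.unknown, r.needsOpenSslParser);
        }
    }
}
```

The result for each sample depends on the JDK it runs on, since the supported set is read from the default SSLContext.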

