Bug 1127283 - [openssl syntax with JSSE] AECDH cipher string behaves as ECDH without anonymous ciphers, should be the opposite (only anonymous ECDH)
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: DR5
: EAP 6.4.0
Assignee: Rémy Maucherat
QA Contact: Michael Cada
Depends On: 1149776
Reported: 2014-08-06 14:16 UTC by Radim Hatlapatka
Modified: 2019-08-19 12:43 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2019-08-19 12:38:29 UTC
Type: Bug

Attachments
Proposed patch (1.52 KB, patch)
2014-08-06 14:18 UTC, Radim Hatlapatka

Description Radim Hatlapatka 2014-08-06 14:16:33 UTC
Description of problem:
When AECDH is set as the cipher string, instead of setting anonymous Elliptic Curve Diffie-Hellman cipher suites (see [1]), it sets non-anonymous ECDH.

Version-Release number of selected component (if applicable): EAP 6.3.0

How reproducible: always

Steps to Reproduce:
1. Set AECDH as the cipher suite
2. Enable debug logging for org.apache.tomcat.util.net.jsse
3. Do a handshake via openssl s_client
  a) openssl s_client -connect -cipher AECDH
  b) openssl s_client -connect -cipher ALL:COMPLEMENTOFALL

Actual results:
a) handshake fails with enforced AECDH

b) In my case the cipher actually used is ECDH-RSA-AES256-SHA384, which is not anonymous ECDH

Expected results:
a) If the JDK in use supports any AECDH ciphers, the handshake is successful
b) The cipher used is one of the AECDH ciphers, if the JDK in use supports any AECDH ciphers

Additional info:
AECDH and ECDH require keystores generated using EC keyalg

[1] https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
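
The check below is an added example, not code from the bug report or from JBoss Web. It lists the anonymous ECDH suites the running JDK supports (the set AECDH should resolve to) and classifies a negotiated suite name; the class and method names are hypothetical, standard JSSE suite names are assumed, and the default sample is the JSSE name of the ECDH-RSA-AES256-SHA384 suite seen in the report.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.List;

public class AecdhSuiteCheck {
    // JSSE names anonymous ECDH suites TLS_ECDH_anon_WITH_*; these are the
    // only suites the OpenSSL cipher string AECDH is meant to select.
    static boolean isAnonymousEcdh(String suite) {
        return suite.startsWith("TLS_ECDH_anon_WITH_");
    }

    // Fixed or ephemeral ECDH whose server key is authenticated (RSA/ECDSA).
    static boolean isAuthenticatedEcdh(String suite) {
        return (suite.startsWith("TLS_ECDH_") || suite.startsWith("TLS_ECDHE_"))
                && !isAnonymousEcdh(suite);
    }

    static List<String> anonymousEcdh(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (isAnonymousEcdh(s)) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Suites this JDK can offer at all, before any connector filtering.
        String[] supported = SSLContext.getDefault()
                .getSupportedSSLParameters().getCipherSuites();
        List<String> expected = anonymousEcdh(supported);
        if (expected.isEmpty()) {
            System.out.println("JDK supports no anonymous ECDH suites: "
                    + "AECDH should resolve to an empty list");
        } else {
            System.out.println("AECDH should resolve to: " + expected);
        }
        // Constructed sample: JSSE name of the suite the report saw negotiated.
        String negotiated = args.length > 0 ? args[0]
                : "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384";
        if (isAnonymousEcdh(negotiated)) {
            System.out.println(negotiated + ": anonymous ECDH, matches AECDH");
        } else if (isAuthenticatedEcdh(negotiated)) {
            System.out.println(negotiated + ": authenticated ECDH, AECDH not honoured");
        } else {
            System.out.println(negotiated + ": not an ECDH suite");
        }
    }
}
```

Pass the suite name from the connector's debug log as the first argument to classify a different negotiated cipher.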

Comment 1 Radim Hatlapatka 2014-08-06 14:18:13 UTC
Created attachment 924507
Proposed patch

Comment 2 Rémy Maucherat 2014-09-09 14:11:34 UTC
Integrated in web as r2508.

Comment 3 Kabir Khan 2014-10-08 12:17:19 UTC
Should be fixed by component upgrade to 7.5.0.Beta3 1149776

Comment 5 Radim Hatlapatka 2014-10-16 08:06:10 UTC
Verified in EAP 6.4.0.DR5
