1127283 – [openssl syntax with JSSE] AECDH cipher string behaves as ECDH without anonymous ciphers, should be the opposite (only anonymous ECDH)

Bug 1127283 - [openssl syntax with JSSE] AECDH cipher string behaves as ECDH without anonymous ciphers, should be the opposite (only anonymous ECDH)

Summary: [openssl syntax with JSSE] AECDH cipher string behaves as ECDH without anonym...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Web
Sub Component:
Version:	6.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	DR5
Target Release:	EAP 6.4.0
Assignee:	Rémy Maucherat
QA Contact:	Michael Cada
Docs Contact:
URL:
Whiteboard:
Depends On:	1149776
Blocks:
TreeView+	depends on / blocked

Reported:	2014-08-06 14:16 UTC by Radim Hatlapatka
Modified:	2019-08-19 12:43 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2019-08-19 12:38:29 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)
Proposed patch (1.52 KB, patch) 2014-08-06 14:18 UTC, Radim Hatlapatka	no flags	Details \| Diff
View All

Description Radim Hatlapatka 2014-08-06 14:16:33 UTC

Description of problem:
When setting AECDH as cipher string instead of setting anonymous Elliptic Curve Diffie Hellman cipher suites, see [1] sets non anonymous ECDH


Version-Release number of selected component (if applicable): EAP 6.3.0


How reproducible: always


Steps to Reproduce:
1. set as cipher suite AECDH
2. enable debug logging for org.apache.tomcat.util.net.jsse
3. do handshake via openssl s_client
  a) openssl s_client -connect 127.0.0.1:8443 -cipher AECDH
  b) openssl s_client -connect 127.0.0.1:8443 -cipher ALL:COMPLEMENTOFALL


Actual results:
a) handshake fails with enforced AECDH

b) In my case actually used cipher is ECDH-RSA-AES256-SHA384 which is not anonymous ECDH


Expected results:
a) if there are some AECDH ciphers supported in used JDK, handshake is successful
b) the used cipher is one of AECDH ciphers if there are some AECDH ciphers supported in used JDK


Additional info:
AECDH and ECDH requires keystores generated using EC keyalg



[1] https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS

Comment 1 Radim Hatlapatka 2014-08-06 14:18:13 UTC

Created attachment 924507 [details]
Proposed patch

Proposed patch

Comment 2 Rémy Maucherat 2014-09-09 14:11:34 UTC

Integrated in web as r2508.

Comment 3 Kabir Khan 2014-10-08 12:17:19 UTC

Should be fixed by component upgrade to 7.5.0.Beta3 1149776

Comment 5 Radim Hatlapatka 2014-10-16 08:06:10 UTC

Verified in EAP 6.4.0.DR5

Note You need to log in before you can comment on or make changes to this bug.