Bug 1127283 - [openssl syntax with JSSE] AECDH cipher string behaves as ECDH without anonymous ciphers, should be the opposite (only anonymous ECDH)
Summary: [openssl syntax with JSSE] AECDH cipher string behaves as ECDH without anonym...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: DR5
: EAP 6.4.0
Assignee: Rémy Maucherat
QA Contact: Michael Cada
URL:
Whiteboard:
Depends On: 1149776
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-06 14:16 UTC by Radim Hatlapatka
Modified: 2019-08-19 12:43 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:38:29 UTC
Type: Bug


Attachments (Terms of Use)
Proposed patch (1.52 KB, patch)
2014-08-06 14:18 UTC, Radim Hatlapatka
no flags Details | Diff

Description Radim Hatlapatka 2014-08-06 14:16:33 UTC
Description of problem:
When setting AECDH as cipher string instead of setting anonymous Elliptic Curve Diffie Hellman cipher suites, see [1] sets non anonymous ECDH


Version-Release number of selected component (if applicable): EAP 6.3.0


How reproducible: always


Steps to Reproduce:
1. set as cipher suite AECDH
2. enable debug logging for org.apache.tomcat.util.net.jsse
3. do handshake via openssl s_client
  a) openssl s_client -connect 127.0.0.1:8443 -cipher AECDH
  b) openssl s_client -connect 127.0.0.1:8443 -cipher ALL:COMPLEMENTOFALL


Actual results:
a) handshake fails with enforced AECDH

b) In my case actually used cipher is ECDH-RSA-AES256-SHA384 which is not anonymous ECDH


Expected results:
a) if there are some AECDH ciphers supported in used JDK, handshake is successful
b) the used cipher is one of AECDH ciphers if there are some AECDH ciphers supported in used JDK


Additional info:
AECDH and ECDH requires keystores generated using EC keyalg



[1] https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS

Comment 1 Radim Hatlapatka 2014-08-06 14:18:13 UTC
Created attachment 924507 [details]
Proposed patch

Proposed patch

Comment 2 Rémy Maucherat 2014-09-09 14:11:34 UTC
Integrated in web as r2508.

Comment 3 Kabir Khan 2014-10-08 12:17:19 UTC
Should be fixed by component upgrade to 7.5.0.Beta3 1149776

Comment 5 Radim Hatlapatka 2014-10-16 08:06:10 UTC
Verified in EAP 6.4.0.DR5


Note You need to log in before you can comment on or make changes to this bug.