[JBoss JIRA] (ELY-386) Unable to create HTTPS connection when some opnessl cipher suite with DHE are used

Friday, 1 September 2017

     [
https://issues.jboss.org/browse/ELY-386?page=com.atlassian.jira.plugin.sy...
]

Jan Kalina reassigned ELY-386:
------------------------------

    Assignee: Jan Kalina

...
 Unable to create HTTPS connection when some opnessl cipher suite with
DHE are used
 ----------------------------------------------------------------------------------

                 Key: ELY-386
                 URL: https://issues.jboss.org/browse/ELY-386
             Project: WildFly Elytron
          Issue Type: Bug
          Components: SSL
    Affects Versions: 1.0.2.Final
         Environment: Oracle java 1.8.0_66
            Reporter: Martin Choma
            Assignee: Jan Kalina

 Can't configure OpenSSL cipher suites EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA,
DHE-RSA-DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA [1]
for HTTPS connection. Seems like everlasting problem DHE vs. EDH [2] - these cipher suites
don't work neither in EAP6. IMHO problem is in MechanismDatabase.properties, where
these DHE cipher suite are mapped to openssl EDH cipher suite what contradict openssl
documentation [1]:
 {code}
 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   = alias:TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 SSL_DHE_RSA_WITH_DES_CBC_SHA            = alias:TLS_DHE_RSA_WITH_DES_CBC_SHA
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       = alias:TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   =
EXP-EDH-RSA-DES-CBC-SHA,DHE,RSA,DES,SHA1,SSLv3,true,EXP40,false,40,56
 TLS_DHE_RSA_WITH_DES_CBC_SHA            =
EDH-RSA-DES-CBC-SHA,DHE,RSA,DES,SHA1,SSLv3,false,LOW,false,56,56
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       =
EDH-RSA-DES-CBC3-SHA,DHE,RSA,3DES,SHA1,SSLv3,false,HIGH,true,168,168
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   =
EXP-EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,true,EXP40,false,40,56
 SSL_DHE_DSS_WITH_DES_CBC_SHA            =
EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       =
EDH-DSS-DES-CBC3-SHA,DHE,DSS,3DES,SHA1,SSLv3,false,HIGH,true,168,168
 {code}
 Note that MechanismDatabase.properties is inconsistent in mapping DHE cipher suites to
openssl cipher suites, as there also exist couple of them which map DHE to DHE, for
example
 {code}
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     =
DHE-RSA-AES128-SHA256,DHE,RSA,AES128,SHA256,TLSv1.2,false,HIGH,true,128,128
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     =
DHE-RSA-AES256-SHA256,DHE,RSA,AES256,SHA256,TLSv1.2,false,HIGH,true,256,256
 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     =
DHE-RSA-AES128-GCM-SHA256,DHE,RSA,AES128GCM,AEAD,TLSv1.2,false,HIGH,true,128,128
 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     =
DHE-RSA-AES256-GCM-SHA384,DHE,RSA,AES256GCM,AEAD,TLSv1.2,false,HIGH,true,256,256
 {code}
 In MechanismDatabase.properties is also said that
 ??Note that all EDH ciphers automatically get a DHE OpenSSL-style alias (and
vice-versa)??
 I think this JIRA contradict this comment.
 Last thing, based on [1] shouldn't be SSL_DHE_DSS_WITH_DES_CBC_SHA defined as 
 SSL_DHE_DSS_WITH_DES_CBC_SHA            =
DHE-DSS-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
 ?
 [1] https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-SUITE-NAMES
 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1123304 

--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006