Jan Kalina commented on ELY-386:
--------------------------------
The problem with *DHE-DSS-CBC-SHA* is that there are two OpenSSL names for one standard name:
{code}
TLS_DHE_DSS_WITH_DES_CBC_SHA = EDH-DSS-DES-CBC-SHA,...
TLS_DHE_DSS_WITH_DES_CBC_SHA = EDH-DSS-CBC-SHA,...
{code}
We would need to implement aliases for OSSL names (currently we have aliases only for
stdNames), or at least allow more entries for one stdName (which currently causes a
warning and ignores the second definition).
[~dmlloyd] Do we want to support both OSSL names for TLS_DHE_DSS_WITH_DES_CBC_SHA? It
looks like most projects support only one of these names.
Unable to create HTTPS connection when some openssl cipher suites with
DHE are used
----------------------------------------------------------------------------------
Key: ELY-386
URL: https://issues.jboss.org/browse/ELY-386
Project: WildFly Elytron
Issue Type: Bug
Components: SSL
Affects Versions: 1.0.2.Final
Environment: Oracle java 1.8.0_66
Reporter: Martin Choma
Assignee: Jan Kalina
Can't configure OpenSSL cipher suites EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA,
DHE-RSA-DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA [1]
for an HTTPS connection. Seems like the everlasting problem of DHE vs. EDH [2] - these cipher
suites don't work in EAP6 either. IMHO the problem is in MechanismDatabase.properties, where
these DHE cipher suites are mapped to openssl EDH cipher suites, which contradicts the openssl
documentation [1]:
{code}
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = alias:TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA = alias:TLS_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = alias:TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-RSA-DES-CBC-SHA,DHE,RSA,DES,SHA1,SSLv3,true,EXP40,false,40,56
TLS_DHE_RSA_WITH_DES_CBC_SHA = EDH-RSA-DES-CBC-SHA,DHE,RSA,DES,SHA1,SSLv3,false,LOW,false,56,56
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = EDH-RSA-DES-CBC3-SHA,DHE,RSA,3DES,SHA1,SSLv3,false,HIGH,true,168,168
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,true,EXP40,false,40,56
SSL_DHE_DSS_WITH_DES_CBC_SHA = EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = EDH-DSS-DES-CBC3-SHA,DHE,DSS,3DES,SHA1,SSLv3,false,HIGH,true,168,168
{code}
Note that MechanismDatabase.properties is inconsistent in mapping DHE cipher suites to
openssl cipher suites, as there also exist a couple of them that map DHE to DHE, for
example
{code}
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = DHE-RSA-AES128-SHA256,DHE,RSA,AES128,SHA256,TLSv1.2,false,HIGH,true,128,128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = DHE-RSA-AES256-SHA256,DHE,RSA,AES256,SHA256,TLSv1.2,false,HIGH,true,256,256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = DHE-RSA-AES128-GCM-SHA256,DHE,RSA,AES128GCM,AEAD,TLSv1.2,false,HIGH,true,128,128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = DHE-RSA-AES256-GCM-SHA384,DHE,RSA,AES256GCM,AEAD,TLSv1.2,false,HIGH,true,256,256
{code}
MechanismDatabase.properties also says that
??Note that all EDH ciphers automatically get a DHE OpenSSL-style alias (and
vice-versa)??
I think this JIRA contradicts that comment.
Last thing: based on [1], shouldn't SSL_DHE_DSS_WITH_DES_CBC_SHA be defined as
{code}
SSL_DHE_DSS_WITH_DES_CBC_SHA = DHE-DSS-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
{code}
?
[1] https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-SUITE-NAMES
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1123304
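Neither the report nor the comment shows what a loader that handles both points would look like: a standard name carrying two OpenSSL spellings (Jan Kalina's comment), and the EDH/DHE alias rule the properties comment promises (the reporter's last quote). The following is an added illustration, not Elytron's own code (Elytron is Java; this is a stand-alone Python model of the MechanismDatabase.properties format quoted above). It keys entries on the standard name, treats a repeated standard name as a second OpenSSL spelling as long as the other ten fields agree, and registers an EDH<->DHE twin for every OpenSSL name, keeping the EXP- prefix. The sample table is constructed from entries quoted in this issue; the function names, the `alias:` handling and the conflict checks are assumptions, not Elytron's API.

```python
# Added example for ELY-386, not WildFly Elytron code: a loader for the quoted
# MechanismDatabase.properties format with multi-name entries and EDH/DHE aliases.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the issue's format:
# stdName = osslName,kex,auth,enc,mac,protocol,export,level,fips,strengthBits,algBits
# TLS_DHE_DSS_WITH_DES_CBC_SHA is deliberately listed twice, once per OpenSSL name
# from the comment; the loader merges the two lines instead of dropping the second.
SAMPLE_DATABASE = """
SSL_DHE_DSS_WITH_DES_CBC_SHA = alias:TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA = EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
TLS_DHE_DSS_WITH_DES_CBC_SHA = DHE-DSS-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = EDH-RSA-DES-CBC3-SHA,DHE,RSA,3DES,SHA1,SSLv3,false,HIGH,true,168,168
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = DHE-RSA-AES128-GCM-SHA256,DHE,RSA,AES128GCM,AEAD,TLSv1.2,false,HIGH,true,128,128
"""

# kex, auth, enc, mac, protocol, export, level, fips, strength bits, algorithm bits
Params = Tuple[str, str, str, str, str, bool, str, bool, int, int]

@dataclass
class CipherSuite:
    std_name: str
    params: Params
    ossl_names: List[str] = field(default_factory=list)  # every spelling given in the table

@dataclass
class MechanismDatabase:
    by_std: Dict[str, CipherSuite]   # standard names plus their alias:-declared synonyms
    by_ossl: Dict[str, CipherSuite]  # every OpenSSL spelling, generated EDH/DHE twins included

_DH_PREFIX = re.compile(r"^(EXP-)?(EDH|DHE)-")

def edh_dhe_aliases(ossl_name: str) -> List[str]:
    """Return the name and its EDH<->DHE twin (EXP- prefix kept); non-DH names unchanged."""
    m = _DH_PREFIX.match(ossl_name)
    if not m:
        return [ossl_name]
    twin = "DHE" if m.group(2) == "EDH" else "EDH"
    return [ossl_name, f"{m.group(1) or ''}{twin}-{ossl_name[m.end():]}"]

def _parse_params(fields: List[str]) -> Params:
    kex, auth, enc, mac, proto, export, level, fips, sbits, abits = fields
    return (kex, auth, enc, mac, proto, export == "true", level, fips == "true", int(sbits), int(abits))

def load_database(text: str) -> MechanismDatabase:
    by_std: Dict[str, CipherSuite] = {}
    std_aliases: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        std_name, value = key.strip(), value.strip()
        if value.startswith("alias:"):
            std_aliases.append((std_name, value[len("alias:"):].strip()))
            continue
        fields = [f.strip() for f in value.split(",")]
        if len(fields) != 11:
            raise ValueError(f"{std_name}: expected 11 fields, got {len(fields)}")
        ossl_name, params = fields[0], _parse_params(fields[1:])
        suite = by_std.get(std_name)
        if suite is None:
            suite = by_std[std_name] = CipherSuite(std_name, params)
        elif suite.params != params:
            # A repeated standard name is another OpenSSL spelling only if it describes
            # the same suite; a real conflict is an error, not something to ignore.
            raise ValueError(f"{std_name}: conflicting definitions")
        suite.ossl_names.append(ossl_name)
    by_ossl: Dict[str, CipherSuite] = {}
    for suite in by_std.values():
        for alias in {a for n in suite.ossl_names for a in edh_dhe_aliases(n)}:
            owner = by_ossl.setdefault(alias, suite)
            if owner is not suite:  # the same OpenSSL name must not resolve to two suites
                raise ValueError(f"{alias} maps to both {owner.std_name} and {suite.std_name}")
    for alias, target in std_aliases:
        if target not in by_std:
            raise ValueError(f"{alias}: alias target {target} is not defined")
        by_std[alias] = by_std[target]
    return MechanismDatabase(by_std, by_ossl)

def resolve_openssl(db: MechanismDatabase, ossl_name: str) -> Optional[str]:
    """OpenSSL spelling in either EDH- or DHE- form -> canonical standard name, or None."""
    suite = db.by_ossl.get(ossl_name)
    return suite.std_name if suite else None

def openssl_spellings(db: MechanismDatabase, std_name: str) -> List[str]:
    """All OpenSSL names accepted for a standard name (or alias), generated twins included."""
    suite = db.by_std.get(std_name)
    if suite is None:
        return []
    return sorted({a for n in suite.ossl_names for a in edh_dhe_aliases(n)})

if __name__ == "__main__":
    db = load_database(SAMPLE_DATABASE)
    for name in ("DHE-DSS-CBC-SHA", "EDH-DSS-DES-CBC-SHA", "DHE-RSA-DES-CBC3-SHA"):
        print(f"{name:24} -> {resolve_openssl(db, name)}")
    print(openssl_spellings(db, "SSL_DHE_DSS_WITH_DES_CBC_SHA"))
```

With this table, `DHE-DSS-CBC-SHA`, `EDH-DSS-DES-CBC-SHA` and the generated `DHE-DSS-DES-CBC-SHA` all resolve to `TLS_DHE_DSS_WITH_DES_CBC_SHA`, and `DHE-RSA-DES-CBC3-SHA` resolves even though the table only spells it `EDH-RSA-DES-CBC3-SHA`. Two lines for the same standard name with different parameters, or two standard names whose generated twins collide, are rejected at load time rather than silently dropped.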