[ https://issues.jboss.org/browse/ELY-438?page=com.atlassian.jira.plugin.sy... ]
Hynek Švábek updated ELY-438:
-----------------------------
Description:
There is no possibility to use alternative JSSE Cipher Suite Names for IBM JDK8.
Interchanging the TLS prefix with SSL and vice versa is not supported.
Here is the list of standard JSSE Cipher Suite Names:
http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNa...
In my opinion this file is the mapping file for our purpose. Is it?
https://github.com/wildfly-security/wildfly-elytron/blob/master/src/main/...
For IBM JDK there are different JSSE Cipher Suite Names (different prefix).
Most items from this list are missing in the MechanismDatabase.properties mentioned above.
http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.secu...
For example:
JSSE Cipher Suite Name *SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA* is only defined for IBM JDK.
It is *TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA* for Oracle JDK.
If I try to start the server with JSSE Cipher Suite Name *SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA* I will get this error:
{code}
16:55:25,594 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.undertow.listener.https: org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.lang.Thread.run(Thread.java:785)
Caused by: java.lang.IllegalArgumentException: ELY05017: Token "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA" not allowed at offset 33 of mechanism selection string "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA"
    at org.wildfly.security.ssl.CipherSuiteSelector.fromString(CipherSuiteSelector.java:399)
    at org.wildfly.extension.undertow.HttpsListenerService.startListening(HttpsListenerService.java:125)
    at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:138)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    ... 3 more
16:55:25,598 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "undertow"),
    ("server" => "default-server"),
    ("https-listener" => "https")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.listener.https" => "org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
    Caused by: java.lang.IllegalArgumentException: ELY05017: Token \"SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA\" not allowed at offset 33 of mechanism selection string \"SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA\""}}
{code}
was:
There is no possibility to use alternative JSSE Cipher Suite Names for IBM JDK8.
Interchanging the TLS prefix with SSL and vice versa is not supported.
Here is the list of standard JSSE Cipher Suite Names:
http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNa...
In my opinion this file is the mapping file for our purpose. Is it?
https://github.com/wildfly-security/wildfly-elytron/blob/master/src/main/...
For IBM JDK there are different JSSE Cipher Suite Names (different prefix).
Most items from this list are missing in the MechanismDatabase.properties mentioned above.
http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.secu...
For example:
JSSE Cipher Suite Name *SSL_ECDH_RSA_WITH_AES_128_CBC_SHA* is only defined for IBM JDK.
It is *TLS_ECDH_RSA_WITH_AES_128_CBC_SHA* for Oracle JDK.
If I try to start the server with JSSE Cipher Suite Name *SSL_ECDH_RSA_WITH_AES_128_CBC_SHA* I will get this error:
{code}
16:55:25,594 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.undertow.listener.https: org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.lang.Thread.run(Thread.java:785)
Caused by: java.lang.IllegalArgumentException: ELY05017: Token "SSL_ECDH_RSA_WITH_AES_128_CBC_SHA" not allowed at offset 33 of mechanism selection string "SSL_ECDH_RSA_WITH_AES_128_CBC_SHA"
    at org.wildfly.security.ssl.CipherSuiteSelector.fromString(CipherSuiteSelector.java:399)
    at org.wildfly.extension.undertow.HttpsListenerService.startListening(HttpsListenerService.java:125)
    at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:138)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    ... 3 more
16:55:25,598 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "undertow"),
    ("server" => "default-server"),
    ("https-listener" => "https")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.listener.https" => "org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
    Caused by: java.lang.IllegalArgumentException: ELY05017: Token \"SSL_ECDH_RSA_WITH_AES_128_CBC_SHA\" not allowed at offset 33 of mechanism selection string \"SSL_ECDH_RSA_WITH_AES_128_CBC_SHA\""}}
{code}
There is not possibility to use alternative JSSE Cipher Suite Names for IBM JDK
-------------------------------------------------------------------------------
Key: ELY-438
URL: https://issues.jboss.org/browse/ELY-438
Project: WildFly Elytron
Issue Type: Bug
Components: SSL
Reporter: Hynek Švábek
Assignee: Darran Lofthouse
Priority: Critical
Fix For: 1.1.0.CR1, 1.0.3.CR1
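The prefix mismatch reported in this issue, shown as an added example that is not part of the report and not WildFly Elytron code: a configured suite name is resolved against the names the running JSSE provider lists, trying the TLS_/SSL_ prefix swap only when the exact spelling is absent. The class name `CipherSuiteAlias`, its methods and the two sample suite sets are hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;

// Added illustration; hypothetical class, not WildFly Elytron code.
public class CipherSuiteAlias {

    // TLS_x <-> SSL_x; names with neither prefix have no alias.
    static Optional<String> alias(String name) {
        if (name.startsWith("TLS_")) return Optional.of("SSL_" + name.substring(4));
        if (name.startsWith("SSL_")) return Optional.of("TLS_" + name.substring(4));
        return Optional.empty();
    }

    // Exact match wins, then the prefix-swapped alias. Anything else is
    // rejected so a typo cannot silently remove a suite from the policy.
    static String resolve(String configured, Set<String> supported) {
        if (supported.contains(configured)) return configured;
        return alias(configured)
                .filter(supported::contains)
                .orElseThrow(() -> new IllegalArgumentException(
                        "Unsupported cipher suite: " + configured));
    }

    public static void main(String[] args) {
        // Constructed sample sets. On a live JVM the supported names come from
        // SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites().
        Set<String> tlsPrefixed = new HashSet<>(Arrays.asList(
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA"));
        Set<String> sslPrefixed = new HashSet<>(Arrays.asList(
                "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                "SSL_RSA_WITH_3DES_EDE_CBC_SHA"));

        String fromIssue = "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA";
        System.out.println(resolve(fromIssue, tlsPrefixed)); // alias used
        System.out.println(resolve(fromIssue, sslPrefixed)); // exact match
        // A blind SSL_ -> TLS_ rewrite would break this name, which is why the
        // swap is only accepted when the provider actually lists the result.
        System.out.println(resolve("SSL_RSA_WITH_3DES_EDE_CBC_SHA", tlsPrefixed));
        try {
            resolve("SSL_ECDHE_RSA_WITH_AES_128_CBC_SHAA", sslPrefixed);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage()); // misspelled name fails closed
        }
    }
}
```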