[jboss-jira] [JBoss JIRA] Resolved: (JBAS-3150) Cipher attribute in the SSL Connector is ignored
Anil Saldhana (JIRA)
jira-events at jboss.com
Mon Sep 18 13:22:50 EDT 2006
[ http://jira.jboss.com/jira/browse/JBAS-3150?page=all ]
Anil Saldhana resolved JBAS-3150.
---------------------------------
Resolution: Rejected
I reject this as a bug for the following reason.
When the user configures a comma-separated list of ciphers, then there are two criteria that are applied to figure out the final cipher suite:
Requested Cipher Suite and the default cipher suite (provided by the JDK SSLSocketFactory)
http://java.sun.com/j2se/1.4.2/docs/api/javax/net/ssl/SSLSocketFactory.html
So basically, if the user configures: ciphers = "TEST_DUMMY"
then the requested cipher suite is "TEST_DUMMY", whereas the default cipher suite can be:
-------------------------------------------------------------------------------------------------------------------------------
2006-09-18 12:05:21,343 ERROR [STDERR] Supported Cipher:[0]=SSL_RSA_WITH_RC4_128_MD5
2006-09-18 12:05:21,343 ERROR [STDERR] Supported Cipher:[1]=SSL_RSA_WITH_RC4_128_SHA
2006-09-18 12:05:21,343 ERROR [STDERR] Supported Cipher:[2]=TLS_RSA_WITH_AES_128_CBC_SHA
2006-09-18 12:05:21,343 ERROR [STDERR] Supported Cipher:[3]=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
2006-09-18 12:05:21,343 ERROR [STDERR] Supported Cipher:[4]=TLS_DHE_DSS_WITH_AES_128_CBC_SHA
2006-09-18 12:05:21,343 ERROR [STDERR] Supported Cipher:[5]=SSL_RSA_WITH_3DES_EDE_CBC_SHA
2006-09-18 12:05:21,343 ERROR [STDERR] Supported Cipher:[6]=SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
2006-09-18 12:05:21,343 ERROR [STDERR] Supported Cipher:[7]=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[8]=SSL_RSA_WITH_DES_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[9]=SSL_DHE_RSA_WITH_DES_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[10]=SSL_DHE_DSS_WITH_DES_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[11]=SSL_RSA_EXPORT_WITH_RC4_40_MD5
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[12]=SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[13]=SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[14]=SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[15]=TLS_RSA_WITH_AES_256_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[16]=TLS_DHE_RSA_WITH_AES_256_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[17]=TLS_DHE_DSS_WITH_AES_256_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[18]=SSL_RSA_WITH_NULL_MD5
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[19]=SSL_RSA_WITH_NULL_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[20]=SSL_DH_anon_WITH_RC4_128_MD5
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[21]=TLS_DH_anon_WITH_AES_128_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[22]=TLS_DH_anon_WITH_AES_256_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[23]=SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[24]=SSL_DH_anon_WITH_DES_CBC_SHA
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[25]=SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
2006-09-18 12:05:21,359 ERROR [STDERR] Supported Cipher:[26]=SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
================================================================================================
Since the requested cipher does not exist in the default cipher list, the default cipher list applies.
Now, if I configure ciphers = "TEST_DUMMY,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
then the logic is such that the final cipher list will be restricted to "SSL_RSA_WITH_3DES_EDE_CBC_SHA"
=============================================================
ERROR [STDERR] Cipher:[0]=SSL_RSA_WITH_3DES_EDE_CBC_SHA
=============================================================
===============================================
// Debug override placed in a subclass of the JSSE socket factory (the superclass is not shown here):
// it prints the cipher list that the parent computes from the requested ciphers and the supported set.
protected String[] getEnabledCiphers(String requestedCiphers, String[] supportedCiphers)
{
    String[] baseCiphers = super.getEnabledCiphers(requestedCiphers, supportedCiphers);
    // Print them out on STDERR (this is what shows up as "ERROR [STDERR] Cipher:[n]=..." in the log)
    int len = baseCiphers != null ? baseCiphers.length : 0;
    for (int i = 0; i < len; i++)
    {
        System.err.println("Cipher:[" + i + "]=" + baseCiphers[i]);
    }
    return baseCiphers;
}
================================================
So the behavior is consistent with what is expected. If the cipher suite
provided does not contain any of the default ciphers supported by the JDK,
then the default ciphers apply.
So in theory, you should have at least one cipher that is supported by the JDK in your
cipher restriction.
> Cipher attribute in the SSL Connector is ignored
> ------------------------------------------------
>
> Key: JBAS-3150
> URL: http://jira.jboss.com/jira/browse/JBAS-3150
> Project: JBoss Application Server
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: Web (Tomcat) service, Security
> Affects Versions: JBossAS-4.0.3 SP1, JBossAS-3.2.8.SP1
> Reporter: Anil Saldhana
> Assigned To: Anil Saldhana
> Fix For: JBossAS-4.0.5.GA
>
>
> Please refer to the forum thread for more information.
> Please investigate this issue.
--
This message is automatically generated by JIRA.
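As an added example (not code from the JIRA issue, JBoss or Tomcat), the following Java program models the selection rule described in the comment above, using a constructed subset of the cipher list printed there, and adds the check an operator would want: whether the configured list silently fell back to the JDK defaults, and whether NULL, anonymous or export suites ended up enabled. The class and method names are my own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class CipherRestrictionCheck {

    // Constructed sample: a subset of the JDK default suite list printed in the JIRA comment.
    // A live check would use ((SSLSocketFactory) SSLSocketFactory.getDefault()).getDefaultCipherSuites().
    static final String[] DEFAULT_SUITES = {
        "SSL_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_NULL_MD5", "SSL_DH_anon_WITH_RC4_128_MD5"
    };

    /** Requested suites (comma-separated) that the JDK actually supports, in configured order. */
    static List<String> matchRequested(String requestedCiphers, String[] supported) {
        Set<String> supportedSet = new LinkedHashSet<String>(Arrays.asList(supported));
        List<String> matches = new ArrayList<String>();
        if (requestedCiphers == null) return matches;
        for (String name : requestedCiphers.split(",")) {
            name = name.trim();
            if (supportedSet.contains(name) && !matches.contains(name)) matches.add(name);
        }
        return matches;
    }

    /** The rule from the comment: use the matches, or the whole default list if nothing matched. */
    static String[] resolveEnabledCiphers(String requestedCiphers, String[] supported) {
        List<String> matches = matchRequested(requestedCiphers, supported);
        return matches.isEmpty() ? supported.clone() : matches.toArray(new String[0]);
    }

    /** Operator-side audit: flag the silent fallback and any weak suites that it enables. */
    static void audit(String requestedCiphers) {
        boolean fellBack = matchRequested(requestedCiphers, DEFAULT_SUITES).isEmpty();
        String[] enabled = resolveEnabledCiphers(requestedCiphers, DEFAULT_SUITES);
        System.out.println("ciphers=\"" + requestedCiphers + "\" -> " + enabled.length + " enabled"
                + (fellBack ? " (WARNING: no requested suite is supported, JDK defaults applied)" : ""));
        for (String s : enabled) {
            if (s.contains("_NULL_") || s.contains("_anon_") || s.contains("_EXPORT_"))
                System.out.println("  weak suite enabled: " + s);
        }
    }

    public static void main(String[] args) {
        audit("TEST_DUMMY");                                // falls back to all defaults, weak suites flagged
        audit("TEST_DUMMY,SSL_RSA_WITH_3DES_EDE_CBC_SHA");  // restricted to the single supported suite
    }
}
```

The fallback case is the one to watch for in a deployment: a typo in the ciphers attribute does not fail the connector, it quietly enables the whole default list, NULL and anonymous suites included.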