[jboss-jira] [JBoss JIRA] (ELY-647) MechanismDatabase create SSL_ aliases incompletely

Jan Kalina (JIRA) issues at jboss.org
Wed Sep 28 14:32:01 EDT 2016 

     [ https://issues.jboss.org/browse/ELY-647?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina updated ELY-647:
---------------------------
    Description: 
SSL MechanismDatabase should create alias for every TLS_* from SSL_*. It create them only for direct entries, not for other aliases.

MechanismDatabase.properties contains for example:


{code:java}
TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA      = alias:TLS_RSA_WITH_3DES_EDE_CBC_SHA
{code}

The TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA works ok, but SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA doesnt.

  was:
There is not possibility to use alternative JSSE Cipher Suite Names for IBM JDK8
Interchange TLS prefix to SSL and vice versa is not supported.

Here is list of standard JSSE Cipher Suite Names
http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites

In my opinion this file is mapping file for our purpose. It is?
https://github.com/wildfly-security/wildfly-elytron/blob/master/src/main/java/org/wildfly/security/ssl/MechanismDatabase.properties

For IBM JDK are different JSSE Cipher Suite Names (different prefix).
Most items from this list are missing in MechanismDatabase.properties mentioned above.
http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/ciphersuites.html?lang=cs

For example:
JSSE Cipher Suite Name *SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA* is only defined for IBM JDK.
It is *TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA* for Oracle JDK.


If I try start server with JSSE Cipher Suite Name *SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA* I will get this error:
{code}
16:55:25,594 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.undertow.listener.https: org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.lang.Thread.run(Thread.java:785)
Caused by: java.lang.IllegalArgumentException: ELY05017: Token "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA" not allowed at offset 33 of mechanism selection string "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA"
        at org.wildfly.security.ssl.CipherSuiteSelector.fromString(CipherSuiteSelector.java:399)
        at org.wildfly.extension.undertow.HttpsListenerService.startListening(HttpsListenerService.java:125)
        at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:138)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
        ... 3 more

16:55:25,598 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "undertow"),
    ("server" => "default-server"),
    ("https-listener" => "https")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.listener.https" => "org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
    Caused by: java.lang.IllegalArgumentException: ELY05017: Token \"SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA\" not allowed at offset 33 of mechanism selection string \"SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA\""}}
{code}



> MechanismDatabase create SSL_ aliases incompletely
> --------------------------------------------------
>
>                 Key: ELY-647
>                 URL: https://issues.jboss.org/browse/ELY-647
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Blocker
>
> SSL MechanismDatabase should create alias for every TLS_* from SSL_*. It create them only for direct entries, not for other aliases.
> MechanismDatabase.properties contains for example:
> {code:java}
> TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA      = alias:TLS_RSA_WITH_3DES_EDE_CBC_SHA
> {code}
> The TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA works ok, but SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA doesnt.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list