Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-438

There is not possibility to use alternative JSSE Cipher Suite Names for IBM JDK

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 1.0.3.Final, 1.1.0.Beta8
    • None
    • SSL
    • None
      1. Use standalone.xml from attachment
      2. update path to keystore (server-cert-key-rsa.jks)
      3. update path to trust store (ca-cert.jks)

      There is not possibility to use alternative JSSE Cipher Suite Names for IBM JDK8
      Interchange TLS prefix to SSL and vice versa is not supported.

      Here is list of standard JSSE Cipher Suite Names
      http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites

      In my opinion this file is mapping file for our purpose. It is?
      https://github.com/wildfly-security/wildfly-elytron/blob/master/src/main/java/org/wildfly/security/ssl/MechanismDatabase.properties

      For IBM JDK are different JSSE Cipher Suite Names (different prefix).
      Most items from this list are missing in MechanismDatabase.properties mentioned above.
      http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/ciphersuites.html?lang=cs

      For example:
      JSSE Cipher Suite Name SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA is only defined for IBM JDK.
      It is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA for Oracle JDK.

      If I try start server with JSSE Cipher Suite Name SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA I will get this error:

      16:55:25,594 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.undertow.listener.https: org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
              at java.lang.Thread.run(Thread.java:785)
      Caused by: java.lang.IllegalArgumentException: ELY05017: Token "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA" not allowed at offset 33 of mechanism selection string "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA"
              at org.wildfly.security.ssl.CipherSuiteSelector.fromString(CipherSuiteSelector.java:399)
              at org.wildfly.extension.undertow.HttpsListenerService.startListening(HttpsListenerService.java:125)
              at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:138)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
              ... 3 more
      
      16:55:25,598 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
          ("subsystem" => "undertow"),
          ("server" => "default-server"),
          ("https-listener" => "https")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.listener.https" => "org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
          Caused by: java.lang.IllegalArgumentException: ELY05017: Token \"SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA\" not allowed at offset 33 of mechanism selection string \"SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA\""}}
      

              darran.lofthouse@redhat.com Darran Lofthouse
              hsvabek_jira Hynek Švábek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: