Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.1.6.CR1, 7.1.6.GA
Affects Version/s: 7.0.0.ER2 (Beta)
Component/s: Security
Labels:
- test_included

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.z.GA
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/1201
Steps to Reproduce:
Hide

1. set undertow to use some of EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA cipher suites based on openssl documentation [1]

<https-listener name="https" enabled-cipher-suites="DHE-RSA-DES-CBC-SHA" security-realm="ciphers-test-realm" socket-binding="https"/>

2. unable to make https connection.
Show
1. set undertow to use some of EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA cipher suites based on openssl documentation [1] <https-listener name= "https" enabled-cipher-suites= "DHE-RSA-DES-CBC-SHA" security-realm= "ciphers-test-realm" socket-binding= "https" /> 2. unable to make https connection.

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Can't configure OpenSSL cipher suites EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA [1] for HTTPS connection. Seems like everlasting problem DHE vs. EDH [2] - these cipher suites don't work neither in EAP6. IMHO problem is in MechanismDatabase.properties, where these DHE cipher suite are mapped to openssl EDH cipher suite what contradict openssl documentation [1]:

SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   = alias:TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA            = alias:TLS_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       = alias:TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   = EXP-EDH-RSA-DES-CBC-SHA,DHE,RSA,DES,SHA1,SSLv3,true,EXP40,false,40,56
TLS_DHE_RSA_WITH_DES_CBC_SHA            = EDH-RSA-DES-CBC-SHA,DHE,RSA,DES,SHA1,SSLv3,false,LOW,false,56,56
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       = EDH-RSA-DES-CBC3-SHA,DHE,RSA,3DES,SHA1,SSLv3,false,HIGH,true,168,168

SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   = EXP-EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,true,EXP40,false,40,56
SSL_DHE_DSS_WITH_DES_CBC_SHA            = EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       = EDH-DSS-DES-CBC3-SHA,DHE,DSS,3DES,SHA1,SSLv3,false,HIGH,true,168,168

Note that MechanismDatabase.properties is inconsistent in mapping DHE cipher suites to openssl cipher suites, as there also exist couple of them which map DHE to DHE, for example

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     = DHE-RSA-AES128-SHA256,DHE,RSA,AES128,SHA256,TLSv1.2,false,HIGH,true,128,128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     = DHE-RSA-AES256-SHA256,DHE,RSA,AES256,SHA256,TLSv1.2,false,HIGH,true,256,256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     = DHE-RSA-AES128-GCM-SHA256,DHE,RSA,AES128GCM,AEAD,TLSv1.2,false,HIGH,true,128,128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     = DHE-RSA-AES256-GCM-SHA384,DHE,RSA,AES256GCM,AEAD,TLSv1.2,false,HIGH,true,256,256

In MechanismDatabase.properties is also said that

Note that all EDH ciphers automatically get a DHE OpenSSL-style alias (and vice-versa)

I think this JIRA contradict this comment.

Last thing, based on [1] shouldn't be SSL_DHE_DSS_WITH_DES_CBC_SHA defined as
SSL_DHE_DSS_WITH_DES_CBC_SHA = DHE-DSS-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
?

[1] https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-SUITE-NAMES
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1123304

incorporates

ELY-386 Unable to create HTTPS connection when some opnessl cipher suite with DHE are used

Resolved

is incorporated by

JBEAP-15482 (7.1.z) Upgrade Elytron from 1.1.11.Final to 1.1.12.Final

Closed

Assignee:: Ilia Vassilev

Reporter:: Martin Choma

Tester:: Ondrej Kotek

QA Contact:: Ondrej Kotek

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2015/12/03 3:44 AM

Updated:: 2021/10/07 5:56 PM

Resolved:: 2018/11/28 9:57 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates