Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-2125

[QE](7.1.z) ELY-386 - Unable to create HTTPS connection when some opnessl cipher suite with DHE are used

    XMLWordPrintable

Details

    • Hide

      1. set undertow to use some of EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA cipher suites based on openssl documentation [1]

          <https-listener name="https" enabled-cipher-suites="DHE-RSA-DES-CBC-SHA" security-realm="ciphers-test-realm" socket-binding="https"/>

      2. unable to make https connection.

      Show
      1. set undertow to use some of EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA cipher suites based on openssl documentation [1] <https-listener name= "https" enabled-cipher-suites= "DHE-RSA-DES-CBC-SHA" security-realm= "ciphers-test-realm" socket-binding= "https" /> 2. unable to make https connection.

    Description

      Can't configure OpenSSL cipher suites EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA [1] for HTTPS connection. Seems like everlasting problem DHE vs. EDH [2] - these cipher suites don't work neither in EAP6. IMHO problem is in MechanismDatabase.properties, where these DHE cipher suite are mapped to openssl EDH cipher suite what contradict openssl documentation [1]:

      SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   = alias:TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA            = alias:TLS_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       = alias:TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   = EXP-EDH-RSA-DES-CBC-SHA,DHE,RSA,DES,SHA1,SSLv3,true,EXP40,false,40,56
TLS_DHE_RSA_WITH_DES_CBC_SHA            = EDH-RSA-DES-CBC-SHA,DHE,RSA,DES,SHA1,SSLv3,false,LOW,false,56,56
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       = EDH-RSA-DES-CBC3-SHA,DHE,RSA,3DES,SHA1,SSLv3,false,HIGH,true,168,168

SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   = EXP-EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,true,EXP40,false,40,56
SSL_DHE_DSS_WITH_DES_CBC_SHA            = EDH-DSS-DES-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA       = EDH-DSS-DES-CBC3-SHA,DHE,DSS,3DES,SHA1,SSLv3,false,HIGH,true,168,168

      Note that MechanismDatabase.properties is inconsistent in mapping DHE cipher suites to openssl cipher suites, as there also exist couple of them which map DHE to DHE, for example

      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     = DHE-RSA-AES128-SHA256,DHE,RSA,AES128,SHA256,TLSv1.2,false,HIGH,true,128,128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     = DHE-RSA-AES256-SHA256,DHE,RSA,AES256,SHA256,TLSv1.2,false,HIGH,true,256,256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     = DHE-RSA-AES128-GCM-SHA256,DHE,RSA,AES128GCM,AEAD,TLSv1.2,false,HIGH,true,128,128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     = DHE-RSA-AES256-GCM-SHA384,DHE,RSA,AES256GCM,AEAD,TLSv1.2,false,HIGH,true,256,256

      In MechanismDatabase.properties is also said that

      Note that all EDH ciphers automatically get a DHE OpenSSL-style alias (and vice-versa)

      I think this JIRA contradict this comment.

      Last thing, based on [1] shouldn't be SSL_DHE_DSS_WITH_DES_CBC_SHA defined as
      SSL_DHE_DSS_WITH_DES_CBC_SHA = DHE-DSS-CBC-SHA,DHE,DSS,DES,SHA1,SSLv3,false,LOW,false,56,56
      ?

      [1] https://www.openssl.org/docs/manmaster/apps/ciphers.html#CIPHER-SUITE-NAMES
      [2] https://bugzilla.redhat.com/show_bug.cgi?id=1123304

      Attachments

        Issue Links

          incorporates

          Bug - A problem that impairs or prevents the functions of the product. ELY-386 Unable to create HTTPS connection when some opnessl cipher suite with DHE are used

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-15482 (7.1.z) Upgrade Elytron from 1.1.11.Final to 1.1.12.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-ivassile Ilia Vassilev
              mchoma@redhat.com Martin Choma
              Ondrej Kotek Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: