Type: Bug
Resolution: Done
Priority: Major
Version: 7.1.0.DR7
I tried to set a custom cipher for SSL on the EAP server. I checked via Wireshark which cipher is negotiated between Chrome and the EAP server when JSSE is in place and picked that cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
First I checked that my openssl knows it:
$ openssl ciphers | grep ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
Then I set the 'openssl.TLS' protocol and enabled only the ALL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher (see 'Steps for reproduction' for more info) and performed a request to the server both from Chrome 54 and from curl; the following exception is printed in server.log:
16:48:30,721 ERROR [org.xnio.listener] (default I/O-6) XNIO001007: A channel event listener threw an exception: java.lang.IllegalStateException: Failed cypher suite ALL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
at org.wildfly.openssl.OpenSSLEngine.setEnabledCipherSuites(OpenSSLEngine.java:704)
at org.jboss.as.domain.management.security.WrapperSSLContext$WrapperSpi.setSslParams(WrapperSSLContext.java:84)
at org.jboss.as.domain.management.security.WrapperSSLContext$WrapperSpi.engineCreateSSLEngine(WrapperSSLContext.java:78)
at javax.net.ssl.SSLContext.createSSLEngine(SSLContext.java:361)
at io.undertow.protocols.ssl.UndertowAcceptingSslChannel.accept(UndertowAcceptingSslChannel.java:139)
at io.undertow.protocols.ssl.UndertowAcceptingSslChannel.accept(UndertowAcceptingSslChannel.java:56)
at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:289)
at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
Caused by: java.lang.IllegalStateException: error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command
at org.wildfly.openssl.SSLImpl.setCipherSuites0(Native Method)
at org.wildfly.openssl.SSLImpl.setCipherSuites(SSLImpl.java:423)
at org.wildfly.openssl.OpenSSLEngine.setEnabledCipherSuites(OpenSSLEngine.java:702)
... 13 more
Are the cipher names ALL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and ECDHE-RSA-AES128-GCM-SHA256 actually referring to the same cipher?
My expectation was that this configuration should work, as both the client knows this cipher (Chrome can use it when EAP is using JSSE) and my OpenSSL lists it among the available ciphers (thus I believe EAP with 'openssl.TLS' should also know it). Is there something wrong in my expectation?
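The report hinges on two naming schemes for one suite: the IANA/JSSE form (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) that Wireshark and Chrome show, and the OpenSSL form (ECDHE-RSA-AES128-GCM-SHA256) that `openssl ciphers` prints and that the openssl-backed engine hands to OpenSSL's cipher-list parser. The script below is an added example, not part of this issue or of WildFly/EAP: it translates an IANA-style name into OpenSSL's spelling with a heuristic (an assumption covering the suites in the `openssl ciphers` output above, not a complete table), and then uses Python's `ssl` module as a stand-in for the same `SSL_CTX_set_cipher_list()` path to show that the underscore form is rejected while the dashed form is accepted, and to confirm the dashed name is actually known to the local OpenSSL build.

```python
"""Translate IANA/JSSE cipher-suite names to OpenSSL names and check them.

Added example; not code from the JBEAP report or from WildFly/EAP.
Assumption: the renaming rules below are a heuristic derived from the
suite names in the report's `openssl ciphers` output, not OpenSSL's own
table, and Python's ssl module stands in for the OpenSSL cipher-list
parser that wildfly-openssl calls.
"""
import re
import ssl

# OpenSSL spellings that no simple rule produces (taken from the names in
# the `openssl ciphers` output quoted in the report).
_IRREGULAR_BULK = {"3DES_EDE_CBC_SHA": "DES-CBC3-SHA"}
_LEGACY_DHE = {"DHE_RSA": "EDH-RSA", "DHE_DSS": "EDH-DSS"}  # used with 3DES only


def iana_to_openssl(iana_name: str) -> str:
    """Heuristic IANA -> OpenSSL rename.

    Drop the TLS_ prefix and the _WITH_ marker, glue the cipher to its key
    size (AES_128 -> AES128), drop an explicit CBC marker, leave plain RSA
    key exchange implicit, and join the rest with '-'.
    """
    name = iana_name[4:] if iana_name.startswith("TLS_") else iana_name
    kx, _, bulk = name.partition("_WITH_")
    if not bulk:
        raise ValueError(f"not an IANA suite name: {iana_name!r}")

    if bulk in _IRREGULAR_BULK:
        bulk_out = _IRREGULAR_BULK[bulk]
        kx_out = _LEGACY_DHE.get(kx, kx.replace("_", "-"))
    else:
        bulk_out = re.sub(r"_(\d+)", r"\1", bulk)  # AES_128 -> AES128
        bulk_out = bulk_out.replace("_CBC", "").replace("_", "-")
        kx_out = kx.replace("_", "-")

    if kx == "RSA":  # plain RSA key exchange has no prefix in OpenSSL names
        kx_out = ""
    return f"{kx_out}-{bulk_out}" if kx_out else bulk_out


def cipher_string_accepted(cipher_string: str) -> bool:
    """Feed a cipher string to OpenSSL's parser and report whether it passes.

    This exercises SSL_CTX_set_cipher_list(), the call whose failure shows up
    in the report as SSL_CIPHER_PROCESS_RULESTR:invalid command. Underscore
    is not a legal character in an OpenSSL cipher-list token, so neither the
    IANA form nor the ALL_... variant from the report can select a cipher.
    Python reports any failure as ssl.SSLError("No cipher can be selected.").
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def openssl_cipher_names() -> set:
    """Names this OpenSSL build knows; the equivalent of `openssl ciphers`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")  # widen from Python's default list to see everything
    return {c["name"] for c in ctx.get_ciphers()}


def check_suite(iana_name: str) -> dict:
    """Summarise how one suite fares under both naming schemes."""
    openssl_name = iana_to_openssl(iana_name)
    return {
        "iana": iana_name,
        "openssl": openssl_name,
        "iana_form_accepted": cipher_string_accepted(iana_name),
        "openssl_form_accepted": cipher_string_accepted(openssl_name),
        "known_to_this_openssl": openssl_name in openssl_cipher_names(),
    }


if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"):
        print(check_suite(suite))
    # The exact string from the report, for comparison.
    print("ALL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 accepted:",
          cipher_string_accepted("ALL_ECDHE_RSA_WITH_AES_128_GCM_SHA256"))
```

Running `check_suite` for the suite in the report yields `openssl_form_accepted` true and `iana_form_accepted` false, which is the whole difference between the Wireshark name and the name the openssl engine will take. When validating a cipher configuration before deployment, the useful check is the last field: the translated name must appear in the local OpenSSL's own list, because a name the parser merely tolerates without matching anything leaves the listener with no TLS 1.2 suite selected.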
Issue links: is incorporated by JBEAP-6556 (7.1.0) Upgrade to WildFly Core 3.0.0.Alpha12 - Closed