Mantis Bugtracker
  

Viewing Issue Advanced Details Jump to Notes ] View Simple ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0006067 [Resin] minor always 07-05-17 05:30 07-05-17 15:20
Reporter stbu View Status public  
Assigned To ferg
Priority normal Resolution fixed Platform
Status closed   OS
Projection none   OS Version
ETA none Fixed in Version 4.0.54 Product Version 4.0.53
  Product Build
Summary 0006067: JSSE-SSL: <honor-cipher-order> ignored
Description With Caucho Resin 4.0.46 the support for honor-cipher-order in <jsse-ssl> has been added (0005939).
This feature requires JDK 1.8, but it hasn't been working although I am running JDK 1.8 with the JCE Unlimited Strength Jurisdiction Policy Files:

      <http address="*" port="${https_port}">
        <jsse-ssl>
          <key-store-file>XXX</key-store-file>
          <password>XXX</password>
          <protocol>TLSv1,TLSv1.1,TLSv1.2</protocol>
          <cipher-suites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</cipher-suites>
          <honor-cipher-order>true</honor-cipher-order>
        </jsse-ssl>
      </http>

It can be tested by entering such configured site in for example the SSL Labs tool (https://www.ssllabs.com/ssltest/analyze.html) [^] or with the very nice Bash script from https://testssl.sh/ [^]

In SSL Labs you'll see on the "Cipher Suites" Section:
# TLS 1.2 (server has no preference)

Or for example when downloading https://testssl.sh/testssl.sh [^]
user@host $ ./testssl.sh -P localhost:8443
..
 Testing server preferences

 Has server cipher order? nope (NOT ok)
 Negotiated protocol TLSv1.2
 Negotiated cipher ECDHE-RSA-AES256-GCM-SHA384, 521 bit ECDH (limited sense as client will pick)
 Negotiated cipher per proto (limited sense as client will pick)
     ECDHE-RSA-AES256-SHA: TLSv1, TLSv1.1
     ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2
 No further cipher order check has been done as order is determined by the client
Steps To Reproduce
Additional Information I have a bugfix for this that requires just one additional line in "com/caucho/vfs/JsseSSLFactory.java" in Method "setHonorCipherOrder(SSLServerSocket serverSocket)"

Below is this method with my addition (see comment // Crucial, otherwise no effect)

  private void setHonorCipherOrder(SSLServerSocket serverSocket)
  {
    if (_isHonorCipherOrder == null)
      return;

    if (_honorCipherOrderMethod == null)
      return;

    try {
      SSLParameters params
        = (SSLParameters) _getSSLParametersMethod.invoke(serverSocket);

      _honorCipherOrderMethod.invoke(params, _isHonorCipherOrder);
      serverSocket.setSSLParameters(params); // Crucial, otherwise no effect

      log.log(Level.FINER, L.l("setting honor-cipher-order {0}",
                               _isHonorCipherOrder));
    } catch (Throwable t) {
      log.log(Level.WARNING, t.getMessage(), t);
    }
  }
  
  
  
See also:
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html [^]
"SSLParameters can be applied to a connection via the methods ... and SSLServerSocket.setSSLParameters() and ..."



With this fix, the server cipher order is working:

user@host $ ./testssl.sh -P localhost:8443
..
 Testing server preferences

 Has server cipher order? yes (OK)
 Negotiated protocol TLSv1.2
 Negotiated cipher ECDHE-RSA-AES128-GCM-SHA256, 521 bit ECDH
 Cipher order
    TLSv1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA
    TLSv1.1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA
    TLSv1.2: ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256
Attached Files

- Relationships

- Notes
(0006761)
ferg
07-05-17 15:20

network/0532
 

- Issue History
Date Modified Username Field Change
07-05-17 05:30 stbu New Issue
07-05-17 05:30 stbu Issue Monitored: stbu
07-05-17 07:08 paru Issue Monitored: paru
07-05-17 15:20 ferg Note Added: 0006761
07-05-17 15:20 ferg Assigned To  => ferg
07-05-17 15:20 ferg Status new => closed
07-05-17 15:20 ferg Resolution open => fixed
07-05-17 15:20 ferg Fixed in Version  => 4.0.54


Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
33 total queries executed.
28 unique queries executed.
Powered by Mantis Bugtracker