| Anonymous | Login | Signup for a new account | 04-19-2024 04:24 PDT |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0006067 | [Resin] | minor | always | 07-05-17 05:30 | 07-05-17 15:20 | ||||
| Reporter | stbu | View Status | public | ||||||
| Assigned To | ferg | ||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | Product Version | 4.0.53 | ||||||
| Summary | 0006067: JSSE-SSL: <honor-cipher-order> ignored | ||||||||
| Description |
With Caucho Resin 4.0.46 the support for honor-cipher-order in <jsse-ssl> has been added (0005939). This feature requires JDK 1.8, but it hasn't been working although I am running JDK 1.8 with the JCE Unlimited Strength Jurisdiction Policy Files: <http address="*" port="${https_port}"> <jsse-ssl> <key-store-file>XXX</key-store-file> <password>XXX</password> <protocol>TLSv1,TLSv1.1,TLSv1.2</protocol> <cipher-suites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</cipher-suites> <honor-cipher-order>true</honor-cipher-order> </jsse-ssl> </http> It can be tested by entering such configured site in for example the SSL Labs tool (https://www.ssllabs.com/ssltest/analyze.html) [^] or with the very nice Bash script from https://testssl.sh/ [^] In SSL Labs you'll see on the "Cipher Suites" Section: # TLS 1.2 (server has no preference) Or for example when downloading https://testssl.sh/testssl.sh [^] user@host $ ./testssl.sh -P localhost:8443 .. Testing server preferences Has server cipher order? nope (NOT ok) Negotiated protocol TLSv1.2 Negotiated cipher ECDHE-RSA-AES256-GCM-SHA384, 521 bit ECDH (limited sense as client will pick) Negotiated cipher per proto (limited sense as client will pick) ECDHE-RSA-AES256-SHA: TLSv1, TLSv1.1 ECDHE-RSA-AES256-GCM-SHA384: TLSv1.2 No further cipher order check has been done as order is determined by the client |
||||||||
| Additional Information |
I have a bugfix for this that requires just one additional line in "com/caucho/vfs/JsseSSLFactory.java" in Method "setHonorCipherOrder(SSLServerSocket serverSocket)" Below is this method with my addition (see comment // Crucial, otherwise no effect) private void setHonorCipherOrder(SSLServerSocket serverSocket) { if (_isHonorCipherOrder == null) return; if (_honorCipherOrderMethod == null) return; try { SSLParameters params = (SSLParameters) _getSSLParametersMethod.invoke(serverSocket); _honorCipherOrderMethod.invoke(params, _isHonorCipherOrder); serverSocket.setSSLParameters(params); // Crucial, otherwise no effect log.log(Level.FINER, L.l("setting honor-cipher-order {0}", _isHonorCipherOrder)); } catch (Throwable t) { log.log(Level.WARNING, t.getMessage(), t); } } See also: https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html [^] "SSLParameters can be applied to a connection via the methods ... and SSLServerSocket.setSSLParameters() and ..." With this fix, the server cipher order is working: user@host $ ./testssl.sh -P localhost:8443 .. Testing server preferences Has server cipher order? yes (OK) Negotiated protocol TLSv1.2 Negotiated cipher ECDHE-RSA-AES128-GCM-SHA256, 521 bit ECDH Cipher order TLSv1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA TLSv1.1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA TLSv1.2: ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 |
||||||||
| Attached Files | |||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0006761) ferg 07-05-17 15:20 |
network/0532 |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 07-05-17 05:30 | stbu | New Issue | |
| 07-05-17 05:30 | stbu | Issue Monitored: stbu | |
| 07-05-17 07:08 | paru | Issue Monitored: paru | |
| 07-05-17 15:20 | ferg | Note Added: 0006761 | |
| 07-05-17 15:20 | ferg | Assigned To | => ferg |
| 07-05-17 15:20 | ferg | Status | new => closed |
| 07-05-17 15:20 | ferg | Resolution | open => fixed |
| 07-05-17 15:20 | ferg | Fixed in Version | => 4.0.54 |
| Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
33 total queries executed. 28 unique queries executed. |  |
