Mantis - Resin
Viewing Issue Advanced Details
ID: 5682
Severity: minor
Reproducibility: always
Date Submitted: 03-10-14 09:37
Last Update: 09-10-14 16:03
Reporter: alex
Assigned To: ferg
Priority: normal
Status: closed
Product Version: 4.0.38
Resolution: fixed
Projection: none
ETA: none
Fixed in Version: 4.0.41
Summary: 0005682: unknown protocol value '-all +tlsv1.1'
Reported by: Sarah Gillespie

com.caucho.vfs.OpenSSLFactory.setProtocol(): unknown protocol value '-all +tlsv1.1'

I've tried tlsv1.1, tlsv1_1 and tlsv11; it seems that Resin needs to explicitly allow the protocols, which would be tlsv1.1 and tlsv1.2.

In addition, and on a related subject, it would be really nice if Resin supported the elliptic curve tlsv1.2 ciphers with your RPMs. I believe it would just require rebuilding your RPMs on a recent version of CentOS/RHEL, which have only had support for the elliptic curve ciphers since October:

https://bugzilla.redhat.com/show_bug.cgi?id=319901

This has been in CentOS/RHEL since 6.5 (released December).


Right now we have an openssl which supports ECDH and ECDHE:

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1

ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384

And a cipher string that supports this:

AES128-SHA256:AES256-SHA256:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:AES128-GCM-SHA256:AES256-GCM-SHA384:!3DES:!KRB5:!MD5:!EXP:!PSK:!SRP:!DSS:!eNULL:!aNULL

But the server is only using the non-elliptic-curve key exchange mechanisms:

     Preferred Cipher Suite:
       AES128-SHA256 128 bits HTTP 200 OK

     Accepted Cipher Suite(s):
       AES256-SHA256 256 bits HTTP 200 OK
       AES256-GCM-SHA384 256 bits HTTP 200 OK
       AES128-SHA256 128 bits HTTP 200 OK
       AES128-GCM-SHA256 128 bits HTTP 200 OK
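
For the protocol-string error at the top of the report, here is an added example (not Resin's `OpenSSLFactory.setProtocol()` implementation) of a parser for the `-all +tlsv1.1` style of specification. The semantics are an assumption modelled on Apache mod_ssl's `SSLProtocol` directive: tokens are evaluated left to right, `+name` or a bare `name` enables, `-name` disables, `all` expands to every known version, and a specification made only of `-` tokens starts from `all`. The alias table, including the three spellings the reporter tried, is constructed here; the `insecure_versions` check is a hardening aid, not something the page describes.

```python
"""Parse an Apache mod_ssl-style TLS protocol specification ("-all +tlsv1.1 +tlsv1.2")
into the set of enabled protocol versions, rejecting unknown tokens with a message
that lists what is accepted. Added example; not Resin's implementation."""

# Constructed alias table: lower-cased spellings -> canonical version name.
# It accepts the three spellings tried in the report (tlsv1.1, tlsv1_1, tlsv11).
PROTOCOL_ALIASES = {
    "sslv2": "SSLv2",
    "sslv3": "SSLv3",
    "tlsv1": "TLSv1", "tlsv1.0": "TLSv1", "tlsv1_0": "TLSv1", "tlsv10": "TLSv1",
    "tlsv1.1": "TLSv1.1", "tlsv1_1": "TLSv1.1", "tlsv11": "TLSv1.1",
    "tlsv1.2": "TLSv1.2", "tlsv1_2": "TLSv1.2", "tlsv12": "TLSv1.2",
}
ALL_PROTOCOLS = frozenset(PROTOCOL_ALIASES.values())
# Versions that should stay disabled on a server: no longer considered safe.
INSECURE_PROTOCOLS = frozenset({"SSLv2", "SSLv3"})


class ProtocolSpecError(ValueError):
    """Raised for an empty specification or an unrecognised protocol token."""


def parse_protocol_spec(spec):
    """Return the frozenset of versions enabled by `spec`.

    Semantics (assumed, modelled on mod_ssl's SSLProtocol): tokens are evaluated
    left to right; "+name" or "name" enables, "-name" disables, "all" means every
    known version. The starting set is empty unless every token is a removal,
    in which case it starts from "all" so that "-sslv3" reads as "all but SSLv3".
    """
    tokens = spec.split()
    if not tokens:
        raise ProtocolSpecError("empty protocol specification")
    enabled = set(ALL_PROTOCOLS) if all(t.startswith("-") for t in tokens) else set()
    for token in tokens:
        op, name = "+", token
        if token[0] in "+-":
            op, name = token[0], token[1:]
        key = name.lower()
        if key == "all":
            versions = ALL_PROTOCOLS
        elif key in PROTOCOL_ALIASES:
            versions = {PROTOCOL_ALIASES[key]}
        else:
            known = ", ".join(sorted(ALL_PROTOCOLS))
            raise ProtocolSpecError(
                f"unknown protocol value {name!r} in {spec!r} (known: all, {known})")
        if op == "+":
            enabled |= versions
        else:
            enabled -= versions
    return frozenset(enabled)


def insecure_versions(enabled):
    """Versions in `enabled` that a hardening check should flag."""
    return frozenset(enabled & INSECURE_PROTOCOLS)


if __name__ == "__main__":
    for spec in ("-all +tlsv1.1", "-all +tlsv1_1 +tlsv12", "-sslv2 -sslv3", "-all +tlsv1.1x"):
        try:
            versions = parse_protocol_spec(spec)
            print(f"{spec!r} -> {sorted(versions)} insecure={sorted(insecure_versions(versions))}")
        except ProtocolSpecError as exc:
            print(f"{spec!r} -> rejected: {exc}")
```

Rejecting an unknown token with the list of accepted names, rather than silently ignoring it, is the behaviour a configuration parser should have: a typo in a protocol restriction otherwise leaves the server running with whatever default it had.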

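The mismatch the report shows (EECDH suites in the cipher string, only RSA key exchange actually negotiated) can be checked mechanically. The following is an added example, not Resin's or Caucho's code. Its inputs are constructed from the report: `openssl ciphers -v` style lines for a subset of the elliptic-curve suites listed above plus the four RSA suites the scan accepted, the cipher string from the report joined back into one line, and a copy of the quoted scanner output. The scanner line format (`NAME bits HTTP 200 OK`) is taken from the report; the cipher-string check is a token match, not OpenSSL's own expansion of the string.

```python
"""Audit a TLS scan against the server's OpenSSL cipher configuration.
Added example (not Resin's code): which negotiated suites use an ephemeral key
exchange, and whether the cipher string asked for one that was never negotiated."""
import re

# Constructed: `openssl ciphers -v` style lines (EC suites from the report plus the
# four RSA-key-exchange suites the scan actually negotiated).
OPENSSL_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
"""

# The cipher string from the report, joined back into one line.
CIPHER_STRING = ("AES128-SHA256:AES256-SHA256:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:"
                 "EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
                 "EECDH+aRSA+RC4:EECDH:EDH+aRSA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
                 "!3DES:!KRB5:!MD5:!EXP:!PSK:!SRP:!DSS:!eNULL:!aNULL")

# Constructed copy of the scanner output quoted in the report.
SCAN_OUTPUT = """\
     Preferred Cipher Suite:
       AES128-SHA256 128 bits HTTP 200 OK

     Accepted Cipher Suite(s):
       AES256-SHA256 256 bits HTTP 200 OK
       AES256-GCM-SHA384 256 bits HTTP 200 OK
       AES128-SHA256 128 bits HTTP 200 OK
       AES128-GCM-SHA256 128 bits HTTP 200 OK
"""

_CIPHER_V = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")
_SCAN_LINE = re.compile(r"^\s*(\S+)\s+(\d+) bits\b")
# Ephemeral key exchange as printed by openssl; static ECDH appears as
# "ECDH/RSA" or "ECDH/ECDSA" and does not provide forward secrecy.
_EPHEMERAL_KX = {"ECDH", "DH"}


def parse_openssl_ciphers_v(text):
    """Map suite name -> fields parsed from `openssl ciphers -v` output."""
    table = {}
    for line in text.splitlines():
        m = _CIPHER_V.match(line.strip())
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            table[name] = {"proto": proto, "kx": kx, "au": au, "enc": enc, "mac": mac}
    return table


def provides_forward_secrecy(kx):
    return kx in _EPHEMERAL_KX


def parse_scan_output(text):
    """Split the scanner output into preferred and accepted suite names."""
    result = {"preferred": [], "accepted": []}
    section = None
    for line in text.splitlines():
        if "Preferred Cipher Suite" in line:
            section = "preferred"
        elif "Accepted Cipher Suite" in line:
            section = "accepted"
        elif section:
            m = _SCAN_LINE.match(line)
            if m:
                result[section].append(m.group(1))
    return result


def cipher_string_requests_ephemeral(cipher_string):
    """True if a non-excluded component of the cipher string asks for an ephemeral
    key exchange (EECDH/ECDHE or EDH/DHE). Token check only, not OpenSSL's expansion."""
    for component in cipher_string.split(":"):
        if component.startswith("!"):
            continue
        if component.startswith(("ECDHE-", "DHE-")):
            return True
        if set(component.lstrip("+-").split("+")) & {"EECDH", "ECDHE", "kEECDH", "EDH", "DHE", "kEDH"}:
            return True
    return False


def audit(cipher_string, accepted, table):
    """Compare what the server was configured to offer with what it negotiated."""
    fs, static, unknown = [], [], []
    for name in accepted:
        entry = table.get(name)
        if entry is None:
            unknown.append(name)
        elif provides_forward_secrecy(entry["kx"]):
            fs.append(name)
        else:
            static.append(name)
    requested = cipher_string_requests_ephemeral(cipher_string)
    return {
        "ephemeral_requested": requested,
        "forward_secrecy": fs,
        "static_key_exchange": static,
        "unknown": unknown,
        # The finding in the report: ECDHE is in the cipher string, nothing ECDHE negotiated.
        "configured_but_not_negotiated": requested and not fs,
    }


if __name__ == "__main__":
    scan = parse_scan_output(SCAN_OUTPUT)
    report = audit(CIPHER_STRING, scan["accepted"], parse_openssl_ciphers_v(OPENSSL_CIPHERS_V))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the report's data, `configured_but_not_negotiated` comes out true and `forward_secrecy` is empty: every accepted suite has `Kx=RSA`. That is the check to re-run after any fix (a rebuilt OpenSSL, a different cipher string or a new Resin version) to confirm an ECDHE suite is actually being selected rather than merely listed.
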
Notes

(0006507) ferg, 09-10-14 16:03:
network/040c