Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1535

CipherSuiteSelector does not know about CHACHA20_POLY1305

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.7.0.CR2
    • Component/s: SSL
    • Labels:
      None

      Description

      I was trying to be a good person and implement the Mozilla "Modern" cipher suite described here:

      https://wiki.mozilla.org/Security/Server_Side_TLS

      I'm doing this in a keycloak server. The config line there looks like

              <https-listener security-realm="ApplicationRealm"
                              enabled-protocols="SSLv2Hello,TLSv1.2"
                              enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"        
                             name="default"
                             socket-binding="httpish"
                             enable-http2="true"        
                             proxy-address-forwarding="true"        
              />
      

      But I got this:

      13:20:46,574 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.undertow.listener.default: org.jboss.msc.service.StartException in serv
      ice org.wildfly.undertow.listener.default: Failed to start service
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.IllegalArgumentException: ELY05016: Unrecognized token "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" in mechanism selection string "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
              at org.wildfly.security.ssl.CipherSuiteSelector.fromString(CipherSuiteSelector.java:423)
              at org.wildfly.extension.undertow.HttpsListenerService.startListening(HttpsListenerService.java:120)
              at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:169)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
      

      With a little digging it appears that CipherSuiteSelector doesn't know what CHACHA20 or POLY1305 are. See:

      https://github.com/wildfly-security/wildfly-elytron/blame/master/src/main/java/org/wildfly/security/ssl/CipherSuiteSelector.java

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                mmazanek Martin Mazanek
                Reporter:
                yoderme Mike Yoder
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: