Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2495

ConfiguredSSL(Server)SocketFactory method getDefaultCipherSuites returns incorrect list of ciphers

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Major Major
    • None
    • 1.15.14.Final, 1.20.2.Final, 2.0.0.Final
    • SSL
    • None
    • Hide

      Create a simple java like the one in the description and check that announced default ciphers in the factory are different to the ones really set in the final socket.

      Show
      Create a simple java like the one in the description and check that announced default ciphers in the factory are different to the ones really set in the final socket.

      The classes ConfiguredSSL(Server)SocketFactory in the method getDefaultCipherSuites currently call the delegated factory to return the list of ciphers (for example ConfiguredSSLSocketFactory extends AbstractDelegatingSSLServerSocketFactory which implements this method). This implementation results in something like this:

      SSLContext sslContext = new SSLContextBuilder().setCipherSuiteSelector(CipherSuiteSelector.fromString("AES256-SHA256")).build().create();
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
System.err.println("Default ciphers in factory=" + Arrays.toString(sslSocketFactory.getDefaultCipherSuites()));
SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket();
System.err.println("Actual ciphers in socket=" + Arrays.toString(sslSocket.getEnabledCipherSuites()));

      The output for that is:

      Default ciphers in factory=[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Actual ciphers in socket=[TLS_RSA_WITH_AES_256_CBC_SHA256]

      So the factory is not returning the list of cipher suites which are enabled by default, the final socket is created with a different list of enabled ciphers than the ones stated by the factory. This is because the ciphers in socket are limited by the internal configurator while the default ciphers list is not.

      This is triggering a complicated issue in JBEAP-24221.

            rhn-support-rmartinc Ricardo Martin Camarero
            rhn-support-rmartinc Ricardo Martin Camarero
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: