WildFly Core / WFCORE-1282

Unable to create HTTPS connection using *ECDH_RSA* cipher suites / kECDHr cipher string


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • Version: 1.0.2.Final
    • Component: Security

      1. set Undertow to use some of the ECDH_RSA cipher suites

          <https-listener name="https" enabled-cipher-suites="ECDH-RSA-AES256-SHA" security-realm="ciphers-test-realm" socket-binding="https"/>
      

      or the kECDHr cipher string

          <https-listener name="https" enabled-cipher-suites="kECDHr" security-realm="ciphers-test-realm" socket-binding="https"/>
      

      and set the SSL realm

          <security-realm name="ciphers-test-realm">
              <server-identities>
                  <ssl>
                      <keystore path="/home/mchoma/workspace/git-repositories/cipher-suite-testsuite/target/classes/ssl/server-cert-key-ec.jks" keystore-password="tomcat" alias="javaserver"/>
                  </ssl>
              </server-identities>
          </security-realm>
      

      2. unable to make an HTTPS connection.


      Users using these cipher suites / this cipher name in EAP6 won't be able to use them in EAP7.
      Setting as critical, as these cipher suites are considered strong and widely used, in my opinion.
      In the server log, the error "no cipher suites in common" can be seen using -Djavax.net.debug=all.
      Note that the analogous configuration in EAP6 works fine.
      The issue can be seen on Oracle Java only, as on OpenJDK / IBM these suites are not provided by the getDefaultCipherSuites() method.

      Also, is it possible to log "no cipher suites in common" and similar TLS handshake errors without -Djavax.net.debug, for better troubleshooting?
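      The following diagnostic is an added example for this issue; it is not code from the report or from WildFly/Undertow. ECDH-RSA-AES256-SHA is the OpenSSL name of the JSSE suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, and a static ECDH_RSA suite (OpenSSL kECDHr) can only be served by a certificate whose public key is EC and whose signature is RSA, which JSSE asks its X509KeyManager for under the key type "EC_RSA". If the EC certificate in the keystore is, for example, self-signed with ECDSA, JSSE finds no usable alias for that family and drops those suites before the handshake, so the client sees "no cipher suites in common" whatever the JVM enables by default. The program below reports both halves of that decision for the JVM it runs on: which TLS_ECDH_RSA_* suites are enabled by default or merely supported, and which JSSE key types the keystore alias can actually serve. The keystore path, password and alias are taken from the command line; the class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/**
 * Added diagnostic (not WildFly/Undertow code).
 * Usage: java CipherSuiteCheck <keystore.jks> <password> <alias>
 */
public class CipherSuiteCheck {

    // Key types as passed to X509KeyManager.chooseServerAlias (JSSE convention):
    //   "RSA"    -> RSA, DHE_RSA and ECDHE_RSA key exchange (RSA key)
    //   "EC"     -> ECDHE_ECDSA (EC key)
    //   "EC_RSA" -> static ECDH_RSA, OpenSSL kECDHr (EC key, certificate signed with RSA)
    //   "EC_EC"  -> static ECDH_ECDSA, OpenSSL kECDHe (EC key, certificate signed with ECDSA)
    private static final String[] KEY_TYPES = {"RSA", "EC", "EC_RSA", "EC_EC"};

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java CipherSuiteCheck <keystore.jks> <password> <alias>");
            System.exit(2);
        }
        String path = args[0];
        char[] password = args[1].toCharArray();
        String alias = args[2];

        // 1. What this JVM offers: the list WildFly filters with enabled-cipher-suites.
        SSLContext ctx = SSLContext.getDefault();
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        System.out.printf("JVM: %s %s%n",
                System.getProperty("java.vendor"), System.getProperty("java.version"));
        System.out.println("TLS_ECDH_RSA_* suites enabled by default:");
        enabled.stream()
               .filter(s -> s.startsWith("TLS_ECDH_RSA_"))
               .forEach(s -> System.out.println("  " + s));
        System.out.println("TLS_ECDH_RSA_* suites supported but NOT enabled by default:");
        supported.stream()
                 .filter(s -> s.startsWith("TLS_ECDH_RSA_") && !enabled.contains(s))
                 .forEach(s -> System.out.println("  " + s));

        // 2. What the server identity can serve: key algorithm and certificate signature.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) {
            throw new IllegalStateException("no X.509 certificate under alias " + alias);
        }
        X509Certificate cert = (X509Certificate) c;
        System.out.printf("alias %s: public key %s, certificate signed with %s%n",
                alias, cert.getPublicKey().getAlgorithm(), cert.getSigAlgName());

        // 3. Ask JSSE directly, per key type, whether it would select this keystore for a server.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager km = null;
        for (KeyManager k : kmf.getKeyManagers()) {
            if (k instanceof X509KeyManager) {
                km = (X509KeyManager) k;
                break;
            }
        }
        if (km == null) {
            throw new IllegalStateException("no X509KeyManager available");
        }
        for (String keyType : KEY_TYPES) {
            String chosen = km.chooseServerAlias(keyType, null, null);
            System.out.printf("  key type %-6s -> %s%n", keyType,
                    chosen == null ? "(no usable alias: suites of this family are dropped)" : chosen);
        }
    }
}
```

      Run it with the same JDK that starts WildFly, e.g. `javac CipherSuiteCheck.java && java CipherSuiteCheck server-cert-key-ec.jks tomcat javaserver`, once per JDK vendor to compare what Oracle Java and OpenJDK enable. A server that lists TLS_ECDH_RSA_* as enabled but reports no alias for key type EC_RSA will fail the handshake exactly as described in the report. For the logging question, `-Djavax.net.debug=ssl:handshake` is the narrower JSSE switch that still shows the cipher-suite negotiation without the full `all` output.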

      Attachments:
        1. client_debug_eap6.log (21 kB)
        2. client_debug_eap7.log (17 kB)
        3. server_debug_eap6.log (39 kB)
        4. server_debug_eap7.log (9 kB)
        5. server-cert-key-ec.jks (0.7 kB)

            Romain Pelisse (rpelisse@redhat.com)
            Martin Choma (mchoma@redhat.com)
            Ondrej Kotek
            Votes: 0
            Watchers: 5
