  1. WildFly Elytron
  2. ELY-793

Using @STRENGTH keyword in CipherSuiteSelector.fromString should cause descending sorting

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.1.0.Beta14
    • Fix Version/s: 1.7.0.CR1
    • Component/s: SSL
    • Labels:
      None
    • Steps to Reproduce:
          private static final String[] SUPPORTED_SUITES = new String[] {
              "TLS_RSA_WITH_AES_128_CBC_SHA256",
              "TLS_RSA_WITH_NULL_SHA256",
              "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
              "TLS_ECDH_anon_WITH_NULL_SHA"};
      
          @Test
          public void testStrengthForComplementofallAndAll() {
              CipherSuiteSelector selector = CipherSuiteSelector.fromString("COMPLEMENTOFALL ALL @STRENGTH");
              List<String> selectedSuites = Arrays.asList(selector.evaluate(SUPPORTED_SUITES));
      
              assertThat("All supported suites should be selected", selectedSuites.size() == SUPPORTED_SUITES.length);
              assertThat("High strength suites should be at the beginning", selectedSuites.get(0), is("TLS_RSA_WITH_AES_128_CBC_SHA256"));
          }

      Description

      Using the @STRENGTH keyword in CipherSuiteSelector.fromString should cause descending sorting of cipher suites, like OpenSSL does, e.g. openssl ciphers -v 'ALL:!ADH:@STRENGTH'. There is a comparator in SortByAlgorithmKeyLengthCipherSuiteSelector [1].

      Or am I wrong? Are cipher suites in javax.net.ssl.SSLParameters expected in ascending order? (Does it matter?) Will the OpenSSL provider expect ascending order? (Or will it parse the cipher string itself?)

      The JavaDoc [2] should mention whether the sorting is ascending or descending.

      [1] https://github.com/wildfly-security/wildfly-elytron/blob/7666231fa76b95c3c97eed0d16968a5f77a7de22/src/main/java/org/wildfly/security/ssl/CipherSuiteSelector.java#L730
      [2] https://github.com/wildfly-security/wildfly-elytron/blob/7666231fa76b95c3c97eed0d16968a5f77a7de22/src/main/java/org/wildfly/security/ssl/CipherSuiteSelector.java#L356
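
The ordering this ticket asks for, as an added example (not Elytron's code and not part of the original report): a stable descending sort by symmetric key size over the ticket's four suites, plus a guard that fails if strength ever increases along the list. The class `StrengthOrderExample` and its `keyBits` name parsing are hypothetical and are not how Elytron determines strength.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class StrengthOrderExample {
    // Assumption: the key size is the number between underscores, e.g. AES_128_CBC.
    private static final Pattern KEY_BITS = Pattern.compile("_(\\d+)_");

    // Hypothetical helper: symmetric key size in bits, read from the suite name.
    static int keyBits(String suite) {
        if (suite.contains("_NULL_")) return 0; // integrity only, no encryption
        Matcher m = KEY_BITS.matcher(suite);
        if (m.find()) return Integer.parseInt(m.group(1));
        // Refuse to rank a suite whose strength cannot be read from its name.
        throw new IllegalArgumentException("unknown key size: " + suite);
    }

    // List.sort is stable, so suites of equal strength keep their input order.
    static List<String> sortByStrength(String[] suites) {
        List<String> sorted = new ArrayList<>(Arrays.asList(suites));
        Comparator<String> byBits = Comparator.comparingInt(StrengthOrderExample::keyBits);
        sorted.sort(byBits.reversed());
        return sorted;
    }

    // Guard for a unit test or startup check: strength must never increase.
    static boolean isDescending(List<String> suites) {
        for (int i = 1; i < suites.size(); i++) {
            if (keyBits(suites.get(i - 1)) < keyBits(suites.get(i))) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String[] supported = { // SUPPORTED_SUITES from the steps to reproduce
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_WITH_NULL_SHA256",
            "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
            "TLS_ECDH_anon_WITH_NULL_SHA"};
        List<String> sorted = sortByStrength(supported);
        sorted.forEach(s -> System.out.println(keyBits(s) + "\t" + s));
        if (!isDescending(sorted) || !sorted.get(0).equals("TLS_RSA_WITH_AES_128_CBC_SHA256"))
            throw new AssertionError("strongest suite is not first");
    }
}
```

An ascending sort would put the two NULL suites at the head of this list, which is why the direction of @STRENGTH matters wherever list order is treated as preference order.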

              People

              • Assignee:
                jucook Justin Cook
              • Reporter:
                okotek Ondrej Kotek