Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 2.3.0.Final, 2.3.0.Beta1, 2.2.20.Final
Affects Version/s: None
Component/s: None
Labels:
None

Git Pull Request:
https://github.com/undertow-io/undertow/pull/1368, https://github.com/undertow-io/undertow/pull/1376

I noticed on a request where my cipher suite was

TLS_AES_128_GCM_SHA256

the key size was being reported as 0. The default method implementation for `calculateKeySize(String cipherSuite)` in the SSLSessionInfo doesn't appear to account for all possible cipher suites, thus the default value is simply 0.

Furthermore, this link from the java doc comment is now a dead link:

     * <p>
     * http://www.thesprawl.org/research/tls-and-ssl-cipher-suites/
     * </p>

Here is a list of all possible ciphers

https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

The big issue seems to be that not all cipher suites have the word "WITH_" in them. For example, if Undertow was checking for just "AES_128" and not "WITH_AES_128_", it would have matched my cipher suite.

is caused by

UNDERTOW-29 HttpServletRequest is missing javax.servlet.request.* attributes when request is secure

Resolved

is incorporated by

WFCORE-6057 Upgrade Undertow to 2.3.0.Final (CVE-2022-2764)

Closed

WFLY-17017 Upgrade Undertow to 2.3.0.Beta1

Closed

WFCORE-6056 Upgrade Undertow to 2.3.0.Beta1

Closed

WFLY-17107 Upgrade Undertow legacy to 2.2.20.Final

Closed

is related to

UNDERTOW-1787 Issues when undertow is setup behind apache proxy

Resolved

(1 is related to)

Assignee:: Bartosz Baranowski

Reporter:: Brad Wood

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2022/08/03 9:16 PM

Updated:: 2022/11/06 12:31 PM

Resolved:: 2022/09/17 10:43 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates

Hide