WFCORE-1282

Unable to create HTTPS connection using *ECDH_RSA* cipher suites / kECDHr cipher string


Details

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • Affects Version: 1.0.2.Final
    • Component: Security

Steps to Reproduce

      1. Set Undertow to use one of the ECDH_RSA cipher suites:

          <https-listener name="https" enabled-cipher-suites="ECDH-RSA-AES256-SHA" security-realm="ciphers-test-realm" socket-binding="https"/>

      or kECDHr:

          <https-listener name="https" enabled-cipher-suites="kECDHr" security-realm="ciphers-test-realm" socket-binding="https"/>

      and set the SSL realm:

          <security-realm name="ciphers-test-realm">
              <server-identities>
                  <ssl>
                      <keystore path="/home/mchoma/workspace/git-repositories/cipher-suite-testsuite/target/classes/ssl/server-cert-key-ec.jks" keystore-password="tomcat" alias="javaserver"/>
                  </ssl>
              </server-identities>
          </security-realm>

      2. Unable to make an HTTPS connection.


    Description

      A user using these cipher suites / cipher names in EAP6 won't be able to use them in EAP7.
      Setting as critical, as these cipher suites are considered strong and widely used in my opinion.
      In the server log, the error "no cipher suites in common" can be seen using -Djavax.net.debug=all.
      Note that the analogous configuration in EAP6 works fine.
      The issue can be seen on Oracle Java only, as on OpenJDK / IBM these suites are not provided by the method getDefaultCipherSuites().

      Also, is it possible to log "no cipher suites in common" and similar TLS handshake errors without -Djavax.net.debug, for better troubleshooting?
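The failure described in the report is a configuration/runtime mismatch: the listener names suites (or an OpenSSL keyword such as kECDHr) that the JVM never offers, so every handshake ends in "no cipher suites in common". The following pre-deployment check is an added example, not code from WildFly, Undertow or the reporter. It reads enabled-cipher-suites from a listener fragment, translates OpenSSL-style spellings into JSSE names, expands the kECDHr keyword, and reports which configured suites a runtime lacks. The listener fragments, the kECDHr family (a constructed subset covering the AES members only) and the two "runtime" suite lists are all constructed for the example; in practice the supported list would come from the JVM's SSLContext.getSupportedSSLParameters().getCipherSuites(). The translator also handles ECDHE/DHE AES suites beyond the single name in the report.

```python
"""Pre-deployment check for an Undertow https-listener cipher configuration.

Added example (not WildFly/Undertow code): expand enabled-cipher-suites into
JSSE names and report which of them a given runtime does not offer.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed listener fragments mirroring the two configurations in the report.
LISTENER_BY_NAME = (
    '<https-listener name="https" enabled-cipher-suites="ECDH-RSA-AES256-SHA" '
    'security-realm="ciphers-test-realm" socket-binding="https"/>'
)
LISTENER_BY_KEYWORD = (
    '<https-listener name="https" enabled-cipher-suites="kECDHr" '
    'security-realm="ciphers-test-realm" socket-binding="https"/>'
)

# Static ECDH key exchange authenticated by an RSA-signed EC certificate: the
# AES members of the family OpenSSL's kECDHr keyword selects (constructed
# subset, JSSE spelling; RFC 4492 / RFC 5289 names).
KECDHR_FAMILY = (
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
)
KEYWORDS = {"kECDHr": KECDHR_FAMILY}

# Constructed stand-ins for a JVM's supported-suite list (what
# SSLContext.getSupportedSSLParameters().getCipherSuites() would return):
# one runtime offering the static ECDH_RSA family and one that does not.
RUNTIME_WITH_ECDH_RSA = frozenset(KECDHR_FAMILY) | {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
}
RUNTIME_WITHOUT_ECDH_RSA = frozenset({
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
})

# OpenSSL spelling of the AES suites: <kx>-<auth>-AES<bits>[-GCM]-<mac>.
_OPENSSL_AES_NAME = re.compile(
    r"^(?P<kx>ECDHE?|DHE?)-(?P<auth>RSA|ECDSA|DSS)-AES(?P<bits>128|256)"
    r"(?P<gcm>-GCM)?-(?P<mac>SHA(?:256|384)?)$"
)


def to_jsse(name: str) -> str:
    """Translate one OpenSSL AES suite name to its JSSE spelling.

    JSSE names (TLS_.../SSL_...) pass through; anything this small translator
    does not understand is rejected rather than guessed.
    """
    if name.startswith(("TLS_", "SSL_")):
        return name
    m = _OPENSSL_AES_NAME.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    mode = "GCM" if m.group("gcm") else "CBC"
    return (f"TLS_{m.group('kx')}_{m.group('auth')}_WITH_AES_{m.group('bits')}"
            f"_{mode}_{m.group('mac')}")


def configured_suites(listener_xml: str) -> list[str]:
    """Expand enabled-cipher-suites (colon-separated, OpenSSL style) into JSSE names."""
    attr = ET.fromstring(listener_xml).get("enabled-cipher-suites", "")
    suites: list[str] = []
    for entry in (e.strip() for e in attr.split(":")):
        if not entry:
            continue
        if entry in KEYWORDS:
            suites.extend(KEYWORDS[entry])  # keyword: whole family
        else:
            suites.append(to_jsse(entry))   # single suite name
    return suites


def check_listener(listener_xml: str, supported: frozenset[str]) -> dict:
    """Compare the configured suites with what the runtime offers.

    An empty 'usable' list means nothing can be negotiated, which is the
    'no cipher suites in common' handshake failure from the report.
    """
    wanted = configured_suites(listener_xml)
    usable = [s for s in wanted if s in supported]
    missing = [s for s in wanted if s not in supported]
    return {"usable": usable, "missing": missing, "handshake_possible": bool(usable)}


if __name__ == "__main__":
    for label, runtime in (("with ECDH_RSA", RUNTIME_WITH_ECDH_RSA),
                           ("without ECDH_RSA", RUNTIME_WITHOUT_ECDH_RSA)):
        for listener in (LISTENER_BY_NAME, LISTENER_BY_KEYWORD):
            print(label, check_listener(listener, runtime))
```

Running the check against the "without ECDH_RSA" runtime flags both configurations from the report as unusable before the server is started, which is the moment the debug-free diagnostic the reporter asks for is most valuable; wiring the real supported list in is a matter of dumping the JVM's suites once and feeding them to check_listener.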

      Attachments

        1. client_debug_eap6.log (21 kB)
        2. client_debug_eap7.log (17 kB)
        3. server_debug_eap6.log (39 kB)
        4. server_debug_eap7.log (9 kB)
        5. server-cert-key-ec.jks (0.7 kB)

      People

        rpelisse@redhat.com Romain Pelisse
        mchoma@redhat.com Martin Choma
        Ondrej Kotek

      Votes: 0
      Watchers: 5