Posted to users@cxf.apache.org by "Minaroviech, Jan" <Ja...@external.t-mobile.at> on 2014/10/10 21:12:50 UTC

No way to tell Jetty which ciphers to use?

Hello,

I have a non-Spring application where I try to deploy a service with SSL using Jetty. I have CXF 2.7.12.

So basically I do:

==== server code =====
TLSServerParameters tlsParams = new TLSServerParameters();
tlsParams.setKeyManagers(km);     // km: KeyManager[] built earlier
tlsParams.setTrustManagers(tm);   // tm: TrustManager[] built earlier

// this is for testing only, later you see why
FiltersType filter = new FiltersType();   // org.apache.cxf.configuration.security.FiltersType
filter.getInclude().add(".*");
filter.getExclude().add(".*_DH_anon_.*");
tlsParams.setCipherSuitesFilter(filter);

JettyHTTPServerEngineFactory factory = new JettyHTTPServerEngineFactory();
factory.setTLSServerParametersForPort(port, tlsParams);

JaxWsServerFactoryBean svrFactory = new JaxWsServerFactoryBean();
.... configuration
svrFactory.create();

==== client code =====
The problem is that when I have a CXF client (same version) whose filter is configured as
filter.getInclude().add(".*_EXPORT_.*");
filter.getInclude().add(".*_EXPORT1024_.*");
filter.getInclude().add(".*_WITH_DES_.*");
filter.getInclude().add(".*_WITH_NULL_.*");
filter.getExclude().add(".*_DH_anon_.*");

this client is unable to connect because of "no cipher suites in common".
In addition, if I try to use the same ciphers on the server side as described above for the client, I get these errors:
No available cipher suite for SSLv2Hello
No available cipher suite for SSLv3
No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2

Digging into the code I realized that lots of ciphers are supported, but the SSLContext has only approximately half of them enabled by default, and the intersection with the client-supported ones is empty :(
Btw., I had the same problem with Tomcat 7, hence I had to explicitly define the ciphers in the SSL connector.

==== server code =====
For Jetty I wanted to add the cipher suites as well, so I tried to call:
tlsParams.setCipherSuites(Arrays.asList("SSL_RSA_WITH_NULL_SHA"));

However, this seems to be misused:
In org.apache.cxf.transport.https_jetty.CXFJettySslSocketConnector.createSSLContext() there is this code:
        String[] cs =
            SSLUtils.getCiphersuites(
                    cipherSuites,
                    SSLUtils.getServerSupportedCipherSuites(context),
                    cipherSuitesFilter,
                    LOG, true);
        getCxfSslContextFactory().setExcludeCipherSuites(cs);

The first parameter, cipherSuites, contains only my SSL_RSA_WITH_NULL_SHA, and the second parameter is quite huge, containing everything I can imagine.
The problem is the implementation, which takes this path:
cipherSuites = getCiphersFromList(cipherSuitesList, log, exclude);
and effectively returns SSL_RSA_WITH_NULL_SHA as excluded instead of included. However, neither the cipherSuites field nor the method is commented, hence it's hard to say whether it was meant as an exclude filter or as a list to be forced to be used.


What I would expect somewhere in the CXF code is a call to org.eclipse.jetty.util.ssl.SslContextFactory.setIncludeCipherSuites, probably just after getCxfSslContextFactory().setExcludeCipherSuites(cs);
Then SslContextFactory.selectCipherSuites(...) would use it.
Without _includeCipherSuites set, it only uses enabledCipherSuites, which, as I explained, does not contain any cipher supported by the client.

Thank you
Best regards
Jano
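As an added illustration (not part of Jan's post and not CXF's or Jetty's code), the following stand-alone Java program shows the gap the post describes between the cipher suites a JSSE SSLContext supports and those it enables by default, and then applies the post's client-side include/exclude regexes to see whether anything is left in common with the server. The applyFilter helper is a hypothetical stand-in for CXF's FiltersType handling, and the assumption that the client filters over the supported list while the server (per the post's reading of SslContextFactory) ends up with only the default-enabled list is mine, not CXF's.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import javax.net.ssl.SSLContext;

public class CipherSuiteFilterDemo {

    /**
     * Hypothetical stand-in for a CXF-style include/exclude filter (assumption, not CXF's code):
     * a suite is kept if it matches at least one include regex and no exclude regex.
     */
    static List<String> applyFilter(String[] candidates, List<String> include, List<String> exclude) {
        List<String> kept = new ArrayList<String>();
        for (String suite : candidates) {
            boolean included = false;
            for (String re : include) {
                if (Pattern.matches(re, suite)) { included = true; break; }
            }
            if (!included) {
                continue;
            }
            boolean excluded = false;
            for (String re : exclude) {
                if (Pattern.matches(re, suite)) { excluded = true; break; }
            }
            if (!excluded) {
                kept.add(suite);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Everything the provider can do vs. what it turns on without further configuration.
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();

        Set<String> notEnabled = new LinkedHashSet<String>(Arrays.asList(supported));
        notEnabled.removeAll(Arrays.asList(enabled));
        System.out.println("supported: " + supported.length + ", enabled by default: " + enabled.length);
        System.out.println("supported but not enabled by default: " + notEnabled);

        // Client-side filter exactly as in the post, applied over the supported list (assumption).
        List<String> clientInclude = Arrays.asList(
            ".*_EXPORT_.*", ".*_EXPORT1024_.*", ".*_WITH_DES_.*", ".*_WITH_NULL_.*");
        List<String> clientExclude = Arrays.asList(".*_DH_anon_.*");
        List<String> clientSuites = applyFilter(supported, clientInclude, clientExclude);

        // Server side with the ".*" include: per the post, Jetty falls back to the
        // default-enabled suites when no include list is set on the SslContextFactory.
        List<String> serverSuites = applyFilter(enabled, Arrays.asList(".*"), Arrays.asList(".*_DH_anon_.*"));

        List<String> common = new ArrayList<String>(clientSuites);
        common.retainAll(serverSuites);
        System.out.println("client offers:  " + clientSuites);
        System.out.println("server enables: " + serverSuites.size() + " suites");
        System.out.println("in common:      " + common
            + (common.isEmpty() ? "   <- handshake fails with 'no cipher suites in common'" : ""));
    }
}
```

Run it with `javac CipherSuiteFilterDemo.java && java CipherSuiteFilterDemo`. The printed "supported but not enabled by default" set is the list the post refers to as "only approximately half of them enabled"; whatever the client's EXPORT/DES/NULL regexes select from the supported list will only be negotiable if the server explicitly puts those suites into its include list rather than relying on the defaults.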