Posted to users@cxf.apache.org by "Bc. Jiří Mikulášek" <ji...@aura.cz> on 2007/12/13 14:47:56 UTC

bug in sec:include / exclude ?

Hi,
I am using 2.0.2 and found strange behaviour:

example:

<sec:include>.*_WITH_RC4_.*</sec:include>
<sec:exclude>.*_RSA_WITH_NULL_SHA.*</sec:exclude>

gives message:
INFO: The cipher suites have been set to TLS_RSA_WITH_AES_128_CBC_SHA, .....
containing RSA_WITH_NULL_SHA

and 
<sec:include>.*_RSA_WITH_NULL_SHA.*</sec:include>
<sec:exclude>.*_WITH_RC4_.*</sec:exclude>

gives the same but containing WITH_RC4 and not containing RSA_WITH_NULL_SHA

Is the message bad, or is the algorithm bad?
-- 
Jiri Mikulasek
---------------------------------
Developer

AURA, s.r.o.
Uvoz 499/56; 602 00 Brno
ISO 9001 certified company
AQAP 2110 (ČOS 051622)
tel./fax: +420 544 508 115
e-mail:  mikulasek@aura.cz
http://www.aura.cz
---------------------------------

Re: bug in sec:include / exclude ?

Posted by "Bc. Jiří Mikulášek" <ji...@aura.cz>.
Hi,
finally I have had more time to examine the problem:

Note: in both cases described below, the cipher suite logged on the client side
contains only: SSL_RSA_WITH_NULL_SHA

Please let me know if there is some way to force both server and client to
communicate with one specific cipher.

First configuration:
Server:
<sec:cipherSuitesFilter>
  <sec:include>.*WITH_NULL_SHA.*</sec:include>
</sec:cipherSuitesFilter>
Client:
<sec:cipherSuitesFilter>
  <sec:include>SSL_RSA_WITH_NULL_SHA</sec:include>
</sec:cipherSuitesFilter>

When trying to connect the client to the server, I got this in the server log:
INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, 
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
2007-12-17 09:59:15.748::INFO:  Started CXFJettySslSocketConnector@0.0.0.0:8090
Exception in thread "btpool1-0" java.lang.OutOfMemoryError: Java heap space
	at com.sun.net.ssl.internal.ssl.InputRecord.<init>(InputRecord.java:65)
	at com.sun.net.ssl.internal.ssl.HandshakeInStream.<init>(HandshakeInStream.java:45)
	at com.sun.net.ssl.internal.ssl.Handshaker.setEnabledProtocols(Handshaker.java:294)
	at com.sun.net.ssl.internal.ssl.Handshaker.init(Handshaker.java:139)
	at com.sun.net.ssl.internal.ssl.Handshaker.<init>(Handshaker.java:110)
	at com.sun.net.ssl.internal.ssl.ServerHandshaker.<init>(ServerHandshaker.java:86)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.initHandshaker(SSLSocketImpl.java:980)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getServerHandshaker(SSLSocketImpl.java:928)
	at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:288)
	at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
	at org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:169)
	at org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:514)
	at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)

Second configuration:
Client same as before
Server:
<sec:cipherSuitesFilter>
  <sec:exclude>.*WITH_NULL_SHA.*</sec:exclude>
</sec:cipherSuitesFilter>

I got the same exception and the following cipher suites on the server side:
INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, 
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
2007-12-17 10:11:46.635::INFO:  Started CXFJettySslSocketConnector@0.0.0.0:8090
Exception in thread "btpool1-0" java.lang.OutOfMemoryError: Java heap space

On Friday 14 of December 2007 14:13:54 Fred Dushin wrote:
> Interesting.  I wonder if this is related to
>
> https://issues.apache.org/jira/browse/CXF-1222
>
> Could I ask you to check your CPU utilization, while your server
> comes up?
>
> On Dec 14, 2007, at 1:48 AM, Bc. Jiří Mikulášek wrote:
> > Hi all,
> > I wonder about this problem when testing how to force the handshake to
> > one specific
> > algorithm.
> >
> > The interesting thing is that on the client side all works perfectly as
> > expected.
> > On the server side something must be wrong, because I still didn't
> > catch the
> > goal.
> >
> > To be more specific:
> >
> > Client configuration:
> > <sec:cipherSuitesFilter>
> >   <sec:include>SSL_RSA_WITH_NULL_SHA</sec:include>
> > </sec:cipherSuitesFilter>
> >
> > The server configuration below should work, but I get either a connection
> > timeout or
> > an OutOfMemory error.
> > <sec:cipherSuitesFilter>
> >   <sec:include>SSL_RSA_WITH_NULL_SHA</sec:include>
> > </sec:cipherSuitesFilter>
> >
> > the same results
> > <sec:cipherSuitesFilter>
> >   <sec:exclude>SSL_RSA_WITH_NULL_SHA</sec:exclude>
> > </sec:cipherSuitesFilter>
> >
> > On Friday 14 of December 2007 04:55:55 Fred Dushin wrote:
> >> That doesn't seem right.  If the filters are not doing the right
> >> thing, then this is definitely a bug and should be filed.
> >>
> >> Are you sure that the configuration you are specifying is getting
> >> applied to the endpoint that's getting logged?
> >>
> >> I have not seen this behavior before, but I also don't know how well
> >> the feature is tested in the code.
> >>
> >> -Fred
> >>
> >> On Dec 13, 2007, at 8:47 AM, Bc. Jiří Mikulášek wrote:
> >>> Hi,
> >>> I am using 2.0.2 and found strange behaviour:
> >>>
> >>> example:
> >>>
> >>> <sec:include>.*_WITH_RC4_.*</sec:include>
> >>> <sec:exclude>.*_RSA_WITH_NULL_SHA.*</sec:exclude>
> >>>
> >>> gives message:
> >>> INFO: The cipher suites have been set to
> >>> TLS_RSA_WITH_AES_128_CBC_SHA, .....
> >>> containing RSA_WITH_NULL_SHA
> >>>
> >>> and
> >>> <sec:include>.*_RSA_WITH_NULL_SHA.*</sec:include>
> >>> <sec:exclude>.*_WITH_RC4_.*</sec:exclude>
> >>>
> >>> gives the same but containing WITH_RC4 and not containing
> >>> RSA_WITH_NULL_SHA
> >>>
> >>> Is the message bad, or is the algorithm bad?
> >>> --
> >>> Jiri Mikulasek
> >>> ---------------------------------
> >>> Developer
> >>>
> >>> AURA, s.r.o.
> >>> Uvoz 499/56; 602 00 Brno
> >>> ISO 9001 certified company
> >>> AQAP 2110 (ČOS 051622)
> >>> tel./fax: +420 544 508 115
> >>> e-mail:  mikulasek@aura.cz
> >>> http://www.aura.cz
> >>> ---------------------------------
> >
> > --
> > Jiri Mikulasek
> > ---------------------------------
> > Developer
> >
> > AURA, s.r.o.
> > Uvoz 499/56; 602 00 Brno
> > ISO 9001 certified company
> > AQAP 2110 (ČOS 051622)
> > tel./fax: +420 544 508 115
> > e-mail:  mikulasek@aura.cz
> > http://www.aura.cz
> > ---------------------------------



-- 
Jiri Mikulasek
---------------------------------
Developer

AURA, s.r.o.
Uvoz 499/56; 602 00 Brno
ISO 9001 certified company
AQAP 2110 (ČOS 051622)
tel./fax: +420 544 508 115
e-mail:  mikulasek@aura.cz
http://www.aura.cz
---------------------------------
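
The thread never settles what the `sec:include` / `sec:exclude` patterns are supposed to yield, so here is an added example (editor's code, not part of the thread and not CXF's implementation) that models the filter and checks its result against a logged suite list. It assumes, as an editor's assumption about how such a filter behaves, that a suite is kept when it matches any include pattern (no include means keep everything) and is then dropped when it matches any exclude pattern, with each pattern matched against the whole suite name as Java's `Matcher.matches()` does; that whole-name rule is why the patterns in the thread are written as `.*X.*`. The suite list is the one the server logged above; the short log line and the weak-suite labels are constructed by the editor.

```python
"""Model of a regex include/exclude cipher-suite filter, checked against a log line.

Added example for this thread, not CXF code. Editor's assumption: include
patterns are applied first (no include = keep all), then exclude patterns, each
matched against the whole suite name like Java's Matcher.matches().
"""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed sample input: the suite list the server logged in the thread's
# second configuration (the one that still lists SSL_RSA_WITH_NULL_SHA).
ENABLED_SUITES: List[str] = """
SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA SSL_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
""".split()

# Constructed log line in the format quoted in the thread; it deliberately
# disagrees with the first configuration so the comparison has something to report.
SAMPLE_LOG_LINE = ("INFO: The cipher suites have been set to "
                   "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_NULL_SHA.")
LOG_PREFIX = "The cipher suites have been set to"

# Name fragments that mark a suite as unfit for use. The labels are the editor's
# and reflect current knowledge, not what was considered acceptable in 2007.
WEAK_MARKERS: Dict[str, str] = {
    "_NULL_": "no encryption",
    "_anon_": "no server authentication",
    "_EXPORT_": "deliberately weakened key length",
    "_RC4_": "RC4 stream cipher",
    "_DES_CBC": "single DES",
    "_MD5": "MD5 MAC",
}


def filter_suites(suites: Sequence[str], include: Sequence[str] = (),
                  exclude: Sequence[str] = (), full_match: bool = True) -> List[str]:
    """Apply include patterns, then exclude patterns, keeping the input order.

    full_match=True emulates Java's Matcher.matches() (the whole name must match);
    full_match=False is a substring search, which is what a bare pattern such as
    "WITH_NULL_SHA" without the surrounding .* would need.
    """
    match = re.fullmatch if full_match else re.search
    kept = [s for s in suites if not include or any(match(p, s) for p in include)]
    return [s for s in kept if not any(match(p, s) for p in exclude)]


def weak_suites(suites: Sequence[str]) -> List[Tuple[str, str]]:
    """Return (suite, reasons) for every suite whose name carries a weak marker."""
    flagged = []
    for s in suites:
        reasons = [why for marker, why in WEAK_MARKERS.items() if marker in s]
        if reasons:
            flagged.append((s, "; ".join(reasons)))
    return flagged


def compare_with_log(expected: Sequence[str], log_line: str) -> Tuple[List[str], List[str]]:
    """Parse a 'cipher suites have been set to' line and diff it against the list
    the filter should have produced. Returns (missing, unexpected), both sorted."""
    if LOG_PREFIX not in log_line:
        raise ValueError("log line does not contain the cipher-suite message")
    body = log_line.split(LOG_PREFIX, 1)[1].strip().rstrip(".")
    logged = [s.strip() for s in body.split(",") if s.strip()]
    return sorted(set(expected) - set(logged)), sorted(set(logged) - set(expected))


if __name__ == "__main__":
    # The two configurations from the first post of the thread.
    rc4_only = filter_suites(ENABLED_SUITES, include=[r".*_WITH_RC4_.*"],
                             exclude=[r".*_RSA_WITH_NULL_SHA.*"])
    null_sha_only = filter_suites(ENABLED_SUITES, include=[r".*_RSA_WITH_NULL_SHA.*"],
                                  exclude=[r".*_WITH_RC4_.*"])
    print("include RC4 / exclude NULL_SHA ->", rc4_only)
    print("include NULL_SHA / exclude RC4 ->", null_sha_only)
    # Whole-name matching: a bare pattern only works as an exact allowlist.
    print("bare 'WITH_NULL_SHA', whole-name ->",
          filter_suites(ENABLED_SUITES, include=["WITH_NULL_SHA"]))
    print("bare 'WITH_NULL_SHA', substring  ->",
          filter_suites(ENABLED_SUITES, include=["WITH_NULL_SHA"], full_match=False))
    # What a defender wants: an AES allowlist with the anonymous-DH suites removed.
    aes = filter_suites(ENABLED_SUITES, include=[r".*_AES_128_CBC_SHA"],
                        exclude=[r".*_anon_.*"])
    print("AES allowlist ->", aes, "weak:", weak_suites(aes))
    # Check the server's log line against what the filter should have produced.
    print("log vs expected (missing, unexpected):",
          compare_with_log(rc4_only, SAMPLE_LOG_LINE))
```

Under whole-name matching the bare name `SSL_RSA_WITH_NULL_SHA` in `sec:include` is an exact allowlist, which is the single-cipher setup asked for above; a bare fragment such as `WITH_NULL_SHA` matches nothing. Running `compare_with_log` on the suite list the server actually prints is the quickest way to answer Fred's question of whether the filter was applied to the endpoint being logged: an empty `unexpected` list means the configuration took effect, anything else means it did not.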

Re: bug in sec:include / exclude ?

Posted by Fred Dushin <fr...@dushin.net>.
Interesting.  I wonder if this is related to

https://issues.apache.org/jira/browse/CXF-1222

Could I ask you to check your CPU utilization, while your server  
comes up?

On Dec 14, 2007, at 1:48 AM, Bc. Jiří Mikulášek wrote:

> Hi all,
> I wonder about this problem when testing how to force the handshake to
> one specific
> algorithm.
>
> The interesting thing is that on the client side all works perfectly as
> expected.
> On the server side something must be wrong, because I still didn't
> catch the
> goal.
>
> To be more specific:
>
> Client configuration:
> <sec:cipherSuitesFilter>
>   <sec:include>SSL_RSA_WITH_NULL_SHA</sec:include>
> </sec:cipherSuitesFilter>
>
> The server configuration below should work, but I get either a connection
> timeout or
> an OutOfMemory error.
> <sec:cipherSuitesFilter>
>   <sec:include>SSL_RSA_WITH_NULL_SHA</sec:include>
> </sec:cipherSuitesFilter>
>
> the same results
> <sec:cipherSuitesFilter>
>   <sec:exclude>SSL_RSA_WITH_NULL_SHA</sec:exclude>
> </sec:cipherSuitesFilter>
>
> On Friday 14 of December 2007 04:55:55 Fred Dushin wrote:
>> That doesn't seem right.  If the filters are not doing the right
>> thing, then this is definitely a bug and should be filed.
>>
>> Are you sure that the configuration you are specifying is getting
>> applied to the endpoint that's getting logged?
>>
>> I have not seen this behavior before, but I also don't know how well
>> the feature is tested in the code.
>>
>> -Fred
>>
>> On Dec 13, 2007, at 8:47 AM, Bc. Jiří Mikulášek wrote:
>>> Hi,
>>> I am using 2.0.2 and found strange behaviour:
>>>
>>> example:
>>>
>>> <sec:include>.*_WITH_RC4_.*</sec:include>
>>> <sec:exclude>.*_RSA_WITH_NULL_SHA.*</sec:exclude>
>>>
>>> gives message:
>>> INFO: The cipher suites have been set to
>>> TLS_RSA_WITH_AES_128_CBC_SHA, .....
>>> containing RSA_WITH_NULL_SHA
>>>
>>> and
>>> <sec:include>.*_RSA_WITH_NULL_SHA.*</sec:include>
>>> <sec:exclude>.*_WITH_RC4_.*</sec:exclude>
>>>
>>> gives the same but containing WITH_RC4 and not containing
>>> RSA_WITH_NULL_SHA
>>>
>>> Is the message bad, or is the algorithm bad?
>>> --
>>> Jiri Mikulasek
>>> ---------------------------------
>>> Developer
>>>
>>> AURA, s.r.o.
>>> Uvoz 499/56; 602 00 Brno
>>> ISO 9001 certified company
>>> AQAP 2110 (ČOS 051622)
>>> tel./fax: +420 544 508 115
>>> e-mail:  mikulasek@aura.cz
>>> http://www.aura.cz
>>> ---------------------------------
>
>
>
> -- 
> Jiri Mikulasek
> ---------------------------------
> Developer
>
> AURA, s.r.o.
> Uvoz 499/56; 602 00 Brno
> ISO 9001 certified company
> AQAP 2110 (ČOS 051622)
> tel./fax: +420 544 508 115
> e-mail:  mikulasek@aura.cz
> http://www.aura.cz
> ---------------------------------
>


Re: bug in sec:include / exclude ?

Posted by "Bc. Jiří Mikulášek" <ji...@aura.cz>.
Hi all,
I wonder about this problem when testing how to force the handshake to one specific
algorithm.

The interesting thing is that on the client side all works perfectly as expected.
On the server side something must be wrong, because I still didn't catch the
goal.

To be more specific:

Client configuration:
<sec:cipherSuitesFilter>
  <sec:include>SSL_RSA_WITH_NULL_SHA</sec:include>
</sec:cipherSuitesFilter>

The server configuration below should work, but I get either a connection timeout or
an OutOfMemory error.
<sec:cipherSuitesFilter>
  <sec:include>SSL_RSA_WITH_NULL_SHA</sec:include>
</sec:cipherSuitesFilter>

the same results
<sec:cipherSuitesFilter>
  <sec:exclude>SSL_RSA_WITH_NULL_SHA</sec:exclude>
</sec:cipherSuitesFilter>

On Friday 14 of December 2007 04:55:55 Fred Dushin wrote:
> That doesn't seem right.  If the filters are not doing the right
> thing, then this is definitely a bug and should be filed.
>
> Are you sure that the configuration you are specifying is getting
> applied to the endpoint that's getting logged?
>
> I have not seen this behavior before, but I also don't know how well
> the feature is tested in the code.
>
> -Fred
>
> On Dec 13, 2007, at 8:47 AM, Bc. Jiří Mikulášek wrote:
> > Hi,
> > I am using 2.0.2 and found strange behaviour:
> >
> > example:
> >
> > <sec:include>.*_WITH_RC4_.*</sec:include>
> > <sec:exclude>.*_RSA_WITH_NULL_SHA.*</sec:exclude>
> >
> > gives message:
> > INFO: The cipher suites have been set to
> > TLS_RSA_WITH_AES_128_CBC_SHA, .....
> > containing RSA_WITH_NULL_SHA
> >
> > and
> > <sec:include>.*_RSA_WITH_NULL_SHA.*</sec:include>
> > <sec:exclude>.*_WITH_RC4_.*</sec:exclude>
> >
> > gives the same but containing WITH_RC4 and not containing
> > RSA_WITH_NULL_SHA
> >
> > Is the message bad, or is the algorithm bad?
> > --
> > Jiri Mikulasek
> > ---------------------------------
> > Developer
> >
> > AURA, s.r.o.
> > Uvoz 499/56; 602 00 Brno
> > ISO 9001 certified company
> > AQAP 2110 (ČOS 051622)
> > tel./fax: +420 544 508 115
> > e-mail:  mikulasek@aura.cz
> > http://www.aura.cz
> > ---------------------------------



-- 
Jiri Mikulasek
---------------------------------
Developer

AURA, s.r.o.
Uvoz 499/56; 602 00 Brno
ISO 9001 certified company
AQAP 2110 (ČOS 051622)
tel./fax: +420 544 508 115
e-mail:  mikulasek@aura.cz
http://www.aura.cz
---------------------------------

Re: bug in sec:include / exclude ?

Posted by Fred Dushin <fr...@dushin.net>.
That doesn't seem right.  If the filters are not doing the right  
thing, then this is definitely a bug and should be filed.

Are you sure that the configuration you are specifying is getting  
applied to the endpoint that's getting logged?

I have not seen this behavior before, but I also don't know how well  
the feature is tested in the code.

-Fred

On Dec 13, 2007, at 8:47 AM, Bc. Jiří Mikulášek wrote:

> Hi,
> I am using 2.0.2 and found strange behaviour:
>
> example:
>
> <sec:include>.*_WITH_RC4_.*</sec:include>
> <sec:exclude>.*_RSA_WITH_NULL_SHA.*</sec:exclude>
>
> gives message:
> INFO: The cipher suites have been set to  
> TLS_RSA_WITH_AES_128_CBC_SHA, .....
> containing RSA_WITH_NULL_SHA
>
> and
> <sec:include>.*_RSA_WITH_NULL_SHA.*</sec:include>
> <sec:exclude>.*_WITH_RC4_.*</sec:exclude>
>
> gives the same but containing WITH_RC4 and not containing  
> RSA_WITH_NULL_SHA
>
> Is the message bad, or is the algorithm bad?
> -- 
> Jiri Mikulasek
> ---------------------------------
> Developer
>
> AURA, s.r.o.
> Uvoz 499/56; 602 00 Brno
> ISO 9001 certified company
> AQAP 2110 (ČOS 051622)
> tel./fax: +420 544 508 115
> e-mail:  mikulasek@aura.cz
> http://www.aura.cz
> ---------------------------------
>