You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Daniel Kulp (JIRA)" <ji...@apache.org> on 2008/03/03 04:58:50 UTC
[jira] Commented: (CXF-1456) Investigate a more sensible set of
default cipher suites
[ https://issues.apache.org/jira/browse/CXF-1456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12574343#action_12574343 ]
Daniel Kulp commented on CXF-1456:
----------------------------------
This is completely cause by the filter list in SSLUtils:
/**
* By default, only include export-compatible ciphersuites.
*/
private static final List<String> DEFAULT_CIPHERSUITE_FILTERS_INCLUDE =
Arrays.asList(new String[] {".*_EXPORT_.*",
".*_EXPORT1024_.*",
".*_WITH_DES_.*",
".*_WITH_NULL_.*"});
Does ANYONE know why this isn't just ".*"? We don't ship any implementation of the algorithms (since we don't ship bouncycastle). We just use whatever they have installed as their jsse provider. Thus, I don't see why that filter should be set that way. Thouhgts?
> Investigate a more sensible set of default cipher suites
> --------------------------------------------------------
>
> Key: CXF-1456
> URL: https://issues.apache.org/jira/browse/CXF-1456
> Project: CXF
> Issue Type: Bug
> Affects Versions: 2.0.4
> Environment: Ubuntu Linux 7.10, Sun JRE 1.5.0_13-b05, standard JCE jurisdiction policy ('unlimited' policy not installed)
> Reporter: Travis Gebhardt
> Priority: Minor
>
> I've been working on upgrading an older XFire client to CXF and hit some problems connecting to a HTTPS endpoint.
> The new CXF client kept failing with SSL handshake errors. After doing some research and comparisons to the working XFire client, I discovered that the handshake was failing because the cipher suite, SSL_RSA_WITH_3DES_EDE_CBC_SHA, was missing from the default cipher list in CXF. I had expected this to "just work" since my XFire client didn't do anything special with cipher suites. After adding SSL_RSA_WITH_3DES_EDE_CBC_SHA to the CXF client 's cipher suites list, the handshake worked fine.
> According to Donal, 3DES_EDE_CBC_SHA is a commonly used and strong cipher suite. Perhaps it makes sense to add this and other sensible cipher suites to the default cipher suite list? If there is a reason why it shouldn't be added then it would be helpful to add a note on the XFire to CXF upgrade document describing the differences in default cipher suites so that others won't face this same issue when upgrading clients.
> For the original post to cxf-users and Donal's reply which offers some guidelines for choosing sensible default cipher suites, please see this:
> http://www.nabble.com/upgrading-from-XFire---SSL-handshake-errors-td15725238.html
> Failed handshake logs:
> INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.
> %% No cached client session
> *** ClientHello, SSLv3
> RandomCookie: GMT: 1187298740 bytes = { 113, 45, 193, 158, 214, 231, 11, 225, 197, 38, 3, 179, 175, 26, 25, 234, 108, 241, 155, 106, 191, 62, 221, 65, 209, 8, 182, 48 }
> Session ID: {}
> Cipher Suites: [SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
> Compression Methods: { 0 }
> ***
> WRITE: SSLv3 Handshake, length = 79
> WRITE: SSLv2 client hello message, length = 101
> READ: SSLv3 Alert, length = 2
> RECV TLSv1 ALERT: fatal, handshake_failure
> called closeSocket()
> handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> Feb 27, 2008 2:49:08 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
> INFO: Interceptor has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: Error writing to XMLStreamWriter.
> at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.writeSoapEnvelopeStart(SoapOutInterceptor.java:136)
> at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:76)
> at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:57)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:208)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
> at $Proxy48.localAuthenticationQuery(Unknown Source) ...
> Caused by: javax.xml.stream.XMLStreamException
> at com.sun.xml.stream.writers.XMLStreamWriterImpl.writeStartElement(XMLStreamWriterImpl.java:1210)
> at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.writeSoapEnvelopeStart(SoapOutInterceptor.java:95)
> ... 16 more
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.