Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/01/10 22:09:19 UTC

[Bug 54406] New: NIO and BIO connectors handle unsupported SSL ciphers and sslEnabledProtocols differently

https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

            Bug ID: 54406
           Summary: NIO and BIO connectors handle unsupported SSL ciphers
                    and sslEnabledProtocols differently
           Product: Tomcat 7
           Version: trunk
          Hardware: PC
                OS: Mac OS X 10.4
            Status: NEW
          Severity: major
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: timw@apache.org
    Classification: Unclassified

The NIO and BIO connectors share (most of) a JSSE based SSLImplementation, but
differ in their handling of the ciphers and sslEnabledProtocols attributes.

The NIO connector sets the configured values for both attributes directly on
the SSLEngine, which will fail immediately if any of them are unsupported. This
makes creating a portable/superset collection of ciphers impossible - i.e. IBM
JDKs do not support many of the cipher suite names used by JSSE and vice versa
(usually TLS_ vs SSL_ prefixes differ) and the supported options differ between
Java 6/7 etc.

The BIO connector attempts to filter the specified values down to those
supported by the SSL implementation, but has issues as well: if none of the
specified ciphers/protocols are supported it will silently use the defaults of
the SSL implementation, which can lead to unexpectedly (and unwittingly)
insecure configurations.

I propose to:
 - modify the NIO connector to use the same logic as the BIO connector to
filter requested ciphers/protocols to supported values (by placing these
operations on the SSLUtil interface). 
 - modify the ciphers/protocols filtering logic to treat an explicit list of
unsupported options as setting no supported ciphers/protocols and warn when
this is done (it will also fail visibly with errors if SSL connections are
attempted).

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [Bug 54406] NIO and BIO connectors handle unsupported SSL ciphers and sslEnabledProtocols differently

Posted by Tim Whittington <ti...@apache.org>.
On Tue, Jan 15, 2013 at 1:49 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> Tim,
>
> On 1/13/13 5:13 PM, Tim Whittington wrote:
>> On Mon, Jan 14, 2013 at 11:10 AM,  <bu...@apache.org> wrote:
>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=54406
>>>
>>> --- Comment #2 from Tim Whittington <ti...@apache.org> ---
>>> Fixed in trunk and in 7.0.x and will be included in 7.0.36 onwards.
>>>
>>> The change involved a modification to the org.apache.tomcat.util.net.SSLUtil
>>> interface, which will require updates to custom SSLImplementations.
>>>
>>> --
>>> You are receiving this mail because:
>>> You are the assignee for the bug.
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>>
>>
>> I'm not sure what the convention is for modifying interfaces like
>> org.apache.tomcat.util.net.SSLUtil/SSLImplementation in a released
>> branch.
>> If it's not the done thing to change these in 7.0.x, someone let me
>> know and I'll change the 7.0.x fix to avoid this.
>
> It might be a big deal. Just in case your commit slipped through
> without review, you might want to post a new message to see if there are
> any objections.
>
> Since you have added methods to the interface, I'm afraid I might have
> to be -1 to this commit (specifically to the 7.0.x branch) because it
> means that Tomcat 7 is no longer binary-compatible and dependent code
> won't compile without modification (which is obviously frustrating).

I'll take that as a very polite -1 ;)
I'd come to the same conclusion myself, so I'll update the 7.0.x fix
to not break binary compatibility.

> What about a different fix for 7.0.x which uses a separate class to
> handle these two new methods? That would allow the fix with minimal
> modification but still maintain binary compatibility.

tim



Re: [Bug 54406] NIO and BIO connectors handle unsupported SSL ciphers and sslEnabledProtocols differently

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Tim,

On 1/13/13 5:13 PM, Tim Whittington wrote:
> On Mon, Jan 14, 2013 at 11:10 AM,  <bu...@apache.org> wrote:
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=54406
>>
>> --- Comment #2 from Tim Whittington <ti...@apache.org> ---
>> Fixed in trunk and in 7.0.x and will be included in 7.0.36 onwards.
>>
>> The change involved a modification to the org.apache.tomcat.util.net.SSLUtil
>> interface, which will require updates to custom SSLImplementations.
>>
>> --
>> You are receiving this mail because:
>> You are the assignee for the bug.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: dev-help@tomcat.apache.org
>>
> 
> I'm not sure what the convention is for modifying interfaces like
> org.apache.tomcat.util.net.SSLUtil/SSLImplementation in a released
> branch.
> If it's not the done thing to change these in 7.0.x, someone let me
> know and I'll change the 7.0.x fix to avoid this.

It might be a big deal. Just in case your commit slipped through
without review, you might want to post a new message to see if there are
any objections.

Since you have added methods to the interface, I'm afraid I might have
to be -1 to this commit (specifically to the 7.0.x branch) because it
means that Tomcat 7 is no longer binary-compatible and dependent code
won't compile without modification (which is obviously frustrating).

What about a different fix for 7.0.x which uses a separate class to
handle these two new methods? That would allow the fix with minimal
modification but still maintain binary compatibility.

-chris


Re: [Bug 54406] NIO and BIO connectors handle unsupported SSL ciphers and sslEnabledProtocols differently

Posted by Tim Whittington <ti...@apache.org>.
On Mon, Jan 14, 2013 at 11:10 AM,  <bu...@apache.org> wrote:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=54406
>
> --- Comment #2 from Tim Whittington <ti...@apache.org> ---
> Fixed in trunk and in 7.0.x and will be included in 7.0.36 onwards.
>
> The change involved a modification to the org.apache.tomcat.util.net.SSLUtil
> interface, which will require updates to custom SSLImplementations.
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>

I'm not sure what the convention is for modifying interfaces like
org.apache.tomcat.util.net.SSLUtil/SSLImplementation in a released
branch.
If it's not the done thing to change these in 7.0.x, someone let me
know and I'll change the 7.0.x fix to avoid this.

cheers
tim



[Bug 54406] NIO and BIO connectors handle unsupported SSL ciphers and sslEnabledProtocols differently

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

--- Comment #2 from Tim Whittington <ti...@apache.org> ---
Fixed in trunk and in 7.0.x and will be included in 7.0.36 onwards.

The change involved a modification to the org.apache.tomcat.util.net.SSLUtil
interface, which will require updates to custom SSLImplementations.



[Bug 54406] NIO and BIO connectors handle unsupported SSL ciphers and sslEnabledProtocols differently

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

--- Comment #1 from Christopher Schultz <ch...@christopherschultz.net> ---
+1

There was a post to the users' list recently where a user attempted to
configure JSSE using OpenSSL-style cipher names. The result was evidently that
the Connector used the default list of ciphers. I assert that this is a
security problem.

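As an added illustration (not code from the bug report, the thread, or Tomcat itself), the three behaviours described in the report and in comment #1 above: the NIO connector's direct SSLEngine configuration that throws on an unknown name, the old BIO filtering that silently falls back to provider defaults when nothing matches (the case comment #1 describes with OpenSSL-style names), and the proposed behaviour of enabling nothing and warning. The class and method names and the requested cipher list are constructed for the example; the JSSE calls are the standard javax.net.ssl API.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CipherFilterDemo {

    // BIO-style filtering: keep the requested names the provider supports and
    // warn about each one it does not; returns an empty array when none match.
    static String[] filterSupported(String[] requested, String[] supported) {
        Set<String> ok = new HashSet<>(Arrays.asList(supported));
        List<String> kept = new ArrayList<>();
        for (String name : requested) {
            if (ok.contains(name)) kept.add(name);
            else System.err.println("WARN: ignoring unsupported cipher suite " + name);
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        // Constructed input: OpenSSL-style names, which no JSSE provider recognises.
        String[] requested = { "ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA" };

        // NIO before the fix: names go straight to the SSLEngine and the first
        // unknown one throws, so the connector fails to start.
        try {
            engine.setEnabledCipherSuites(requested);
        } catch (IllegalArgumentException e) {
            System.out.println("direct set rejected: " + e.getMessage());
        }

        // BIO before the fix: filter, then silently fall back to the provider's
        // defaults when nothing survives (the insecure case the report describes).
        String[] filtered = filterSupported(requested, engine.getSupportedCipherSuites());
        String[] oldBio = filtered.length == 0 ? engine.getEnabledCipherSuites() : filtered;
        System.out.println("old BIO fallback would enable " + oldBio.length + " suites");

        // Proposed behaviour: an explicit list that filters to nothing enables
        // nothing, so the misconfiguration fails loudly at handshake time instead.
        engine.setEnabledCipherSuites(filtered);
        System.out.println("after fix, enabled suites: " + engine.getEnabledCipherSuites().length);
    }
}
```

Run it against an Oracle/OpenJDK and an IBM JDK with a JSSE-style list (TLS_ vs SSL_ prefixes) to see the portability problem the report mentions: the same configured list filters to different sets on each provider.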


[Bug 54406] NIO and BIO connectors handle unsupported SSL ciphers and sslEnabledProtocols differently

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54406

Tim Whittington <ti...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
