Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/02/27 00:18:04 UTC

[Bug 59081] New: Cipher ordering not working

https://bz.apache.org/bugzilla/show_bug.cgi?id=59081

            Bug ID: 59081
           Summary: Cipher ordering not working
           Product: Tomcat 9
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: ognjen.d.blagojevic@gmail.com

If I configure a JSSE connector (NIO) with the JSSE implementation and an
explicit JSSE cipher list, my resulting list of enabled ciphers is ordered
differently from what I configured.

The reason for that seems to be in the method SSLUtilBase.getEnabled, which
creates the list of enabled ciphers like this:

  enabled.addAll(implemented);
  enabled.retainAll(configured);

The resulting List contains the intersection of the configured and implemented
ciphers, but in the order of the implemented ciphers, and that is not what the
user wants. I guess it should keep the order of the configured ciphers, like this:

  enabled.addAll(configured);
  enabled.retainAll(implemented);

Right?


The second issue with cipher ordering is that
OpenSSLCipherConfigurationParser.parse always returns:

  return defaultSort(ciphers);

I am not sure what the intention is here, because the defaultSort method may
change the user-defined cipher order.


My cipher configuration:

[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]

defaultSort(ciphers) changes order to:

[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]

And getEnabled changes order to:

[TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
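The getEnabled ordering problem reported above, as an added stand-alone illustration (not Tomcat's own code): the same configured list is intersected with a constructed stand-in for the provider's supported-suite list, once with the buggy `addAll(implemented)`/`retainAll(configured)` order and once with the order-preserving variant. The `IMPLEMENTED` list is an assumption; real JSSE providers report many more suites, and the names are the page's own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CipherOrderDemo {
    // Cipher list exactly as the reporter configured it (from the bug report).
    static final List<String> CONFIGURED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA");

    // Constructed stand-in for the provider's supported suites, in the provider's
    // own order. TLS_DHE_RSA_WITH_AES_128_CBC_SHA is deliberately left out so the
    // example also shows that unsupported configured suites are dropped.
    static final List<String> IMPLEMENTED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA");

    // Buggy variant: the intersection inherits the provider's order, so the
    // administrator's preference order is lost.
    static List<String> enabledProviderOrder(List<String> implemented,
                                             List<String> configured) {
        List<String> enabled = new ArrayList<>(implemented);
        enabled.retainAll(configured);
        return enabled;
    }

    // Fixed variant: start from the configured list and filter by what the
    // provider implements, so the configured order is preserved.
    static List<String> enabledConfiguredOrder(List<String> implemented,
                                               List<String> configured) {
        List<String> enabled = new ArrayList<>(configured);
        enabled.retainAll(implemented);
        return enabled;
    }

    public static void main(String[] args) {
        System.out.println("configured:         " + CONFIGURED);
        System.out.println("buggy (provider):   " + enabledProviderOrder(IMPLEMENTED, CONFIGURED));
        System.out.println("fixed (configured): " + enabledConfiguredOrder(IMPLEMENTED, CONFIGURED));
    }
}
```

With the fixed variant the output is the configured list minus the one suite the provider lacks; with the buggy variant the same five suites come back in the provider's order, which is why the server's cipher preference no longer matches the configuration.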


[Bug 59081] Cipher ordering not working

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59081

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Good catch.

I've fixed both those issues for 9.0.x (9.0.0.M4 onwards). 8.0.x is only
affected by the defaultSort() issue. That has been fixed for 8.0.33 onwards.



[Bug 59081] Cipher ordering not working

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59081

Ognjen Blagojevic <og...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
