Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/03/13 19:46:38 UTC

[jira] [Commented] (CXF-6294) Cannot activate TLSv1.2 cipher suites on client on Java7

    [ https://issues.apache.org/jira/browse/CXF-6294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14360906#comment-14360906 ] 

Colm O hEigeartaigh commented on CXF-6294:
------------------------------------------


Can I see how you are configuring TLS on the client side?

Colm.

> Cannot activate TLSv1.2 cipher suites on client on Java7
> --------------------------------------------------------
>
>                 Key: CXF-6294
>                 URL: https://issues.apache.org/jira/browse/CXF-6294
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.7.13, 2.7.14, 2.7.15
>         Environment: JRE 1.7.0_76, CXF 2.7.13-2.7.15 (previous versions not checked)
>            Reporter: SL
>            Assignee: Colm O hEigeartaigh
>
> The Java7 JRE has distinct behavior for client and server SSL sockets (see JSSE reference).
> On a server socket TLSv1.1 and TLSv1.2 are enabled by default, whereas on a client socket both are disabled by default (but can be enabled with setEnabledProtocols()).
> These settings have been reverted for Java8.
> The problem with cxf lies in cxf-rt-transports-http.jar in org.apache.cxf.transport.http.SSLSocketFactoryWrapper.enableCipherSuites(...) :
> {code:java}
>     private Socket enableCipherSuites(Socket s, Object[] logParams) {
>         SSLSocket socket = (SSLSocket)s;
>         
>         if ((socket != null) && (ciphers != null)) {
>             socket.setEnabledCipherSuites(ciphers);
>         }
>         if ((socket != null) && (protocol != null)) {
>             String p[] = findProtocols(protocol, socket.getSupportedProtocols());
>             if (p != null) {
>                 socket.setEnabledProtocols(p);
>             }
>         }
>         if (socket == null) {
>             LogUtils.log(LOG, Level.SEVERE,
>                          "PROBLEM_CREATING_OUTBOUND_REQUEST_SOCKET", 
>                          logParams);
>         }
>         return socket;        
>     }
> {code}
> This code does not permit enabling the TLSv1.2-only cipher suites on the client.
> It produces
> {noformat}
> Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite 
> 	at sun.security.ssl.CipherSuite.valueOf(Unknown Source) ~[na:1.7.0_76]
> 	at sun.security.ssl.CipherSuiteList.<init>(Unknown Source) ~[na:1.7.0_76]
> 	at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(Unknown Source) ~[na:1.7.0_76]
> 	at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.enableCipherSuites(SSLSocketFactoryWrapper.java:101)
> {noformat}
> because when setEnabledCipherSuites() is called, TLSv1.2 is not (yet) enabled.
> IMHO setEnabledProtocols() should be called first.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)