Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/03/13 19:46:38 UTC
[jira] [Commented] (CXF-6294) Cannot activate TLSv1.2 cipher suites on client on Java7
[ https://issues.apache.org/jira/browse/CXF-6294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14360906#comment-14360906 ]
Colm O hEigeartaigh commented on CXF-6294:
------------------------------------------
Can I see how you are configuring TLS on the client side?
Colm.
> Cannot activate TLSv1.2 cipher suites on client on Java7
> --------------------------------------------------------
>
> Key: CXF-6294
> URL: https://issues.apache.org/jira/browse/CXF-6294
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Affects Versions: 2.7.13, 2.7.14, 2.7.15
> Environment: JRE 1.7.0_76, CXF 2.7.13-2.7.15 (previous versions not checked)
> Reporter: SL
> Assignee: Colm O hEigeartaigh
>
> The Java7 JRE has a distinct behavior for client and server SSL sockets (see JSSE reference).
> On server sockets, TLSv1.1 and TLSv1.2 are enabled by default, whereas on client sockets both are disabled by default (but can be enabled with setEnabledProtocols()).
> These settings have been reverted for Java8.
> The problem with CXF lies in cxf-rt-transports-http.jar, in org.apache.cxf.transport.http.SSLSocketFactoryWrapper.enableCipherSuites(...):
> {code:java}
> private Socket enableCipherSuites(Socket s, Object[] logParams) {
>     SSLSocket socket = (SSLSocket)s;
>
>     if ((socket != null) && (ciphers != null)) {
>         socket.setEnabledCipherSuites(ciphers);
>     }
>     if ((socket != null) && (protocol != null)) {
>         String p[] = findProtocols(protocol, socket.getSupportedProtocols());
>         if (p != null) {
>             socket.setEnabledProtocols(p);
>         }
>     }
>     if (socket == null) {
>         LogUtils.log(LOG, Level.SEVERE,
>                      "PROBLEM_CREATING_OUTBOUND_REQUEST_SOCKET",
>                      logParams);
>     }
>     return socket;
> }
> {code}
> This code does not allow enabling the TLSv1.2-only cipher suites on the client.
> It produces:
> {noformat}
> Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite
> at sun.security.ssl.CipherSuite.valueOf(Unknown Source) ~[na:1.7.0_76]
> at sun.security.ssl.CipherSuiteList.<init>(Unknown Source) ~[na:1.7.0_76]
> at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(Unknown Source) ~[na:1.7.0_76]
> at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.enableCipherSuites(SSLSocketFactoryWrapper.java:101)
> {noformat}
> because when setEnabledCipherSuites() is called, TLSv1.2 is not (yet) enabled.
> IMHO setEnabledProtocols() should be called first.