cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Kulp (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (CXF-1456) Investigate a more sensible set of default cipher suites
Date Mon, 03 Mar 2008 19:54:50 GMT

     [ https://issues.apache.org/jira/browse/CXF-1456?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Daniel Kulp resolved CXF-1456.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.5

> Investigate a more sensible set of default cipher suites
> --------------------------------------------------------
>
>                 Key: CXF-1456
>                 URL: https://issues.apache.org/jira/browse/CXF-1456
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 2.0.4
>         Environment: Ubuntu Linux 7.10, Sun JRE 1.5.0_13-b05, standard JCE jurisdiction
policy ('unlimited' policy not installed)
>            Reporter: Travis Gebhardt
>            Assignee: Daniel Kulp
>            Priority: Minor
>             Fix For: 2.0.5
>
>
> I've been working on upgrading an older XFire client to CXF and hit some problems connecting
to a HTTPS endpoint.
> The new CXF client kept failing with SSL handshake errors. After doing some research
and comparisons to the working XFire client, I discovered that the handshake was failing because
the cipher suite, SSL_RSA_WITH_3DES_EDE_CBC_SHA, was missing from the default cipher list
in CXF. I had expected this to "just work" since my XFire client didn't do anything special
with cipher suites. After adding SSL_RSA_WITH_3DES_EDE_CBC_SHA to the CXF client 's cipher
suites list, the handshake worked fine.
> According to Donal, 3DES_EDE_CBC_SHA is a commonly used and strong cipher suite. Perhaps
it makes sense to add this and other sensible cipher suites to the default cipher suite list?
If there is a  reason why it shouldn't be added then it would be helpful to add a note on
the XFire to CXF upgrade document describing the differences in default cipher suites so that
others won't face this same issue when upgrading clients.
> For the original post to cxf-users and Donal's reply which offers some guidelines for
choosing sensible default cipher suites, please see this:
> http://www.nabble.com/upgrading-from-XFire---SSL-handshake-errors-td15725238.html
> Failed handshake logs:
> INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5,
SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
> %% No cached client session
> *** ClientHello, SSLv3
> RandomCookie:  GMT: 1187298740 bytes = { 113, 45, 193, 158, 214, 231, 11, 225, 197, 38,
3, 179, 175, 26, 25, 234, 108, 241, 155, 106, 191, 62, 221, 65, 209, 8, 182, 48 }
> Session ID:  {}
> Cipher Suites: [SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA,
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_DES_CBC_SHA,
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
> Compression Methods:  { 0 }
> ***
> WRITE: SSLv3 Handshake, length = 79
> WRITE: SSLv2 client hello message, length = 101
> READ: SSLv3 Alert, length = 2
> RECV TLSv1 ALERT:  fatal, handshake_failure
> called closeSocket()
> handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> Feb 27, 2008 2:49:08 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
> INFO: Interceptor has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: Error writing to XMLStreamWriter.
>         at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.writeSoapEnvelopeStart(SoapOutInterceptor.java:136)
>         at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:76)
>         at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:57)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:208)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
>         at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
>         at $Proxy48.localAuthenticationQuery(Unknown Source) ...
> Caused by: javax.xml.stream.XMLStreamException
>         at com.sun.xml.stream.writers.XMLStreamWriterImpl.writeStartElement(XMLStreamWriterImpl.java:1210)
>         at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.writeSoapEnvelopeStart(SoapOutInterceptor.java:95)
>         ... 16 more

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message