cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Kulp (JIRA)" <j...@apache.org>
Subject [jira] Assigned: (CXF-2633) wrong cipher suites reported for webservice-server with https
Date Wed, 27 Jan 2010 16:50:34 GMT

     [ https://issues.apache.org/jira/browse/CXF-2633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Daniel Kulp reassigned CXF-2633:
--------------------------------

    Assignee: Daniel Kulp

> wrong cipher suites reported for webservice-server with https
> -------------------------------------------------------------
>
>                 Key: CXF-2633
>                 URL: https://issues.apache.org/jira/browse/CXF-2633
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 2.2.5, 2.2.6
>         Environment: Debian Linux 2.6.26-2-686, java version "1.5.0_17"
>            Reporter: Michael Abmayer
>            Assignee: Daniel Kulp
>            Priority: Minor
>
> The ciphers suites which are reported to be set on a webservice-server seem to be those
which are disselected. Intended behavior would be to report the selected cipher suites.
> For a webservice-client everything seems ok.
> How to reproduce:
> In the wsdl_first_https-Sample-Application is the file /src/demo/hw_https/server/CherryServer.xml
> The ciphers are configured as follows:
>         <sec:include>.*_EXPORT_.*</sec:include>
>         <sec:include>.*_EXPORT1024_.*</sec:include>
>         <sec:include>.*_WITH_DES_.*</sec:include>
>         <sec:include>.*_WITH_NULL_.*</sec:include>
>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
> if you call  {{mvn  -Pserver}}  this results in the following output:
> [INFO] INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5
> Although DH_anon-ciphers are excluded, they show up in the list.
> When I try to exclude some more Ciphersuites:
>         <sec:include>.*_EXPORT_.*</sec:include>
>         <sec:include>.*_EXPORT1024_.*</sec:include>
>         <sec:exclude>.*_WITH_DES_.*</sec:exclude>
>         <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
> [INFO] INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_WITH_NULL_MD5,
SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5,
TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
> The list gets longer!
> When I exclude all (although this makes not really sense):
>         <sec:exclude>.*_EXPORT_.*</sec:exclude>
>         <sec:exclude>.*_EXPORT1024_.*</sec:exclude>
>         <sec:exclude>.*_WITH_DES_.*</sec:exclude>
>         <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
>         <sec:exclude>.*_DH_anon_.*</sec:exclude>
> [INFO] INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA,
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5,
TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA,
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
> [INFO] 2010-01-24 19:19:40.440::WARN:  EXCEPTION 
> [INFO] javax.net.ssl.SSLException: No available certificate or key corresponds to the
SSL cipher suites which are enabled.
> [INFO]  at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:303)
> [INFO]  at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
> [INFO]  at org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:172)
> [INFO]  at org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:707)
> [INFO]  at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
> The list is even longer! But now there is no suitable Cipher?!
> If you compare the first and the last cipherlist, the ciphers which are additional to
the last example are exactly those which should be instead reported in the first example.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message