OpenSSL cipher list mismatch #1768

Closed
aetherknight opened this Issue Jun 27, 2014 · 9 comments

aetherknight commented Jun 27, 2014

Whatever version of jopenssl that is bundled with JRuby 1.7.13:

Observed behavior:

require 'openssl'
con = OpenSSL::SSL::SSLContext.new
con.ciphers = "EECDH+aRSA+AESGCM"
p con.ciphers.map { |c| c[0] }.join(' ')
# => "AES256-SHA DHE-RSA-AES256-SHA AES128-SHA DHE-RSA-AES128-SHA RC4-SHA DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA RC4-MD5 NULL-SHA NULL-MD5 DES-CBC-SHA EDH-RSA-DES-CBC-SHA EXP-RC4-MD5 EXP-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA"

Expected behavior:

Either the actual ciphers that match the cipher spec or an error indicating that the cipher spec failed to match any ciphers (since JRuby's openssl doesn't support ECDHE or AES_GCM ciphers yet).

Recent version of OpenSSL output:

$ openssl version
OpenSSL 1.0.1h 5 Jun 2014
$ openssl ciphers 'EECDH+aRSA+AESGCM'
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

Expected sort of error if ciphers are not yet implemented:

OpenSSL::SSL::SSLContext.new.ciphers = "EECDH"
# => OpenSSL::SSL::SSLError: no cipher match
    from org/jruby/ext/openssl/SSLContext.java:391:in `ciphers='
    from (irb):24:in `evaluate'
    from org/jruby/RubyKernel.java:1101:in `eval'
    from org/jruby/RubyKernel.java:1501:in `loop'
    from org/jruby/RubyKernel.java:1264:in `catch'
    from org/jruby/RubyKernel.java:1264:in `catch'
    from /Users/bjorvis/.rbenv/versions/jruby-1.7.13/bin/jirb:13:in `(root)'

Member

mkristian commented Jun 27, 2014

If I compare MRI and JRuby, then JRuby does not support the following (probably depending on the versions used):

AES128-GCM-SHA256
AES128-SHA256
AES256-GCM-SHA384
AES256-SHA256
CAMELLIA128-SHA
CAMELLIA256-SHA
DHE-DSS-AES128-GCM-SHA256
DHE-DSS-AES128-SHA256
DHE-DSS-AES256-GCM-SHA384
DHE-DSS-AES256-SHA256
DHE-DSS-CAMELLIA128-SHA
DHE-DSS-CAMELLIA256-SHA
DHE-DSS-SEED-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-CAMELLIA128-SHA
DHE-RSA-CAMELLIA256-SHA
DHE-RSA-SEED-SHA
ECDH-ECDSA-AES128-GCM-SHA256
ECDH-ECDSA-AES128-SHA
ECDH-ECDSA-AES128-SHA256
ECDH-ECDSA-AES256-GCM-SHA384
ECDH-ECDSA-AES256-SHA
ECDH-ECDSA-AES256-SHA384
ECDH-ECDSA-DES-CBC3-SHA
ECDH-ECDSA-RC4-SHA
ECDH-RSA-AES128-GCM-SHA256
ECDH-RSA-AES128-SHA
ECDH-RSA-AES128-SHA256
ECDH-RSA-AES256-GCM-SHA384
ECDH-RSA-AES256-SHA
ECDH-RSA-AES256-SHA384
ECDH-RSA-DES-CBC3-SHA
ECDH-RSA-RC4-SHA
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-DES-CBC3-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-DES-CBC3-SHA
ECDHE-RSA-RC4-SHA
EDH-DSS-DES-CBC-SHA
EXP-RC2-CBC-MD5
PSK-3DES-EDE-CBC-SHA
PSK-AES128-CBC-SHA
PSK-AES256-CBC-SHA
PSK-RC4-SHA
SEED-SHA
SRP-DSS-3DES-EDE-CBC-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-3DES-EDE-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
SRP-RSA-AES-256-CBC-SHA

mkristian added the openssl label Jun 27, 2014

Author

aetherknight commented Jun 30, 2014

@mkristian Yeah, JRuby only supports a subset of the ciphers supported by Java. Recent Javas support many of the elliptic-curve-based ciphers, but not JRuby. However, this issue is specifically about JRuby misinterpreting the OpenSSL cipher string and including all RSA ciphers, instead of only those ciphers that match "EECDH+aRSA+AESGCM" or throwing an error because the cipher spec does not match anything.

Author

aetherknight commented Jun 30, 2014

This is a major issue for me because I am trying to build a single cipher spec string that works in both MRI and in JRuby that contains strong forward secrecy ciphers, but that will still pull in a few non-forward-secrecy ciphers for JRuby (due to the lack of EECDH/ECDHE ciphers exposed in JRuby). However, the "EECDH+aRSA+AESGCM" component pulls in all "aRSA" supported by JRuby instead of matching no ciphers.

Author

aetherknight commented Jun 30, 2014

I opened other issues for the unsupported ciphers (at least, based on the ones that Java 7 and 8 add that are "enabled" by default when using Java's default cipher list):

#1774
#1775

Author

aetherknight commented Jun 30, 2014

Ack, #1775 is a duplicate of an earlier bug I filed: #1738

Author

aetherknight commented Jul 2, 2014

A better example is the cipher string asdf+aRSA:

MRI (expected behavior):

$ ruby --version
ruby 2.0.0p451 (2014-02-24 revision 45167) [x86_64-darwin12.5.0]

$ openssl version
OpenSSL 1.0.1h 5 Jun 2014

$ ruby -ropenssl -e "con = OpenSSL::SSL::SSLContext.new ; con.ciphers = 'asdf+aRSA' ; p con.ciphers "
-e:1:in `ciphers=': SSL_CTX_set_cipher_list: no cipher match (OpenSSL::SSL::SSLError)
    from -e:1:in `<main>'

OpenSSL itself:

$ openssl ciphers asdf+aRSA
Error in cipher list
140735265477472:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:

JRuby behaves as if I only passed it "aRSA":

$ jruby --version
jruby 1.7.13 (1.9.3p392) 2014-06-24 43f133c on Java HotSpot(TM) 64-Bit Server VM 1.7.0_55-b13 [darwin-x86_64]

$ jruby -ropenssl -e "con = OpenSSL::SSL::SSLContext.new ; con.ciphers = 'asdf+aRSA' ; p con.ciphers "
[["AES256-SHA", "TLSv1/SSLv3", 256, 256], ["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256], ["AES128-SHA", "TLSv1/SSLv3", 128, 128], ["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128], ["RC4-SHA", "TLSv1/SSLv3", 128, 128], ["DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168], ["EDH-RSA-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168], ["RC4-MD5", "TLSv1/SSLv3", 128, 128], ["NULL-SHA", "TLSv1/SSLv3", 0, 0], ["NULL-MD5", "TLSv1/SSLv3", 0, 0], ["DES-CBC-SHA", "TLSv1/SSLv3", 56, 56], ["EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 56, 56], ["EXP-RC4-MD5", "TLSv1/SSLv3", 40, 128], ["EXP-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56], ["EXP-EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56]]

headius closed this in 17c67a6 Dec 2, 2014
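
A check that would catch the silent fallback reported in this thread, as an added example that is not part of the thread or of jruby-openssl: after assigning a cipher string, compare the names the context actually holds with what the string was meant to select, and fail closed on any extra. The `INTENDED` and `WEAK` patterns, `audit_ciphers`, `assign_ciphers_checked` and the `ReplayContext` stand-in are assumptions made for the example; the two name lists are the outputs quoted in the opening report.

```ruby
# Added example, not jruby-openssl code: audit the cipher list a context
# actually holds against what the cipher string was meant to select.

# Names JRuby 1.7.13 returned for "EECDH+aRSA+AESGCM" (from the report).
JRUBY_RESULT = %w[
  AES256-SHA DHE-RSA-AES256-SHA AES128-SHA DHE-RSA-AES128-SHA RC4-SHA
  DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA RC4-MD5 NULL-SHA NULL-MD5 DES-CBC-SHA
  EDH-RSA-DES-CBC-SHA EXP-RC4-MD5 EXP-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA
].freeze

# Names OpenSSL 1.0.1h returned for the same string (from the report).
OPENSSL_RESULT = %w[ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256].freeze

# Assumed intent of "EECDH+aRSA+AESGCM", written in OpenSSL cipher naming.
INTENDED = /\AECDHE-RSA-AES(?:128|256)-GCM-SHA(?:256|384)\z/

# Null, export-grade, RC4 and single-DES suites (DES-CBC3 is 3DES, not matched).
WEAK = /\A(?:NULL|EXP)-|(?:\A|-)(?:RC4|DES-CBC)-/

CipherPolicyError = Class.new(StandardError)

# Split effective cipher names into those outside the intent and the weak ones.
def audit_ciphers(names, intended: INTENDED)
  unexpected = names.reject { |n| n.match?(intended) }
  { unexpected: unexpected, weak: unexpected.grep(WEAK) }
end

# Assign +spec+ to +ctx+ (anything with ciphers= / ciphers, such as
# OpenSSL::SSL::SSLContext), then fail closed if the result is empty or
# contains anything outside the intent.
def assign_ciphers_checked(ctx, spec, intended: INTENDED)
  ctx.ciphers = spec
  names = ctx.ciphers.map { |c| c[0] }
  report = audit_ciphers(names, intended: intended)
  if names.empty? || report[:unexpected].any?
    raise CipherPolicyError,
          "#{spec.inspect} selected #{report[:unexpected].size} unintended " \
          "cipher(s), #{report[:weak].size} weak: #{report[:weak].join(' ')}"
  end
  names
end

# Hypothetical stand-in that replays a fixed result, so the check runs offline.
ReplayContext = Struct.new(:result) do
  def ciphers=(_spec); end
  def ciphers; result.map { |n| [n, "TLSv1/SSLv3", 0, 0] }; end
end
```

With a real `OpenSSL::SSL::SSLContext` in place of the stand-in, newer OpenSSL builds may also list TLS 1.3 suites, so widen `intended` to cover the names you expect.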

Author

aetherknight commented Dec 4, 2014

Hey @headius, how does your commit resolve #1768? Was there some underlying issue with instance_eval that caused this problem in jruby-openssl?

Author

aetherknight commented Dec 11, 2014

@enebo @headius This issue was not fixed in JRuby 1.7.17. Please re-open it.

$ jruby --version
jruby 1.7.17 (1.9.3p392) 2014-12-09 fafd1a7 on Java HotSpot(TM) 64-Bit Server VM 1.7.0_55-b13 +jit [darwin-x86_64]

$ jruby -ropenssl -e "con = OpenSSL::SSL::SSLContext.new ; con.ciphers = 'asdf+aRSA' ; p con.ciphers "
[["AES256-SHA", "TLSv1/SSLv3", 256, 256], ["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256], ["AES128-SHA", "TLSv1/SSLv3", 128, 128], ["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128], ["RC4-SHA", "TLSv1/SSLv3", 128, 128], ["DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168], ["EDH-RSA-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168], ["RC4-MD5", "TLSv1/SSLv3", 128, 128], ["NULL-SHA", "TLSv1/SSLv3", 0, 0], ["NULL-MD5", "TLSv1/SSLv3", 0, 0], ["DES-CBC-SHA", "TLSv1/SSLv3", 56, 56], ["EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 56, 56], ["EXP-RC4-MD5", "TLSv1/SSLv3", 40, 128], ["EXP-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56], ["EXP-EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56]]

Member

kares commented Dec 12, 2014

yes, this needs work on the JRuby-OpenSSL side, feel free to reopen at https://github.com/jruby/jruby-openssl
