Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenSSL::SSL::SSLContext#ciphers= "DEFAULT:!aNULL" fails #2193

Closed
jordansissel opened this issue Nov 13, 2014 · 3 comments · Fixed by jruby/jruby-openssl#136
Closed

OpenSSL::SSL::SSLContext#ciphers= "DEFAULT:!aNULL" fails #2193

jordansissel opened this issue Nov 13, 2014 · 3 comments · Fixed by jruby/jruby-openssl#136
Labels
Milestone

Comments

@jordansissel
Copy link
Contributor

@jordansissel jordansissel commented Nov 13, 2014

In trying to disable aNULL ciphers, I get an exception -

The code example below is a minimal reproduction of this problem.

% ruby -ropenssl -e 'ctx = OpenSSL::SSL::SSLContext.new; ctx.ciphers = "DEFAULT:!aNULL"'
OpenSSL::SSL::SSLError: no cipher match
  ciphers= at org/jruby/ext/openssl/SSLContext.java:391
    (root) at -e:1

The following examples do not raise exceptions:

  • ctx.ciphers = "DEFAULT"
  • ctx.ciphers = "aNULL"
  • ctx.ciphers = "ALL:!aNULL"

Interestingly, if I look at the ciphers for DEFAULT and for aNULL specifically, I see no overlap:

[12] pry(main)> default.sort
=> [["AES128-SHA", "TLSv1/SSLv3", 128, 128],
 ["AES256-SHA", "TLSv1/SSLv3", 256, 256],
 ["DES-CBC-SHA", "TLSv1/SSLv3", 56, 56],
 ["DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168],
 ["DHE-DSS-AES128-SHA", "TLSv1/SSLv3", 128, 128],
 ["DHE-DSS-AES256-SHA", "TLSv1/SSLv3", 256, 256],
 ["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
 ["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
 ["EDH-DSS-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168],
 ["EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 56, 56],
 ["EDH-RSA-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168],
 ["EXP-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56],
 ["EXP-EDH-DSS-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56],
 ["EXP-EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56],
 ["EXP-RC4-MD5", "TLSv1/SSLv3", 40, 128],
 ["RC4-MD5", "TLSv1/SSLv3", 128, 128],
 ["RC4-SHA", "TLSv1/SSLv3", 128, 128]]
[13] pry(main)> null.sort
=> [["ADH-AES128-SHA", "TLSv1/SSLv3", 128, 128],
 ["ADH-AES256-SHA", "TLSv1/SSLv3", 256, 256],
 ["ADH-DES-CBC-SHA", "TLSv1/SSLv3", 56, 56],
 ["ADH-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168],
 ["ADH-RC4-MD5", "TLSv1/SSLv3", 128, 128],
 ["EXP-ADH-DES-CBC-SHA", "TLSv1/SSLv3", 40, 128],
 ["EXP-ADH-RC4-MD5", "TLSv1/SSLv3", 40, 128]]

All the aNULL ciphers use anonymous diffie-helman. None of the DEFAULT ones do.


As a workaround, I think I can generate my own list of ciphers using this kind of hack:


def ciphers(string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = string
  ctx.ciphers
end

Then doing something like:

ctx.ciphers = ciphers("DEFAULT") - ciphers("aNULL") - ciphers("eNULL") ...

@jordansissel
Copy link
Contributor Author

@jordansissel jordansissel commented Nov 13, 2014

Environment details:

jruby 1.7.16 (1.9.3p392) 2014-09-25 575b395 on OpenJDK 64-Bit Server VM 1.7.0_65-b32 +jit [linux-amd64]
java version "1.7.0_65"
OpenJDK Runtime Environment (IcedTea 2.5.2) (7u65-2.5.2-3~14.04)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)

@jordansissel
Copy link
Contributor Author

@jordansissel jordansissel commented Dec 9, 2014

Present in JRuby 1.7.17. I'm hoping to tackle this in the next few weeks, but no promises :)

kares pushed a commit to jruby/jruby-openssl that referenced this issue Jun 12, 2017
move "DEFAULT" special case handling further down and match OpenSSL behaviour
fixes jruby/jruby#2193
@kares kares added the openssl label Jun 12, 2017
@kares
Copy link
Member

@kares kares commented Jun 12, 2017

a fix from @MSNexploder is expected to be part of jruby-openssl >= 0.9.21

@kares kares added this to the Non-Release milestone Jun 12, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants