-
-
Notifications
You must be signed in to change notification settings - Fork 15.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JdkSslContext produces invalid supported ciphers #7673
Comments
@slandelle are you sure this was introduced in 4.1.20 ? |
@normanmaurer This renaming was introduced in 449befa which is tagged as 4.1.20. |
My bad, I didn't get what those tags meant in the GH interface. I guess it's from 4.1.13. |
I guess this went unnoticed as |
Motivation: JdkSslContext builds the list of supported cipher suites, but assumes that ciphers prefixed with SSL_ and TLS_ will be interchangeable. However this is not the case and only applies to a small subset of ciphers. This results in the JdkSslContext attempting to use unsupported ciphers. Modifications: - When building the list of ciphers in JdkSslContext we should first check if the engine supports the TLS_ prefix cipher. Result: Fixes netty#7673
http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites
Arg. I guess the names aren't quite interchangeable. See #7677 |
Motivation: JdkSslContext builds the list of supported cipher suites, but assumes that ciphers prefixed with SSL_ and TLS_ will be interchangeable. However this is not the case and only applies to a small subset of ciphers. This results in the JdkSslContext attempting to use unsupported ciphers. Modifications: - When building the list of ciphers in JdkSslContext we should first check if the engine supports the TLS_ prefix cipher. Result: Fixes #7673
Motivation: JdkSslContext builds the list of supported cipher suites, but assumes that ciphers prefixed with SSL_ and TLS_ will be interchangeable. However this is not the case and only applies to a small subset of ciphers. This results in the JdkSslContext attempting to use unsupported ciphers. Modifications: - When building the list of ciphers in JdkSslContext we should first check if the engine supports the TLS_ prefix cipher. Result: Fixes #7673
Motivation: JdkSslContext builds the list of supported cipher suites, but assumes that ciphers prefixed with SSL_ and TLS_ will be interchangeable. However this is not the case and only applies to a small subset of ciphers. This results in the JdkSslContext attempting to use unsupported ciphers. Modifications: - When building the list of ciphers in JdkSslContext we should first check if the engine supports the TLS_ prefix cipher. Result: Fixes netty#7673
Motivation: JdkSslContext builds the list of supported cipher suites, but assumes that ciphers prefixed with SSL_ and TLS_ will be interchangeable. However this is not the case and only applies to a small subset of ciphers. This results in the JdkSslContext attempting to use unsupported ciphers. Modifications: - When building the list of ciphers in JdkSslContext we should first check if the engine supports the TLS_ prefix cipher. Result: Fixes netty#7673
Expected behavior
JdkSslContext should produce valid ciphers that are actually supported by the platform.
Typically, it should be possible to use them in a custom
CipherSuiteFilter
to configure aSSLEngine
.Actual behavior
Netty 4.1.13.Final introduced a workaround for IBM certs naming scheme.
This workaround is based on IBM's statement:
This statement is wrong and transformed names cause
SSLEngine#setEnabledCipherSuites
to crash.On my machine, the following ciphers get transformed with the
SSL
prefix being replaced withTLS
and cause SSLEngine to crash:Steps to reproduce
See reproducer below.
Minimal yet complete reproducer code (or URL to code)
Netty version
Tested on 4.1.20.Final
JVM version (e.g.
java -version
)Java HotSpot(TM) 64-Bit Server VM (build 25.152-b16, mixed mode)
OS version (e.g.
uname -a
)Not relevant
The text was updated successfully, but these errors were encountered: