https://bz.apache.org/bugzilla/show_bug.cgi?id=59081
Bug ID: 59081
Summary: Cipher ordering not working
Product: Tomcat 9
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
If I configure a JSSE connector (NIO) with the JSSE implementation and an explicit
JSSE cipher list, my resulting list of enabled ciphers is ordered differently from
what I configured.
The reason for that seems to be in method SSLUtilBase.getEnabled, which creates
the list of enabled ciphers like this:
enabled.addAll(implemented);
enabled.retainAll(configured);
The resulting list contains the intersection of the configured and implemented
ciphers, but in the order of the implemented ciphers, and that is not what the
user wants. I guess it should keep the order of the configured ciphers, like this:
enabled.addAll(configured);
enabled.retainAll(implemented);
Right?
The second issue with cipher ordering is that
OpenSSLCipherConfigurationParser.parse always returns:
return defaultSort(ciphers);
I am not sure what's the intention here, because defaultSort method may change
user-defined cipher order.
My cipher configuration:
[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]
defaultSort(ciphers) changes order to:
[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]
And getEnabled changes order to:
[TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
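As an added illustration (not part of the report or of Tomcat's code), the following Java program reproduces the two `getEnabled` variants discussed above on the configured list from the report, using a constructed stand-in for the provider's implemented-cipher order, and adds a check that tells whether a resulting enabled list still follows the configured order.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CipherOrderDemo {
    // Configured cipher order, taken from the bug report.
    static final List<String> CONFIGURED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA");

    // Constructed example of a provider's implemented-cipher order; it stands in
    // for what the SSLEngine reports as supported and is not Tomcat's data.
    static final List<String> IMPLEMENTED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA");

    // Behaviour described in the report: the result follows IMPLEMENTED order.
    static List<String> enabledAsReported(List<String> implemented, List<String> configured) {
        List<String> enabled = new ArrayList<>(implemented);
        enabled.retainAll(configured);
        return enabled;
    }

    // Fix proposed in the report: the result follows CONFIGURED order.
    static List<String> enabledConfiguredOrder(List<String> implemented, List<String> configured) {
        List<String> enabled = new ArrayList<>(configured);
        enabled.retainAll(implemented);
        return enabled;
    }

    // True only if every enabled suite is configured and appears in configured order,
    // so an operator can verify a connector's effective list against its intent.
    static boolean preservesConfiguredOrder(List<String> enabled, List<String> configured) {
        int last = -1;
        for (String suite : enabled) {
            int idx = configured.indexOf(suite);   // -1 (unconfigured) also fails the check
            if (idx <= last) return false;
            last = idx;
        }
        return true;
    }

    public static void main(String[] args) {
        List<String> reported = enabledAsReported(IMPLEMENTED, CONFIGURED);
        List<String> fixed = enabledConfiguredOrder(IMPLEMENTED, CONFIGURED);
        System.out.println("as reported: " + reported + " ordered=" + preservesConfiguredOrder(reported, CONFIGURED));
        System.out.println("fixed:       " + fixed + " ordered=" + preservesConfiguredOrder(fixed, CONFIGURED));
    }
}
```

The first variant yields the implemented order (the check reports false), the second yields the configured order (true); the one implemented-only suite is dropped by both.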