https://bz.apache.org/bugzilla/show_bug.cgi?id=67628
Bug ID: 67628
Summary: OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: micha...@apache.org
Target Milestone: ----

This likely happens in all maintained versions; I have just observed this in 8.5.94-dev.

This one took me some hours to understand and analyze. After 7129db33aa2797b8da17a9aeffeedfafdc725e7a I see false positive warnings which are almost impossible to analyze for many users. I am running off Java 8 and OpenSSL 1.1.1t (HP-UX), 1.1.1w-freebsd/3.0.11 (FreeBSD).

Consider the following config in server.xml:

> <SSLHostConfig hostName="..." protocols="TLSv1.2+TLSv1.3"
>     honorCipherOrder="true" disableSessionTickets="true"
>     ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384">
>   <Certificate certificateFile="..." certificateKeyFile="..."
>       certificateKeyPassword="..." type="RSA" />
> </SSLHostConfig>

Suddenly I see the following warning:

> 2023-10-05T21:36:05.274 WARNUNG [main]
> org.apache.tomcat.util.net.SSLUtilBase.getEnabled Some of the specified
> [ciphers] are not supported by the SSL engine and have been skipped:
> [[TLS_DH_DSS_WITH_AES_256_GCM_SHA384, TLS_DH_RSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_AES_128_CCM_SHA256, TLS_DH_DSS_WITH_AES_128_GCM_SHA256,
> TLS_DH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256]]

I have started diffing my config back and forth, but wasn't able to spot the issue comparing my cipher expression compared to ALL. Added the following diff to better understand the issue:

> diff --git a/java/org/apache/tomcat/util/net/SSLUtilBase.java > b/java/org/apache/tomcat/util/net/SSLUtilBase.java > index d300737f69..7f62a18ca7 100644
> --- a/java/org/apache/tomcat/util/net/SSLUtilBase.java > +++ b/java/org/apache/tomcat/util/net/SSLUtilBase.java 
> @@ -175,0 +176,1 @@ public abstract class SSLUtilBase implements SSLUtil { > + log.info("[" + name + "] with configured: " + configured + ", > implemented: " + implemented + ", enabled: " + enabled);

Still doesn't work out for me. Looking at SSLUtilBase:

> List<String> configuredCiphers = sslHostConfig.getJsseCipherNames();
> Set<String> implementedCiphers = getImplementedCiphers();

Returns false data! While #getImplementedCiphers() truly returns the implemented ciphers by the underlying OpenSSL version, sslHostConfig.getJsseCipherNames() does NOT invoke OpenSSL at all. It invokes "OpenSSLCipherConfigurationParser.parse(getCiphers());" which gives me:

> TLS_AES_128_CCM_SHA256
> TLS_AES_128_GCM_SHA256
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
> TLS_DHE_RSA_WITH_AES_128_CCM
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_256_CCM
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_DH_DSS_WITH_AES_128_GCM_SHA256
> TLS_DH_DSS_WITH_AES_256_GCM_SHA384
> TLS_DH_RSA_WITH_AES_128_GCM_SHA256
> TLS_DH_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_AES_128_CCM
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_CCM
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_RSA_WITH_ARIA_256_GCM_SHA384

The parsing and IANA mapping is done by Tomcat, NOT OpenSSL. Now let's invoke OpenSSL:

> # openssl version
> OpenSSL 1.1.1t 7 Feb 2023
> # openssl ciphers -stdname 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384' | cut -d ' ' -f 1 | sort
> TLS_AES_128_GCM_SHA256
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
> TLS_DHE_RSA_WITH_AES_128_CCM
> TLS_DHE_RSA_WITH_AES_128_CCM_8
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_256_CCM
> TLS_DHE_RSA_WITH_AES_256_CCM_8
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_RSA_WITH_AES_128_CCM
> TLS_RSA_WITH_AES_128_CCM_8
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_CCM
> TLS_RSA_WITH_AES_256_CCM_8
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_RSA_WITH_ARIA_256_GCM_SHA384

> $ openssl version
> OpenSSL 1.1.1w-freebsd 11 Sep 2023
> $ openssl ciphers -stdname 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384' | cut -d ' ' -f 1 | sort
> TLS_AES_128_GCM_SHA256
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
> TLS_DHE_RSA_WITH_AES_128_CCM
> TLS_DHE_RSA_WITH_AES_128_CCM_8
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_256_CCM
> TLS_DHE_RSA_WITH_AES_256_CCM_8
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_RSA_WITH_AES_128_CCM
> TLS_RSA_WITH_AES_128_CCM_8
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_CCM
> TLS_RSA_WITH_AES_256_CCM_8
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_RSA_WITH_ARIA_256_GCM_SHA384

> $ openssl version
> OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
> $ openssl ciphers -stdname 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384' | cut -d ' ' -f 1 | sort
> TLS_AES_128_GCM_SHA256
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
> TLS_DHE_RSA_WITH_AES_128_CCM
> TLS_DHE_RSA_WITH_AES_128_CCM_8
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_256_CCM
> TLS_DHE_RSA_WITH_AES_256_CCM_8
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_RSA_WITH_AES_128_CCM
> TLS_RSA_WITH_AES_128_CCM_8
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_CCM
> TLS_RSA_WITH_AES_256_CCM_8
> TLS_RSA_WITH_AES_256_GCM_SHA384

On Windows, compiled according to our instruction and patches:

> PS> .\openssl version
> OpenSSL 1.1.1w 11 Sep 2023
> PS> .\openssl ciphers -stdname 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384' | foreach-object { $_.split(" ")[0]} | sort-object
> TLS_AES_128_GCM_SHA256
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
> TLS_DHE_RSA_WITH_AES_128_CCM
> TLS_DHE_RSA_WITH_AES_128_CCM_8
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_256_CCM
> TLS_DHE_RSA_WITH_AES_256_CCM_8
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_RSA_WITH_AES_128_CCM
> TLS_RSA_WITH_AES_128_CCM_8
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_CCM
> TLS_RSA_WITH_AES_256_CCM_8
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_RSA_WITH_ARIA_256_GCM_SHA384

> PS> .\openssl version
> OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
> PS> .\openssl ciphers -stdname 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384' | foreach-object { $_.split(" ")[0]} | sort-object
> TLS_AES_128_GCM_SHA256
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
> TLS_DHE_RSA_WITH_AES_128_CCM
> TLS_DHE_RSA_WITH_AES_128_CCM_8
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_256_CCM
> TLS_DHE_RSA_WITH_AES_256_CCM_8
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM
> TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM
> TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> TLS_RSA_WITH_AES_128_CCM
> TLS_RSA_WITH_AES_128_CCM_8
> TLS_RSA_WITH_AES_128_GCM_SHA256
> TLS_RSA_WITH_AES_256_CCM
> TLS_RSA_WITH_AES_256_CCM_8
> TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS_RSA_WITH_ARIA_128_GCM_SHA256
> TLS_RSA_WITH_ARIA_256_GCM_SHA384

OpenSSL gives us fewer ciphers than the Tomcat parser. So whatever I have requested from OpenSSL and verified on the command line is not what is passed to OpenSSL. This is confusing and not documented (?). Especially because I have excluded DSS explicitly, but it is back with a warning.

----------

Ideally (a) either the data is retrieved live from OpenSSL, (b) or documentation and log message somehow depict that this might not always be correct.
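
Review bot: the `log.info(...)` line added by the `@@ -175,0 +176,1 @@` hunk in SSLUtilBase.java builds its message by concatenating `configured`, `implemented` and `enabled` and emits it at INFO level. If this line is meant to stay beyond local debugging, log it at debug level behind a `log.isDebugEnabled()` check so the three collections are not stringified and printed on every normal start.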
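
The comparison the report does by eye, as an added example (not part of the original report and not Tomcat code): it diffs the names produced by Tomcat's parser against the names OpenSSL resolves for the same expression. The function names and file names are assumptions, and the sample lines are a constructed subset of the lists quoted above.

```shell
#!/bin/sh
# Added example, not Tomcat code: diff the names Tomcat's parser derives from
# a cipher expression against what the local OpenSSL resolves for it.
LC_ALL=C; export LC_ALL          # comm(1) needs one consistent sort order
workdir=$(mktemp -d); trap 'rm -rf "$workdir"' EXIT

# First field of each line, sorted (the report's `cut -d ' ' -f 1 | sort`).
std_names() { cut -d ' ' -f 1 "$1" | sort -u; }

# Names only the parser yields: candidates for the "not supported by the
# SSL engine and have been skipped" warning.
parser_only() {
    std_names "$1" > "$workdir/p"; std_names "$2" > "$workdir/o"
    comm -23 "$workdir/p" "$workdir/o"
}

# Names only OpenSSL yields: ciphers the parser never hands to the engine.
openssl_only() {
    std_names "$1" > "$workdir/p"; std_names "$2" > "$workdir/o"
    comm -13 "$workdir/p" "$workdir/o"
}

# Constructed sample: a few names taken from the report's two lists.
# parser.txt stands for OpenSSLCipherConfigurationParser.parse() output;
# openssl.txt stands for `openssl ciphers -stdname '<expr>'` output
# (the columns after the first are constructed).
cat > "$workdir/parser.txt" <<'EOF'
TLS_AES_128_CCM_SHA256
TLS_AES_128_GCM_SHA256
TLS_DH_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CCM
EOF
cat > "$workdir/openssl.txt" <<'EOF'
TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_RSA_WITH_AES_128_CCM - AES128-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD
TLS_RSA_WITH_AES_128_CCM_8 - AES128-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
EOF

echo "parser only:";  parser_only  "$workdir/parser.txt" "$workdir/openssl.txt"
echo "openssl only:"; openssl_only "$workdir/parser.txt" "$workdir/openssl.txt"
```

For a live check, write the output of `openssl ciphers -stdname '<expr>'` to the second file and the parser's names, one per line, to the first.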