Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenSSL::SSL::SSLContext#ciphers= "DEFAULT:!aNULL" fails #2193

Closed
jordansissel opened this issue Nov 13, 2014 · 3 comments · Fixed by jruby/jruby-openssl#136
Closed

OpenSSL::SSL::SSLContext#ciphers= "DEFAULT:!aNULL" fails #2193

jordansissel opened this issue Nov 13, 2014 · 3 comments · Fixed by jruby/jruby-openssl#136
Labels
openssl
Milestone
Non-Release

Comments

@jordansissel
Copy link
Contributor

In trying to disable aNULL ciphers, I get an exception -

The code example below is a minimal reproduction of this problem.

% ruby -ropenssl -e 'ctx = OpenSSL::SSL::SSLContext.new; ctx.ciphers = "DEFAULT:!aNULL"'
OpenSSL::SSL::SSLError: no cipher match
  ciphers= at org/jruby/ext/openssl/SSLContext.java:391
    (root) at -e:1

The following examples do not raise exceptions:

  • ctx.ciphers = "DEFAULT"
  • ctx.ciphers = "aNULL"
  • ctx.ciphers = "ALL:!aNULL"

Interestingly, if I look at the ciphers for DEFAULT and for aNULL specifically, I see no overlap:

[12] pry(main)> default.sort
=> [["AES128-SHA", "TLSv1/SSLv3", 128, 128],
 ["AES256-SHA", "TLSv1/SSLv3", 256, 256],
 ["DES-CBC-SHA", "TLSv1/SSLv3", 56, 56],
 ["DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168],
 ["DHE-DSS-AES128-SHA", "TLSv1/SSLv3", 128, 128],
 ["DHE-DSS-AES256-SHA", "TLSv1/SSLv3", 256, 256],
 ["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
 ["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
 ["EDH-DSS-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168],
 ["EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 56, 56],
 ["EDH-RSA-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168],
 ["EXP-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56],
 ["EXP-EDH-DSS-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56],
 ["EXP-EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56],
 ["EXP-RC4-MD5", "TLSv1/SSLv3", 40, 128],
 ["RC4-MD5", "TLSv1/SSLv3", 128, 128],
 ["RC4-SHA", "TLSv1/SSLv3", 128, 128]]
[13] pry(main)> null.sort
=> [["ADH-AES128-SHA", "TLSv1/SSLv3", 128, 128],
 ["ADH-AES256-SHA", "TLSv1/SSLv3", 256, 256],
 ["ADH-DES-CBC-SHA", "TLSv1/SSLv3", 56, 56],
 ["ADH-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168],
 ["ADH-RC4-MD5", "TLSv1/SSLv3", 128, 128],
 ["EXP-ADH-DES-CBC-SHA", "TLSv1/SSLv3", 40, 128],
 ["EXP-ADH-RC4-MD5", "TLSv1/SSLv3", 40, 128]]

All the aNULL ciphers use anonymous diffie-helman. None of the DEFAULT ones do.

As a workaround, I think I can generate my own list of ciphers using this kind of hack:


def ciphers(string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = string
  ctx.ciphers
end

Then doing something like:

ctx.ciphers = ciphers("DEFAULT") - ciphers("aNULL") - ciphers("eNULL") ...
@jordansissel
Copy link
Contributor Author

Environment details:

jruby 1.7.16 (1.9.3p392) 2014-09-25 575b395 on OpenJDK 64-Bit Server VM 1.7.0_65-b32 +jit [linux-amd64]
java version "1.7.0_65"
OpenJDK Runtime Environment (IcedTea 2.5.2) (7u65-2.5.2-3~14.04)
OpenJDK 64-Bit Server VM (build 24.65-b04, mixed mode)

@jordansissel
Copy link
Contributor Author

Present in JRuby 1.7.17. I'm hoping to tackle this in the next few weeks, but no promises :)

@MSNexploder MSNexploder mentioned this issue Jun 11, 2017
Merged
kares pushed a commit to jruby/jruby-openssl that referenced this issue Jun 12, 2017
@MSNexploder @kares
move "DEFAULT" handling right into CipherStrings (#136)
0045ab7 
move "DEFAULT" special case handling further down and match OpenSSL behaviour
fixes jruby/jruby#2193
@kares kares added the openssl label Jun 12, 2017
@kares
Copy link
Member

kares commented Jun 12, 2017

a fix from @MSNexploder is expected to be part of jruby-openssl >= 0.9.21

@kares kares added this to the Non-Release milestone Jun 12, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
openssl
Projects
None yet
Milestone
Non-Release
Development

Successfully merging a pull request may close this issue.

move "DEFAULT" handling right into CipherStrings MSNexploder/jruby-openssl
2 participants
@kares @jordansissel