35765 – make the SSL cipher config in server.xml fail safe, i.e. 128+ bit strength by default

Bug 35765 - make the SSL cipher config in server.xml fail safe, i.e. 128+ bit strength by default

Summary: make the SSL cipher config in server.xml fail safe, i.e. 128+ bit strength by...

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Tomcat 5
Classification:	Unclassified
Component:	Connector:Coyote (show other bugs)
Version:	Nightly Build
Hardware:	Other All

Importance:	P2 enhancement (vote)
Target Milestone:	---
Assignee:	Tomcat Developers Mailing List

URL:	http://java.sun.com/j2se/1.5.0/docs/g...
Keywords:

Depends on:
Blocks:

Reported:	2005-07-16 14:21 UTC by Ralf Hauser
Modified:	2007-03-25 07:51 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralf Hauser 2005-07-16 14:21:29 UTC

When just taking the samples, even null ciphers are accepted!

How about 
1) defining a default cipher suite equivalent to the "MEDIUM:HIGH"
of openssl (http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS) that
is also used by the apache httpd
(http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite)

2) changing org.apache.tomcat.util.net.jsse.JSSESocketFactory.getEnabledCiphers
for the case that 
    requestedCiphers == null
not simply do a 
     enabledCiphers = supportedCiphers;
but use this fail-safe default cipher suite (based upon the above-referenced
JSSERefGuide.html)?

as a quick-fix, I suggest to add a well-visible warning to ssl-howto.xml

Comment 1 Ralf Hauser 2005-07-17 14:45:47 UTC

for jdk1.5, I guess this could be a list to start with: 
public static String
MEDIUM_HIGH="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_RC4_128_SHA,
         SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
         SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
         SSL_DH_anon_WITH_RC4_128_MD5,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
         SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,
         TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
         TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
         TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_256_CBC_SHA,
         TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,
         TLS_KRB5_WITH_RC4_128_MD5,  TLS_KRB5_WITH_RC4_128_SHA,
         TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA";

obviously, there should be also a keyword "ALL" that equals to 
   sslProxy.getSupportedCipherSuites()

Comment 2 Ralf Hauser 2005-09-13 16:26:56 UTC

an easy outside discovery is described in
http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1162 

the related issues in we-axis is http://issues.apache.org/jira/browse/AXIS-2216
(client side).

Comment 3 Yoav Shapira 2007-03-25 07:51:31 UTC

Ralf, it's been two years almost since you filed this issue, and a few months
since you've been a committer with the ability to fix it yourself.  Since it
hasn't been done, and no one's complained or voted or even expressed interest,
I'm guessing it's not going to happen.  Unless you want to do it, in which case
feel free to reopen and then address the issue.