
Cannot activate TLSv1.2 cipher suites on client on Java7

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 2.7.13, 2.7.14, 2.7.15
    • Fix Version/s: None
    • Component/s: Transports
    • Labels:
      None
    • Environment:

      JRE 1.7.0_76, CXF 2.7.13-2.7.15 (previous versions not checked)

    • Estimated Complexity:
      Moderate

      Description

      The Java 7 JRE has distinct behaviors for client and server SSL sockets (see the JSSE reference).
      On a server socket TLSv1.1 and TLSv1.2 are enabled by default, whereas on a client socket both are disabled by default (but can be enabled with setEnabledProtocols()).
      These settings have been reverted for Java 8.

      The problem with CXF lies in cxf-rt-transports-http.jar, in org.apache.cxf.transport.https.SSLSocketFactoryWrapper.enableCipherSuites(...):

          private Socket enableCipherSuites(Socket s, Object[] logParams) {
              SSLSocket socket = (SSLSocket)s;
              
              // cipher suites are applied first, while the socket still has the
              // JRE's default protocol set (on a Java 7 client: no TLSv1.1/TLSv1.2)
              if ((socket != null) && (ciphers != null)) {
                  socket.setEnabledCipherSuites(ciphers);
              }
              // the configured protocol is only enabled afterwards
              if ((socket != null) && (protocol != null)) {
                  String p[] = findProtocols(protocol, socket.getSupportedProtocols());
                  if (p != null) {
                      socket.setEnabledProtocols(p);
                  }
              }
              if (socket == null) {
                  LogUtils.log(LOG, Level.SEVERE,
                               "PROBLEM_CREATING_OUTBOUND_REQUEST_SOCKET", 
                               logParams);
              }
      
              return socket;        
          }
      

      This code does not permit enabling the TLSv1.2-only cipher suites on the client.
      It produces

      Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite 
      	at sun.security.ssl.CipherSuite.valueOf(Unknown Source) ~[na:1.7.0_76]
      	at sun.security.ssl.CipherSuiteList.<init>(Unknown Source) ~[na:1.7.0_76]
      	at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(Unknown Source) ~[na:1.7.0_76]
      	at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.enableCipherSuites(SSLSocketFactoryWrapper.java:101)
      

      because when setEnabledCipherSuites() is called, TLSv1.2 is not (yet) enabled.
      IMHO setEnabledProtocols() should be called first.
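      The ordering the reporter proposes, as an added stand-alone example (this is not CXF code and not the reporter's code): enable the requested protocols first, then enable only those requested cipher suites that the socket reports as supported. The Javadoc of SSLSocket.setEnabledCipherSuites() states that it throws IllegalArgumentException when any named suite is not supported, so intersecting the request with getSupportedCipherSuites() turns that exception into a diagnostic. The class name ClientTlsSetup, the helper intersect() and the requested protocol and suite names are constructed for the example; which of those names a given JRE supports is printed rather than assumed. The socket is created unconnected, so the program runs without network access.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example, not part of Apache CXF: protocols first, then supported cipher suites only.
public class ClientTlsSetup {

    // Keeps the entries of 'wanted' that also occur in 'supported', preserving 'wanted' order.
    static String[] intersect(String[] wanted, String[] supported) {
        Set<String> have = new HashSet<String>(Arrays.asList(supported));
        List<String> out = new ArrayList<String>();
        for (String w : wanted) {
            if (have.contains(w)) {
                out.add(w);
            }
        }
        return out.toArray(new String[out.size()]);
    }

    static void configure(SSLSocket socket, String[] protocols, String[] ciphers) {
        // 1. Protocols first: on a Java 7 client TLSv1.1/TLSv1.2 are off by default,
        //    so a TLSv1.2 handshake is only possible after this call.
        String[] p = intersect(protocols, socket.getSupportedProtocols());
        if (p.length == 0) {
            throw new IllegalStateException("none of " + Arrays.toString(protocols)
                + " is supported; JRE supports " + Arrays.toString(socket.getSupportedProtocols()));
        }
        socket.setEnabledProtocols(p);

        // 2. Cipher suites: filter against getSupportedCipherSuites() so that a name this JRE
        //    does not implement is reported instead of raising "Unsupported ciphersuite".
        String[] c = intersect(ciphers, socket.getSupportedCipherSuites());
        List<String> kept = Arrays.asList(c);
        for (String requested : ciphers) {
            if (!kept.contains(requested)) {
                System.err.println("cipher suite not supported by this JRE, skipped: " + requested);
            }
        }
        if (c.length == 0) {
            throw new IllegalStateException("no requested cipher suite is supported by this JRE");
        }
        socket.setEnabledCipherSuites(c);
    }

    public static void main(String[] args) throws IOException {
        // Unconnected client socket: sufficient to inspect and change protocol/suite settings offline.
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        System.out.println("java.version=" + System.getProperty("java.version"));
        System.out.println("default enabled protocols: " + Arrays.toString(s.getEnabledProtocols()));
        System.out.println("supported protocols:       " + Arrays.toString(s.getSupportedProtocols()));

        // Constructed request: a SHA256 (TLSv1.2-only) suite and a SHA-1 suite usable on TLSv1 as well.
        String[] wantProtocols = {"TLSv1.2", "TLSv1.1", "TLSv1"};
        String[] wantCiphers = {
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
        };
        configure(s, wantProtocols, wantCiphers);
        System.out.println("enabled protocols now:     " + Arrays.toString(s.getEnabledProtocols()));
        System.out.println("enabled cipher suites now: " + Arrays.toString(s.getEnabledCipherSuites()));
        s.close();
    }
}
```

      Run it on the JRE in question (javac ClientTlsSetup.java && java ClientTlsSetup): if a requested suite is skipped with the "not supported by this JRE" message even after TLSv1.2 has been enabled, the JRE does not implement that suite at all and no ordering of the two calls will make it available.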

            People

            • Assignee: coheigea Colm O hEigeartaigh
            • Reporter: slx SL
            • Votes: 0
            • Watchers: 2
