Investigate a more sensible set of default cipher suites
--------------------------------------------------------

                 Key: CXF-1456
                 URL: https://issues.apache.org/jira/browse/CXF-1456
             Project: CXF
          Issue Type: Bug
    Affects Versions: 2.0.4
         Environment: Ubuntu Linux 7.10, Sun JRE 1.5.0_13-b05, standard JCE 
jurisdiction policy ('unlimited' policy not installed)

            Reporter: Travis Gebhardt
            Priority: Minor


I've been working on upgrading an older XFire client to CXF and hit some 
problems connecting to a HTTPS endpoint.

The new CXF client kept failing with SSL handshake errors. After doing some 
research and comparisons to the working XFire client, I discovered that the 
handshake was failing because the cipher suite, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
was missing from the default cipher list in CXF. I had expected this to "just 
work" since my XFire client didn't do anything special with cipher suites. 
After adding SSL_RSA_WITH_3DES_EDE_CBC_SHA to the CXF client's cipher suites 
list, the handshake worked fine.

According to Donal, 3DES_EDE_CBC_SHA is a commonly used and strong cipher 
suite. Perhaps it makes sense to add this and other sensible cipher suites to 
the default cipher suite list? If there is a reason why it shouldn't be added 
then it would be helpful to add a note on the XFire to CXF upgrade document 
describing the differences in default cipher suites so that others won't face 
this same issue when upgrading clients.

For the original post to cxf-users and Donal's reply which offers some 
guidelines for choosing sensible default cipher suites, please see this:
http://www.nabble.com/upgrading-from-XFire---SSL-handshake-errors-td15725238.html

Failed handshake logs:

INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, 
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, 
TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
%% No cached client session
*** ClientHello, SSLv3
RandomCookie:  GMT: 1187298740 bytes = { 113, 45, 193, 158, 214, 231, 11, 225, 
197, 38, 3, 179, 175, 26, 25, 234, 108, 241, 155, 106, 191, 62, 221, 65, 209, 
8, 182, 48 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, 
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5, 
SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, 
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, 
TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
Compression Methods:  { 0 }
***
WRITE: SSLv3 Handshake, length = 79
WRITE: SSLv2 client hello message, length = 101
READ: SSLv3 Alert, length = 2
RECV TLSv1 ALERT:  fatal, handshake_failure
called closeSocket()
handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: 
handshake_failure
Feb 27, 2008 2:49:08 PM org.apache.cxf.phase.PhaseInterceptorChain doIntercept
INFO: Interceptor has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Error writing to XMLStreamWriter.
        at 
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.writeSoapEnvelopeStart(SoapOutInterceptor.java:136)
        at 
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:76)
        at 
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:57)
        at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:208)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
        at 
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
        at $Proxy48.localAuthenticationQuery(Unknown Source) ...
Caused by: javax.xml.stream.XMLStreamException
        at 
com.sun.xml.stream.writers.XMLStreamWriterImpl.writeStartElement(XMLStreamWriterImpl.java:1210)
        at 
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.writeSoapEnvelopeStart(SoapOutInterceptor.java:95)
        ... 16 more
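To make the failure in the log above concrete, here is an added Python script (not CXF code and not the reporter's) that parses the "cipher suites have been set to" INFO line, tags each default suite with the property that makes it unfit for a default list, and reports whether the suite the reporter needed is present. The weakness markers are my own policy for this check, not CXF's; the sample log line is copied from the issue.

```python
import re

# The INFO line from the failed-handshake log in this issue (CXF 2.0.4 on JRE 1.5),
# rejoined onto one line because the mail wrapped it.
LOG_LINE = (
    "INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA, "
    "SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, "
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, "
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, "
    "SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, "
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, "
    "TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, "
    "TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, "
    "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5."
)

# Substrings of a JSSE suite name that disqualify it from a sensible default list.
# This policy is an assumption of this example, not anything CXF ships.
# Note "_DES_" does not match "3DES_" (the character before "DES" is "3"), so the
# suite the reporter needed is not flagged by it.
WEAK_MARKERS = {
    "NULL": "no encryption",
    "anon": "anonymous key exchange (server not authenticated)",
    "EXPORT": "export-grade key length",
    "_DES_": "single DES (56-bit key)",
    "RC4_40": "40-bit RC4",
    "_MD5": "MD5 MAC",
}


def parse_cipher_suites(log_text):
    """Return the suite names listed after 'cipher suites have been set to'."""
    m = re.search(r"cipher suites have been set to (.*)", log_text)
    if not m:
        return []
    return [s.strip() for s in m.group(1).rstrip(". ").split(",") if s.strip()]


def weaknesses(suite):
    """All policy reasons that make this suite unfit for a default list."""
    return [reason for marker, reason in WEAK_MARKERS.items() if marker in suite]


def audit(log_text, required=("SSL_RSA_WITH_3DES_EDE_CBC_SHA",)):
    """Classify the configured suites and check that every required one is present."""
    suites = parse_cipher_suites(log_text)
    weak = {s: weaknesses(s) for s in suites if weaknesses(s)}
    strong = [s for s in suites if s not in weak]
    missing = [r for r in required if r not in suites]
    return {"total": len(suites), "weak": weak, "strong": strong, "missing": missing}
```

Run against the log above, every one of the 18 default suites is flagged and SSL_RSA_WITH_3DES_EDE_CBC_SHA is reported missing, which is exactly why the server answered with handshake_failure.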



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
