
jruby-openssl 0.9.7 omits ECDHE cipher suites from its set_params default cipher suite list

Open aetherknight opened this issue 10 years ago • 2 comments

If you do not call set_params on an SSLContext, jruby-openssl supports ECDHE cipher suites, although it does prefer EXPORT cipher suites over better cipher suites.

If you do call set_params, then you lose the better cipher suites.

Version details

$ java -version
java version "1.7.0_55"
Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)

$ jruby --version
jruby 1.7.20.1 (1.9.3p551) 2015-06-10 d7c8c27 on Java HotSpot(TM) 64-Bit Server VM 1.7.0_55-b13 +jit [darwin-x86_64]

jruby-openssl without set_params:

$ jruby -ropenssl -e 'OpenSSL::SSL::SSLContext.new.ciphers.each { |c| p c}'
["EXP-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56]
["EXP-EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56]
["EXP-EDH-DSS-DES-CBC-SHA", "TLSv1/SSLv3", 40, 56]
["EXP-RC4-MD5", "TLSv1/SSLv3", 40, 128]
["DES-CBC-SHA", "TLSv1/SSLv3", 56, 56]
["EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 56, 56]
["ECDHE-ECDSA-AES128-SHA256", "TLSv1/SSLv3", 128, 256]
["ECDHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 256]
["ECDH-ECDSA-AES128-SHA256", "TLSv1/SSLv3", 128, 256]
["ECDH-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 256]
["ECDHE-ECDSA-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["ECDHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["AES128-SHA", "TLSv1/SSLv3", 128, 128]
["ECDH-ECDSA-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["ECDH-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["DHE-DSS-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["RC4-SHA", "TLSv1/SSLv3", 128, 128]
["RC4-MD5", "TLSv1/SSLv3", 128, 128]
["DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168]
["EDH-RSA-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168]
["EDH-DSS-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168]
["ECDHE-ECDSA-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["ECDHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["AES256-SHA", "TLSv1/SSLv3", 256, 256]
["ECDH-ECDSA-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["ECDH-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["DHE-DSS-AES256-SHA", "TLSv1/SSLv3", 256, 256]

jruby-openssl with set_params:

$ jruby -ropenssl -e 'context=OpenSSL::SSL::SSLContext.new; context.set_params; context.ciphers.each { |c| p c}'
["AES256-SHA", "TLSv1/SSLv3", 256, 256]
["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["DHE-DSS-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["AES128-SHA", "TLSv1/SSLv3", 128, 128]
["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["DHE-DSS-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168]
["EDH-RSA-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168]
["EDH-DSS-DES-CBC3-SHA", "TLSv1/SSLv3", 168, 168]
["RC4-SHA", "TLSv1/SSLv3", 128, 128]
["RC4-MD5", "TLSv1/SSLv3", 128, 128]
["DES-CBC-SHA", "TLSv1/SSLv3", 56, 56]
["EDH-RSA-DES-CBC-SHA", "TLSv1/SSLv3", 56, 56]

MRI 2.2 (and 2.0-p645) with set_params:

$ ruby -ropenssl -e 'context=OpenSSL::SSL::SSLContext.new; context.set_params; context.ciphers.each { |c| p c}'
["ECDHE-ECDSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128]
["ECDHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128]
["ECDHE-ECDSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256]
["ECDHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256]
["DHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128]
["DHE-DSS-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128]
["DHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256]
["DHE-DSS-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256]
["ECDHE-ECDSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128]
["ECDHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128]
["ECDHE-ECDSA-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["ECDHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["ECDHE-ECDSA-AES256-SHA384", "TLSv1/SSLv3", 256, 256]
["ECDHE-RSA-AES256-SHA384", "TLSv1/SSLv3", 256, 256]
["ECDHE-ECDSA-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["ECDHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["DHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128]
["DHE-RSA-AES256-SHA256", "TLSv1/SSLv3", 256, 256]
["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["DHE-DSS-AES128-SHA256", "TLSv1/SSLv3", 128, 128]
["DHE-DSS-AES256-SHA256", "TLSv1/SSLv3", 256, 256]
["DHE-DSS-AES128-SHA", "TLSv1/SSLv3", 128, 128]
["DHE-DSS-AES256-SHA", "TLSv1/SSLv3", 256, 256]
["AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128]
["AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256]
["AES128-SHA256", "TLSv1/SSLv3", 128, 128]
["AES256-SHA256", "TLSv1/SSLv3", 256, 256]
["AES128-SHA", "TLSv1/SSLv3", 128, 128]
["AES256-SHA", "TLSv1/SSLv3", 256, 256]
["ECDHE-ECDSA-RC4-SHA", "TLSv1/SSLv3", 128, 128]
["ECDHE-RSA-RC4-SHA", "TLSv1/SSLv3", 128, 128]
["RC4-SHA", "TLSv1/SSLv3", 128, 128]


aetherknight avatar Jun 19 '15 01:06 aetherknight

It also appears to prefer AES256-SHA over DHE cipher suites that provide forward secrecy (albeit usually with 1024-bit finite field Diffie-Hellman).

aetherknight avatar Jun 19 '15 01:06 aetherknight
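The two observations above (no ECDHE after set_params, and a non-forward-secret suite ranked first) can be checked mechanically on any ordered cipher list. The following is an added example, not code from the issue or from jruby-openssl; the helper names (`key_exchange`, `forward_secret?`, `weak?`, `audit`) are hypothetical, and the sample lists are copied from the output quoted in the issue.

```ruby
# Added example: audit an ordered list of OpenSSL-style cipher suite names.
# Sample input: names taken from the jruby-openssl set_params output in the issue.
JRUBY_SET_PARAMS = %w[
  AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES128-SHA
  DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
  EDH-DSS-DES-CBC3-SHA RC4-SHA RC4-MD5 DES-CBC-SHA EDH-RSA-DES-CBC-SHA
].freeze

# First eight entries of the jruby-openssl list without set_params, from the issue.
JRUBY_NO_SET_PARAMS_HEAD = %w[
  EXP-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-RC4-MD5
  DES-CBC-SHA EDH-RSA-DES-CBC-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256
].freeze

# Classify the key exchange from the suite name (EXP- prefix ignored here).
def key_exchange(name)
  case name.sub(/\AEXP-/, '')
  when /\AECDHE-/     then :ecdhe
  when /\A(DHE|EDH)-/ then :dhe
  when /\AECDH-/      then :ecdh_static
  else                     :rsa
  end
end

def forward_secret?(name)
  %i[ecdhe dhe].include?(key_exchange(name))
end

# Flags export grade, RC4, MD5 and single DES ("DES-CBC-"; 3DES is "DES-CBC3-").
def weak?(name)
  name.start_with?('EXP-') || name.match?(/RC4|MD5|DES-CBC-/)
end

# Summarise an ordered list: ECDHE presence, weak suites, and what outranks FS.
def audit(names)
  first_fs = names.index { |n| forward_secret?(n) }
  {
    has_ecdhe: names.any? { |n| key_exchange(n) == :ecdhe },
    export: names.select { |n| n.start_with?('EXP-') },
    weak: names.select { |n| weak?(n) },
    # Suites ranked ahead of the first forward-secret suite.
    non_fs_preferred: names.take(first_fs || names.size)
  }
end

{ 'set_params' => JRUBY_SET_PARAMS, 'default (head)' => JRUBY_NO_SET_PARAMS_HEAD }.each do |label, list|
  puts "#{label}: #{audit(list)}"
end
```

To audit a live context, pass `context.ciphers.map(&:first)` to `audit`, since each entry of `SSLContext#ciphers` is a `[name, version, bits, alg_bits]` array as shown in the output above.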

For anyone landing here, please read the comment at https://github.com/jruby/jruby-openssl/issues/50#issuecomment-114456686

kares avatar Jun 23 '15 11:06 kares