[jira] Created: (CXF-2633) wrong cipher suites reported for webservice-server with https

[Michael Abmayer (JIRA)]

wrong cipher suites reported for webservice-server with https
-------------------------------------------------------------

                 Key: CXF-2633
                 URL: https://issues.apache.org/jira/browse/CXF-2633
             Project: CXF
          Issue Type: Bug
          Components: Transports
    Affects Versions: 2.2.5, 2.2.6
         Environment: Debian Linux 2.6.26-2-686, java version "1.5.0_17"
            Reporter: Michael Abmayer
            Priority: Minor


The ciphers suites which are reported to be set on a webservice-server seem to 
be those which are disselected. Intended behavior would be to report the 
selected cipher suites.

For a webservice-client everything seems ok.

How to reproduce:
In the wsdl_first_https-Sample-Application is the file 
/src/demo/hw_https/server/CherryServer.xml
The ciphers are configured as follows:

        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:include>.*_WITH_DES_.*</sec:include>
        <sec:include>.*_WITH_NULL_.*</sec:include>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>

if you call  {{mvn  -Pserver}}  this results in the following output:
[INFO] INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5

Although DH_anon-ciphers are excluded, they show up in the list.

When I try to exclude some more Ciphersuites:

        <sec:include>.*_EXPORT_.*</sec:include>
        <sec:include>.*_EXPORT1024_.*</sec:include>
        <sec:exclude>.*_WITH_DES_.*</sec:exclude>
        <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
[INFO] INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5

The list gets longer!

When I exclude all (although this makes not really sense):
        <sec:exclude>.*_EXPORT_.*</sec:exclude>
        <sec:exclude>.*_EXPORT1024_.*</sec:exclude>
        <sec:exclude>.*_WITH_DES_.*</sec:exclude>
        <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
        <sec:exclude>.*_DH_anon_.*</sec:exclude>
[INFO] INFO: The cipher suites have been set to SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, 
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, 
SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, 
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, 
TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, 
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, 
TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, 
TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, 
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.  
[INFO] 2010-01-24 19:19:40.440::WARN:  EXCEPTION 
[INFO] javax.net.ssl.SSLException: No available certificate or key corresponds 
to the SSL cipher suites which are enabled.
[INFO]  at 
com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:303)
[INFO]  at 
com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:253)
[INFO]  at 
org.mortbay.jetty.security.SslSocketConnector.accept(SslSocketConnector.java:172)
[INFO]  at 
org.mortbay.jetty.AbstractConnector$Acceptor.run(AbstractConnector.java:707)
[INFO]  at 
org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

The list is even longer! But now there is no suitable Cipher?!

If you compare the first and the last cipherlist, the ciphers which are 
additional to the last example are exactly those which should be instead 
reported in the first example.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.