Bug 59081 - Cipher ordering not working
Summary: Cipher ordering not working
Status: CLOSED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Reported: 2016-02-26 23:18 UTC by Ognjen Blagojevic
Modified: 2016-05-25 14:05 UTC
Description Ognjen Blagojevic 2016-02-26 23:18:04 UTC
If I configure a JSSE connector (NIO) with the JSSE implementation and an explicit JSSE cipher list, my resulting list of enabled ciphers is ordered differently from what I configured.

The reason for that seems to be in the method SSLUtilBase.getEnabled, which creates the list of enabled ciphers like this:

  enabled.addAll(implemented);
  enabled.retainAll(configured);

The resulting list contains the intersection of the configured and implemented ciphers, but in the order of the implemented ciphers, and that is not what the user wants. I guess it should keep the order of the configured ciphers, like this:

  enabled.addAll(configured);
  enabled.retainAll(implemented);

Right?


The second issue with cipher ordering is that OpenSSLCipherConfigurationParser.parse always returns:

  return defaultSort(ciphers);

I am not sure what the intention is here, because the defaultSort method may change the user-defined cipher order.


My cipher configuration:

[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]

defaultSort(ciphers) changes order to:

[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]

And getEnabled changes order to:

[TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA]
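An added example (not code from the report or from Tomcat) that reproduces the getEnabled ordering issue with plain java.util.List operations. CONFIGURED is the list from the report; IMPLEMENTED is a constructed, hypothetical provider order that also contains one suite the user did not configure.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CipherOrderDemo {
    // The administrator's configured order, taken from the report.
    static final List<String> CONFIGURED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA");

    // Constructed sample: the order in which a hypothetical JSSE provider
    // reports its implemented suites. One suite is not in CONFIGURED.
    static final List<String> IMPLEMENTED = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA");

    /** Reported behaviour: the intersection keeps the provider's order. */
    static List<String> enabledProviderOrder(List<String> implemented, List<String> configured) {
        List<String> enabled = new ArrayList<>();
        enabled.addAll(implemented);
        enabled.retainAll(configured); // retainAll never reorders the receiver
        return enabled;
    }

    /** Suggested fix: the intersection keeps the administrator's order. */
    static List<String> enabledConfiguredOrder(List<String> implemented, List<String> configured) {
        List<String> enabled = new ArrayList<>();
        enabled.addAll(configured);
        enabled.retainAll(implemented); // drops suites the provider lacks
        return enabled;
    }

    public static void main(String[] args) {
        // Both results hold the same six suites; only the order differs, and the
        // order is what decides preference when the server enforces its own.
        System.out.println("provider order:   " + enabledProviderOrder(IMPLEMENTED, CONFIGURED));
        System.out.println("configured order: " + enabledConfiguredOrder(IMPLEMENTED, CONFIGURED));
    }
}
```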
Comment 1 Mark Thomas 2016-03-03 11:16:31 UTC
Good catch.

I've fixed both those issues for 9.0.x (9.0.0.M4 onwards). 8.0.x is only affected by the defaultSort() issue. That has been fixed for 8.0.33 onwards.