SL created CXF-6294:
-----------------------
Summary: Cannot activate TLSv1.2 cipher suites on client on Java7
Key: CXF-6294
URL: https://issues.apache.org/jira/browse/CXF-6294
Project: CXF
Issue Type: Bug
Components: Transports
Affects Versions: 2.7.15, 2.7.14, 2.7.13
Environment: JRE 1.7.0_76, CXF 2.7.13-2.7.15 (previous versions not checked)
Reporter: SL
The Java7 JRE has a distinct behavior for client and server SSL sockets (see the
JSSE reference).
On server sockets TLSv1.1 and TLSv1.2 are enabled by default, whereas on client
sockets both are disabled by default (but can be enabled with
setEnabledProtocols()).
These settings have been reverted for Java8.
The problem with cxf lies in cxf-rt-transports-http.jar in
org.apache.cxf.transport.http.SSLSocketFactoryWrapper.enableCipherSuites(...) :
{code:java}
private Socket enableCipherSuites(Socket s, Object[] logParams) {
    SSLSocket socket = (SSLSocket)s;
    if ((socket != null) && (ciphers != null)) {
        socket.setEnabledCipherSuites(ciphers);
    }
    if ((socket != null) && (protocol != null)) {
        String p[] = findProtocols(protocol,
                                   socket.getSupportedProtocols());
        if (p != null) {
            socket.setEnabledProtocols(p);
        }
    }
    if (socket == null) {
        LogUtils.log(LOG, Level.SEVERE,
                     "PROBLEM_CREATING_OUTBOUND_REQUEST_SOCKET",
                     logParams);
    }
    return socket;
}
{code}
This code does not permit enabling the TLSv1.2-only cipher suites on the
client.
It produces:
{noformat}
Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite
    at sun.security.ssl.CipherSuite.valueOf(Unknown Source) ~[na:1.7.0_76]
    at sun.security.ssl.CipherSuiteList.<init>(Unknown Source) ~[na:1.7.0_76]
    at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(Unknown Source) ~[na:1.7.0_76]
    at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.enableCipherSuites(SSLSocketFactoryWrapper.java:101)
{noformat}
because when setEnabledCipherSuites() is called, TLSv1.2 is not (yet) enabled.
IMHO setEnabledProtocols() should be called first.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
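
The ordering the report asks for, as an added example that is not CXF code and not part of the original message: protocols are enabled before cipher suites, and both lists are filtered against what the socket supports so an unknown name fails with a clear error. The class name, method names and the sample cipher suite are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added illustration; class and method names are hypothetical, not CXF API.
public class ProtocolsBeforeCiphers {

    // Keep only the requested names the JSSE provider reports as supported, in request order.
    static String[] supportedOnly(String[] requested, String[] supported) {
        Set<String> known = new HashSet<String>(Arrays.asList(supported));
        List<String> kept = new ArrayList<String>();
        for (String name : requested) {
            if (known.contains(name)) {
                kept.add(name);
            }
        }
        return kept.toArray(new String[0]);
    }

    static void configure(SSLSocket socket, String[] protocols, String[] ciphers) {
        // 1. Protocols first: the order the report proposes.
        String[] p = supportedOnly(protocols, socket.getSupportedProtocols());
        if (p.length == 0) {
            throw new IllegalStateException("none of the requested protocols is supported");
        }
        socket.setEnabledProtocols(p);
        // 2. Cipher suites second; fail closed instead of silently keeping the defaults.
        String[] c = supportedOnly(ciphers, socket.getSupportedCipherSuites());
        if (c.length == 0) {
            throw new IllegalStateException("none of the requested cipher suites is supported");
        }
        socket.setEnabledCipherSuites(c);
    }

    public static void main(String[] args) throws Exception {
        // Unconnected socket from the default context: nothing is sent on the network.
        try (SSLSocket socket = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket()) {
            configure(socket,
                      new String[] {"TLSv1.2"},
                      new String[] {"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}); // sample TLSv1.2-only suite
            System.out.println("protocols: " + Arrays.toString(socket.getEnabledProtocols()));
            System.out.println("ciphers:   " + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```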