Customizable list of ciphers in SSL_KEY_EXCHANGE


Kálmán Jantner

Sep 3, 2025, 4:40:31 AM
to jgroups-dev
Hello,

We are using jgroups and a new requirement has come up to restrict the enabled ciphers and forbid all AES 128 related ciphers including jgroups SSL_KEY_EXCHANGE, port 2175.

I tried to configure it via the JVM parameters jdk.tls.server.cipherSuites and jdk.tls.client.cipherSuites. I tried to validate the changes with nmap (`nmap --script ssl-enum-ciphers -Pn -p 2157 <ID>`) but I still saw AES 128 related items.

I tried to investigate it and I found the following:
When port 2175 is created, sslServerSocket returns the proper list of ciphers that has been configured via JVM params. It happens here: https://github.com/belaban/JGroups/blob/master/src/org/jgroups/protocols/SSL_KEY_EXCHANGE.java#L447
However, when I trigger the nmap, it will trigger the accept() method in SSL_KEY_EXCHANGE, and I found that the enabled cipher suites contain the expected list of ciphers but it will be overwritten by all supported ciphers. It happens here: https://github.com/belaban/JGroups/blob/master/src/org/jgroups/protocols/SSL_KEY_EXCHANGE.java#L357

As I can see, with this approach SSL_KEY_EXCHANGE will ignore all JVM-level cipher restrictions.

My proposal would be to introduce a new property where the user can customize the list of ciphers. If it is null, the current logic would be used. If you don't have any concerns, I'm happy to prepare the code change.

Thanks in advance.

Best Regards,
Kalman Jantner
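
The behaviour described in the post above, and the proposed allow-list with a null fallback, as an added example that is not part of the original post and is not the JGroups or PR code. The class name, the `select` and `count128` helpers and the sample allow-list are hypothetical; an `SSLEngine` stands in for the accepted socket so the demo runs without opening a port.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.List;

public class CipherRestrictionDemo {

    // Hypothetical helper modelling the proposal in the post:
    // configured == null -> current logic (enable every supported suite);
    // otherwise enable only the configured suites the provider supports.
    static String[] select(String[] supported, List<String> configured) {
        if (configured == null)
            return supported.clone();
        List<String> sup = Arrays.asList(supported);
        String[] result = configured.stream().filter(sup::contains).toArray(String[]::new);
        // Fail closed: an allow-list that matches nothing must not widen the set.
        if (result.length == 0)
            throw new IllegalArgumentException("no configured cipher suite is supported: " + configured);
        return result;
    }

    // Number of suites whose name refers to AES 128.
    static long count128(String[] suites) {
        return Arrays.stream(suites).filter(s -> s.contains("AES_128")).count();
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // server side, like the accepting socket
        String[] supported = engine.getSupportedCipherSuites();

        // 1. What the JVM enabled by default for this engine.
        System.out.println("JVM-enabled AES_128 suites:  " + count128(engine.getEnabledCipherSuites()));

        // 2. The overwrite described in the post: enabled := all supported.
        engine.setEnabledCipherSuites(select(supported, null));
        System.out.println("after overwrite, AES_128:    " + count128(engine.getEnabledCipherSuites()));

        // 3. Explicit allow-list (constructed sample values).
        List<String> configured = List.of(
            "TLS_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        engine.setEnabledCipherSuites(select(supported, configured));
        System.out.println("with allow-list, AES_128:    " + count128(engine.getEnabledCipherSuites()));
        System.out.println("enabled: " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```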

Kálmán Jantner

10:07 AM
to jgroups-dev
Hello,

FYI: I have prepared the PR: https://github.com/belaban/JGroups/pull/936

All feedback is welcome.

Best Regards,
Kalman Jantner