Customizable list of ciphers in SSL_KEY_EXCHANGE


Kálmán Jantner

Sep 3, 2025, 4:40:31 AM
to jgroups-dev
Hello,

We are using JGroups and a new requirement has come up to restrict the enabled ciphers and forbid all AES 128 related ciphers, including JGroups SSL_KEY_EXCHANGE, port 2175.

I tried to configure it via the JVM parameters jdk.tls.server.cipherSuites and jdk.tls.client.cipherSuites. I tried to validate the changes with nmap (nmap --script ssl-enum-ciphers -Pn -p 2157 <ID>) but I still saw AES 128 related items.

I tried to investigate it and I found the following:
When port 2175 is created, sslServerSocket returns the proper list of ciphers that has been configured via JVM params. It happens here https://github.com/belaban/JGroups/blob/master/src/org/jgroups/protocols/SSL_KEY_EXCHANGE.java#L447
However when I trigger the nmap it will trigger the accept() method in SSL_KEY_EXCHANGE and I found that the enabled cipher suites contain the expected list of ciphers but it will be overwritten by all supported ciphers. It happens here: https://github.com/belaban/JGroups/blob/master/src/org/jgroups/protocols/SSL_KEY_EXCHANGE.java#L357

As I can see with this approach SSL_KEY_EXCHANGE will ignore all jvm level cipher restrictions.

My proposal would be to introduce a new property where the user can customize the list of ciphers. If it is null, the current logic would be used. If you don't have any concerns, I'm happy to prepare the code change.

Thanks in advance.

Best Regards,
Kalman Jantner
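
As an added example (not code from JGroups or from the pull request mentioned later in the thread), the JSSE behaviour described in the post above can be reproduced on a plain `SSLServerSocket`: overwriting the enabled list with the supported list discards the JVM-level restriction, while an explicit allow-list keeps it. The class name, the `ALLOW_LIST` value and the `resolve()` helper are hypothetical; Java 11 or later is assumed.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import java.util.Arrays;
import java.util.List;

public class CipherSuiteCheck {
    // Constructed sample value for a hypothetical comma-separated allow-list setting.
    static final String ALLOW_LIST =
        "TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_NOT_A_REAL_SUITE";

    static long aes128(String[] suites) {
        return Arrays.stream(suites).filter(s -> s.contains("AES_128")).count();
    }

    // Null or blank setting: keep the socket's current (JVM-derived) list.
    // Otherwise keep only configured names this JVM supports, because
    // setEnabledCipherSuites() throws IllegalArgumentException on unknown names.
    static String[] resolve(String setting, String[] current, String[] supported) {
        if (setting == null || setting.isBlank())
            return current;
        List<String> known = Arrays.asList(supported);
        String[] picked = Arrays.stream(setting.split(","))
            .map(String::trim)
            .filter(known::contains)
            .toArray(String[]::new);
        if (picked.length == 0)
            throw new IllegalStateException("no configured cipher suite is supported");
        return picked;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        try (SSLServerSocket srv =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0)) {
            String[] enabled = srv.getEnabledCipherSuites();     // JVM defaults and properties
            String[] supported = srv.getSupportedCipherSuites(); // everything the provider offers
            System.out.printf("enabled:   %d suites, %d with AES_128%n", enabled.length, aes128(enabled));
            System.out.printf("supported: %d suites, %d with AES_128%n", supported.length, aes128(supported));

            // Overwriting the enabled list with the supported list discards the restriction.
            srv.setEnabledCipherSuites(supported);
            System.out.printf("after overwrite: %d with AES_128%n", aes128(srv.getEnabledCipherSuites()));

            // Applying an explicit allow-list instead.
            srv.setEnabledCipherSuites(resolve(ALLOW_LIST, enabled, supported));
            System.out.println("after allow-list: " + Arrays.toString(srv.getEnabledCipherSuites()));
        }
    }
}
```

Running it with `java -Djdk.tls.server.cipherSuites=<list> CipherSuiteCheck.java` shows the restricted list in the first line of output and the AES_128 suites returning after the overwrite.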

Kálmán Jantner

Sep 8, 2025, 10:07:22 AM
to jgroups-dev
Hello,

FYI: I have prepared the PR: https://github.com/belaban/JGroups/pull/936

All feedback is welcome

Best Regards,
Kalman Jantner

Bela Ban

Sep 9, 2025, 10:38:02 AM
to jgrou...@googlegroups.com
Thanks Kalman

I created https://issues.redhat.com/browse/JGRP-2937 to keep track of this. Applied your PR manually and backported to the 5.4.x branch.
Thanks! And sorry for the long delay.

-- 
Bela Ban | http://www.jgroups.org

Kálmán Jantner

Sep 9, 2025, 4:34:25 PM
to jgroups-dev
Thank you for the merge. I saw 5.4.10.Final was released yesterday.
Do you have a rough estimate of when this change will be available in the Maven Central repo?

Thanks in advance.

Kalman

Bela Ban

Sep 9, 2025, 4:39:31 PM
to jgrou...@googlegroups.com
Thanks for the PR! The 5.4.11 release could be asap, but we're having issues with syncing to central atm. Note that the 5.4.10 release *is* in central, but doesn't have your PR.

I hope to release 5.4.11 this week, perhaps as early as tomorrow. If it doesn't sync to central, you could point your mvn to repository.jboss.org/nexus/repository/releases/, this would be temporary only.

Cheers

Kálmán Jantner

Sep 10, 2025, 6:31:38 AM
to jgroups-dev
Thank you for the fix and the release as well.

Bela Ban

Sep 10, 2025, 6:32:09 AM
to jgrou...@googlegroups.com