JSSE patches for HonorCipherOrder and preventing client-initiated renegotiations

Neale Rudd neale at metawerx.net
Tue Mar 27 12:09:55 UTC 2012


Hi Brad,

Thanks for the reply.

> I'm not an expert in OpenSSL configs, but are you referring to OpenSSL's
> SSL_OP_CIPHER_SERVER_PREFERENCE option:
> or Apache's mod_ssl config option SSLHONORCIPHERORDER:

Sorry, I should have given a better description there.

The feature is SSLHonorCipherOrder in Apache and ssl_prefer_server_ciphers 
in nginx, which both use OpenSSL.

In OpenSSL, as you have detailed below, it's 
SSL_OP_CIPHER_SERVER_PREFERENCE.

This feature is being used lately by some hosts as one way to mitigate the 
BEAST attack, by allowing servers to specify a cipher order which promotes 
the use of RC4 on non TLS-1.2 capable connections.

For example:
SSLHonorCipherOrder On
SSLCipherSuite
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
(The idea here being to allow TLS1.2 for capable clients which are not 
vulnerable, with a fall-back to to RC4 for TLS1.0 clients).

When using JSSE as a server (ie: Tomcat), there is no way to enforce this 
ordering currently since JSSE is hard-coded to use the order suggested by 
the client.

The patch I've applied locally allows an option to turn this on at the VM 
level.  I've since decided it would be useful to make it an option per 
connection, so I'm adjusting the patch accordingly at the moment and getting 
my OCA signed so I can continue with this proposal.

Best Regards,
Neale




More information about the security-dev mailing list