JSSE patches for HonorCipherOrder and preventing client-initiated renegotiations
Neale Rudd
neale at metawerx.net
Tue Mar 27 05:09:55 PDT 2012
Hi Brad,
Thanks for the reply.
> I'm not an expert in OpenSSL configs, but are you referring to OpenSSL's
> SSL_OP_CIPHER_SERVER_PREFERENCE option:
> or Apache's mod_ssl config option SSLHONORCIPHERORDER:
Sorry, I should have given a better description there.
The feature is SSLHonorCipherOrder in Apache and ssl_prefer_server_ciphers
in nginx, which both use OpenSSL.
In OpenSSL, as you have detailed below, it's
SSL_OP_CIPHER_SERVER_PREFERENCE.
This feature is being used lately by some hosts as one way to mitigate the
BEAST attack, by allowing servers to specify a cipher order which promotes
the use of RC4 on non TLS-1.2 capable connections.
For example:
SSLHonorCipherOrder On
SSLCipherSuite
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
(The idea here being to allow TLS1.2 for capable clients which are not
vulnerable, with a fall-back to to RC4 for TLS1.0 clients).
When using JSSE as a server (ie: Tomcat), there is no way to enforce this
ordering currently since JSSE is hard-coded to use the order suggested by
the client.
The patch I've applied locally allows an option to turn this on at the VM
level. I've since decided it would be useful to make it an option per
connection, so I'm adjusting the patch accordingly at the moment and getting
my OCA signed so I can continue with this proposal.
Best Regards,
Neale
More information about the security-dev
mailing list