[GLASSFISH-11618] Wrong selection of ssl cipher suites
Created: 26/Feb/10  Updated: 24/Apr/15  Resolved: 15/Mar/10

Status: Resolved
Project: glassfish
Component/s: grizzly-kernel
Affects Version/s: V3
Fix Version/s: v3.0.1
Type: Bug
Priority: Major
Reporter: nasradu8
Assignee: Justin Lee
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Operating System: All, Platform: All
Issuezilla Id: 11,618

Description

The SSL configuration page in admin GUI says: "If no cipher suite is added, ALL cipher suites will be chosen."

But, when any app is run with no cipher suite explicitly configured, the following error is observed in the server log.

[#|2010-02-26T16:11:55.318+0530|WARNING|glassfishv3.0|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=27;_ThreadName=http-thread-pool-8181(3);|pewebcontainer.all_ssl_ciphers_disabled|#]

This essentially means that no cipher suites are configured. The correct behavior must be to enable a default set which is returned by SSLSocketFactory.getDefault().getDefaultCipherSuites(), when there are no cipher suites enabled.

Comments

Comment by nasradu8 [ 26/Feb/10 ]
Adding Kumar and Oleksiy to cc list

Comment by kumarjayanti [ 26/Feb/10 ]
changed the target server

Comment by oleksiys [ 26/Feb/10 ]
I guess it's grizzly kernel issue. Reassigning to Justin to check config module.

Comment by Dies Koper [ 26/Feb/10 ]
Please don't forget to fix the message too. It seems a message key is logged instead of the real message.

Comment by nasradu8 [ 01/Mar/10 ]
If any one particular cipher suite is enabled, then the warning disappears.

Comment by Justin Lee [ 01/Mar/10 ]
One problem here is that the key used to find the logging message in grizzly is out of sync with what's used in glassfish. I've updated that key to match and changed the logging level to FINE instead of warning. Here's what glassfish should be logging:

WEB0308: All SSL cipher suites disabled for network-listener {0}, using SSL implementation specific default [{0} ]s

So in the absence of any configured ciphers (and protocols), grizzly will use the defaults as defined by the JDK implementation. Given the logging level change (to reduce unnecessary chatter) and the explanation given by the message, I think this bug can be marked as closed/fixed. Does this satisfy everyone?

Comment by Justin Lee [ 12/Mar/10 ]
alexey removed the logging of this message in grizzly commit 4303

Comment by Justin Lee [ 12/Mar/10 ]
updated messages in grizzly commit 4307

Comment by Justin Lee [ 15/Mar/10 ]
updating target version to 3.0.1. Will require a grizzly integration whose exact version has not been formally stated. Probably another 1.9.18 mini-release but that needs to be decided soon.

Comment by HeinBloed [ 24/Apr/15 ]
Is it possible that this bug reappeared in GF 4.1 ...? At least I'm getting this log message with 4.1: "WARNING: All SSL cipher suites disabled for network-listener(s). Using SSL implementation specific defaults", although I didn't add any cipher suite in the admin GUI, as described above.

I also stumbled across this thread: http://stackoverflow.com/questions/29726581/cant-use-localhost-version-of-glassfish-4-1server-on-eclipse-luna, where someone else seems to get the same log message, presumably after not doing any (SSL) reconfigurations either.

EDIT: Actually, I made one modification to the SSL settings (in http-listener-2), I replaced the default certificate with a self-made one.
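
The fallback discussed in this issue, as an added example that is not GlassFish or Grizzly code: with no suites configured the listener gets the JDK's default enabled set, while an explicit list in which no name is supported is rejected rather than silently widened. The class name CipherSuiteFallback, the method resolve and the sample inputs are hypothetical and constructed for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical helper written for this example; not GlassFish or Grizzly code.
public class CipherSuiteFallback {

    // Returns the suites to enable for a listener from its configured list.
    static String[] resolve(List<String> configured, SSLContext ctx) {
        if (configured == null || configured.isEmpty()) {
            // Nothing configured: use the JDK's default enabled set, which is
            // narrower than the supported set, and never an empty array.
            return ctx.getDefaultSSLParameters().getCipherSuites();
        }
        Set<String> supported = new HashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        List<String> usable = new ArrayList<>();
        for (String suite : configured) {
            if (supported.contains(suite)) {
                usable.add(suite);
            } else {
                System.err.println("Ignoring unsupported cipher suite: " + suite);
            }
        }
        if (usable.isEmpty()) {
            // An explicit list with nothing usable is a configuration error.
            // Fail closed instead of silently widening to the defaults.
            throw new IllegalArgumentException("No configured cipher suite is supported");
        }
        return usable.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();

        // Constructed input 1: no suites configured, as in the report.
        engine.setEnabledCipherSuites(resolve(List.of(), ctx));
        System.out.println("unconfigured: " + engine.getEnabledCipherSuites().length + " suites enabled");

        // Constructed input 2: one real suite plus a made-up name.
        String known = ctx.getDefaultSSLParameters().getCipherSuites()[0];
        engine.setEnabledCipherSuites(resolve(List.of(known, "NOT_A_REAL_SUITE"), ctx));
        System.out.println("explicit: " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Because the unconfigured case inherits whatever the running JDK enables by default, the effective suite list changes with the JDK version and its security properties, so it is worth printing once per deployment.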