[CONJ-332] enabledSslCipherSuites driver setting does not enable new ciphers Created: 2016-08-16  Updated: 2016-08-23  Resolved: 2016-08-23

Status: Closed
Project: MariaDB Connector/J
Component/s: Failover
Affects Version/s: 1.5.1-RC
Fix Version/s: 1.5.2

Type: Bug
Priority: Critical
Reporter: Kishor Grandhe
Assignee: Diego Dupin
Resolution: Fixed
Votes: 0
Labels: None

Attachments: Java Source File AbstractConnectProtocol.java    

 Description   

The provided enabledSslCipherSuites in org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.enabledSslCipherSuites(SSLSocket sslSocket) is compared against sslSocket.getEnabledCipherSuites() instead of sslSocket.getSupportedCipherSuites(). This will always fail if you want to enable a new CipherSuite not in the current enabled cipher list.

The enabledSslProtocolSuites is implemented correctly by comparing against sslSocket.getSupportedProtocols().

This functionality is critical for enabling the TLS 1.2 protocol and ciphers on Java 7 to connect to MariaDB.

protected void enabledSslCipherSuites(SSLSocket sslSocket) throws QueryException {
    if (options.enabledSslCipherSuites != null) {
        List<String> possibleCiphers = Arrays.asList(sslSocket.getEnabledCipherSuites());
        String[] ciphers = options.enabledSslCipherSuites.split("[,;\\s]+");
        for (String cipher : ciphers) {
            if (!possibleCiphers.contains(cipher)) {
                throw new QueryException("Unsupported SSL cipher '" + cipher + "'. Supported ciphers : " + possibleCiphers.toString().replace("[", "").replace("]", ""));
            }
        }
        sslSocket.setEnabledCipherSuites(ciphers);
    }
}

protected void enabledSslProtocolSuites(SSLSocket sslSocket) throws QueryException {
    if (options.enabledSslProtocolSuites == null) {
        sslSocket.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1"});
    } else {
        List<String> possibleProtocols = Arrays.asList(sslSocket.getSupportedProtocols());
        String[] protocols = options.enabledSslProtocolSuites.split("[,;\\s]+");
        for (String protocol : protocols) {
            if (!possibleProtocols.contains(protocol)) {
                throw new QueryException("Unsupported SSL protocol '" + protocol + "'. Supported protocols : " + possibleProtocols.toString().replace("[", "").replace("]", ""));
            }
        }
        sslSocket.setEnabledProtocols(protocols);
    }
}



 Comments   
Comment by Kishor Grandhe [ 2016-08-16 ]

Attaching code changes which would enable additional ciphers based on supported ciphers.

Comment by Diego Dupin [ 2016-08-23 ]

Right!

Changed in next version: commit https://github.com/MariaDB/mariadb-connector-j/commit/789d5590dae93534c75ae9026422af616642b10f
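The check this issue asks for, validating requested suites against `getSupportedCipherSuites()` rather than `getEnabledCipherSuites()`, shown as an added stand-alone example (not the attached file or the committed fix). The class name `CipherSuiteCheck`, the method `enableCipherSuites`, the use of `IllegalArgumentException` in place of `QueryException`, and the default suite name are assumptions made for illustration; it uses Java 8 or later syntax.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuiteCheck {

    // Validate requested suites against what the provider supports, then enable them.
    // Hypothetical helper: mirrors the shape of the driver method, not its actual code.
    static void enableCipherSuites(SSLSocket socket, String requested) {
        List<String> supported = Arrays.asList(socket.getSupportedCipherSuites());
        String[] ciphers = requested.trim().split("[,;\\s]+");
        for (String cipher : ciphers) {
            if (!supported.contains(cipher)) {
                throw new IllegalArgumentException("Unsupported SSL cipher '" + cipher
                        + "'. Supported ciphers : " + String.join(", ", supported));
            }
        }
        socket.setEnabledCipherSuites(ciphers);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample value; pass another comma-separated list as the first argument.
        String requested = args.length > 0 ? args[0] : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
        // Unconnected socket: only the provider's suite lists are read, no network traffic.
        try (SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket()) {
            List<String> enabled = Arrays.asList(socket.getEnabledCipherSuites());
            List<String> supported = Arrays.asList(socket.getSupportedCipherSuites());
            for (String cipher : requested.trim().split("[,;\\s]+")) {
                // A suite with supported=true and enabledByDefault=false is the case
                // the check against getEnabledCipherSuites() rejects.
                System.out.printf("%s: supported=%b, enabledByDefault=%b%n",
                        cipher, supported.contains(cipher), enabled.contains(cipher));
            }
            long disabledByDefault = supported.stream().filter(s -> !enabled.contains(s)).count();
            System.out.println("Supported but not enabled by default: " + disabledByDefault);
            enableCipherSuites(socket, requested);
            System.out.println("Now enabled: " + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

Suites that a provider supports but leaves disabled by default are often disabled for a reason, so the configured list should name only the suites the server requires.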
