Netty: Unsupported cipher suite: ECDHE-ECDSA-AES128-SHA256(ECDHE-ECDSA-AES128-SHA256)

Created on 13 Nov 2019 · 4 Comments · Source: netty/netty

Expected behavior

I have this problem when I upgraded netty 4.1.24.Final and netty-tcnative-boringssl-static 2.0.7.Final to netty 4.1.43.Final and netty-tcnative-boringssl-static 2.0.27.Final

Error Stack:

java.lang.IllegalArgumentException: Unable to build SslContext
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.newMessageSender(SagaLoadBalanceSenderWithTLSTest.java:70)
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.<init>(SagaLoadBalanceSenderWithTLSTest.java:50)
Caused by: javax.net.ssl.SSLException: failed to set cipher suite: [ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256]
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.newMessageSender(SagaLoadBalanceSenderWithTLSTest.java:70)
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.<init>(SagaLoadBalanceSenderWithTLSTest.java:50)
Caused by: java.lang.IllegalArgumentException: unsupported cipher suite: ECDHE-ECDSA-AES128-SHA256(ECDHE-ECDSA-AES128-SHA256)
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.newMessageSender(SagaLoadBalanceSenderWithTLSTest.java:70)
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.<init>(SagaLoadBalanceSenderWithTLSTest.java:50)

broadcastConnectionAndDisconnection(org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest)  Time elapsed: 0 sec  <<< ERROR!
java.lang.IllegalArgumentException: Unable to build SslContext
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.newMessageSender(SagaLoadBalanceSenderWithTLSTest.java:70)
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.<init>(SagaLoadBalanceSenderWithTLSTest.java:50)
Caused by: javax.net.ssl.SSLException: failed to set cipher suite: [ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA256]
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.newMessageSender(SagaLoadBalanceSenderWithTLSTest.java:70)
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.<init>(SagaLoadBalanceSenderWithTLSTest.java:50)
Caused by: java.lang.IllegalArgumentException: unsupported cipher suite: ECDHE-ECDSA-AES128-SHA256(ECDHE-ECDSA-AES128-SHA256)
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.newMessageSender(SagaLoadBalanceSenderWithTLSTest.java:70)
    at org.apache.servicecomb.pack.omega.connector.grpc.saga.SagaLoadBalanceSenderWithTLSTest.<init>(SagaLoadBalanceSenderWithTLSTest.java:50)

The SSL.getCiphers(ssl) in the 4.1.24.Final and 4.1.43.Final versions of the OpenSsl.java class return different data.

4.1.24.Final SSL.getCiphers(ssl) returns the following data (including ECDHE-ECDSA-AES128-SHA256)

0 = "ECDHE-ECDSA-AES128-GCM-SHA256"
1 = "ECDHE-RSA-AES128-GCM-SHA256"
2 = "ECDHE-ECDSA-AES256-GCM-SHA384"
3 = "ECDHE-RSA-AES256-GCM-SHA384"
4 = "ECDHE-ECDSA-CHACHA20-POLY1305"
5 = "ECDHE-RSA-CHACHA20-POLY1305"
6 = "ECDHE-PSK-CHACHA20-POLY1305"
7 = "ECDHE-ECDSA-AES128-SHA"
8 = "ECDHE-ECDSA-AES128-SHA256"
9 = "ECDHE-RSA-AES128-SHA"
10 = "ECDHE-RSA-AES128-SHA256"
11 = "ECDHE-PSK-AES128-CBC-SHA"
12 = "ECDHE-ECDSA-AES256-SHA"
13 = "ECDHE-ECDSA-AES256-SHA384"
14 = "ECDHE-RSA-AES256-SHA"
15 = "ECDHE-RSA-AES256-SHA384"
16 = "ECDHE-PSK-AES256-CBC-SHA"
17 = "AES128-GCM-SHA256"
18 = "AES256-GCM-SHA384"
19 = "AES128-SHA"
20 = "AES128-SHA256"
21 = "PSK-AES128-CBC-SHA"
22 = "AES256-SHA"
23 = "AES256-SHA256"
24 = "PSK-AES256-CBC-SHA"
25 = "DES-CBC3-SHA"

4.1.34.Final SSL.getCiphers(ssl) returns the following data (excluding ECDHE-ECDSA-AES128-SHA256)

0 = "ECDHE-ECDSA-AES128-GCM-SHA256"
1 = "ECDHE-RSA-AES128-GCM-SHA256"
2 = "ECDHE-ECDSA-AES256-GCM-SHA384"
3 = "ECDHE-RSA-AES256-GCM-SHA384"
4 = "ECDHE-ECDSA-CHACHA20-POLY1305"
5 = "ECDHE-RSA-CHACHA20-POLY1305"
6 = "ECDHE-PSK-CHACHA20-POLY1305"
7 = "ECDHE-ECDSA-AES128-SHA"
8 = "ECDHE-RSA-AES128-SHA"
9 = "ECDHE-PSK-AES128-CBC-SHA"
10 = "ECDHE-ECDSA-AES256-SHA"
11 = "ECDHE-RSA-AES256-SHA"
12 = "ECDHE-PSK-AES256-CBC-SHA"
13 = "AES128-GCM-SHA256"
14 = "AES256-GCM-SHA384"
15 = "AES128-SHA"
16 = "PSK-AES128-CBC-SHA"
17 = "AES256-SHA"
18 = "PSK-AES256-CBC-SHA"
19 = "DES-CBC3-SHA"
20 = "TLS_AES_128_GCM_SHA256"
21 = "TLS_AES_256_GCM_SHA384"
22 = "TLS_CHACHA20_POLY1305_SHA256"
23 = "AEAD-AES128-GCM-SHA256"
24 = "AEAD-AES256-GCM-SHA384"
25 = "AEAD-CHACHA20-POLY1305-SHA256"

Netty version

netty 4.1.43.Final
netty-tcnative-boringssl-static 2.0.27.Final

JVM version (e.g. java -version)

java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)

OS version (e.g. uname -a)

Darwin bogon 18.2.0 Darwin Kernel Version 18.2.0: Thu Dec 20 20:46:53 PST 2018; root:xnu-4903.241.1~1/RELEASE_X86_64 x86_64
OpenSSL 1.1.1c 28 May 2019

All 4 comments

@coolbeevip it's expected... BoringSSL does not support this cipher anymore /cc @davidben

You want TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, which OpenSSL calls ECDHE-ECDSA-AES128-GCM-SHA256. The version without the "GCM" is a legacy CBC mode cipher which was constructed wrong (see the Lucky 13 attack). AES-GCM is more secure and faster. Most chips have hardware support for GHASH, and the workarounds necessary to mitigate Lucky 13 cost a significant slowdown. This cipher suite also has a high byte overhead, second only to its SHA-384 cousin.

This cipher suite is terrible. :-)
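A pre-flight check for the failure discussed in this thread, as an added example that is not code from the issue or from Netty: it compares a configured suite list against what the loaded netty-tcnative library offers, then builds the context with the GCM suite named in the reply above. The class name CipherPreflight and the use of a client-side context are assumptions made for illustration.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import javax.net.ssl.SSLException;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added example (hypothetical class name), not code from the issue or from Netty.
public final class CipherPreflight {
    // AEAD suites in OpenSSL naming: AES-GCM and ChaCha20-Poly1305. Every other
    // name in the two lists on this page is a CBC-mode suite.
    static boolean isAead(String openSslName) {
        return openSslName.contains("GCM") || openSslName.contains("CHACHA20");
    }

    // Configured suites that the loaded native TLS library does not offer.
    static List<String> unsupported(List<String> configured, Set<String> available) {
        return configured.stream()
                .filter(suite -> !available.contains(suite))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) throws SSLException {
        OpenSsl.ensureAvailability(); // fails early if netty-tcnative did not load
        Set<String> available = OpenSsl.availableOpenSslCipherSuites();

        // The suite list from the stack trace in this issue.
        List<String> configured = Arrays.asList("ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-SHA256");
        for (String suite : unsupported(configured, available)) {
            System.err.println("not offered by the native library: " + suite
                    + (isAead(suite) ? "" : " (CBC mode; use the GCM counterpart)"));
        }

        // Corrected list: the CBC suite replaced by the GCM suite named in the reply.
        List<String> corrected = Arrays.asList("ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256");
        if (!unsupported(corrected, available).isEmpty()) {
            throw new IllegalStateException("corrected list still has unsupported suites");
        }
        SslContext ctx = SslContextBuilder.forClient()
                .sslProvider(SslProvider.OPENSSL)
                .ciphers(corrected)
                .build();
        System.out.println("enabled suites: " + ctx.cipherSuites());
    }
}
```

Running a check like this in a test after a netty-tcnative upgrade reports a dropped suite by name instead of failing inside SslContext construction.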

Thanks @davidben 🎉

@normanmaurer @davidben Thank both of you!!!
