pingidentity / ldapsdk

UnboundID LDAP SDK for Java

TLS cipher selection issue with IBM J9 Java #125

Closed fragger42 closed 2 years ago

fragger42 commented 2 years ago

When using Unboundid with a current IBM J9 java, it seems like the TLS selection algorithm of Unboundid does not work properly. I'm using this java:

java version "1.8.0_311"
Java(TM) SE Runtime Environment (build 8.0.7.0 - pxa6480sr7-20211025_01(SR7))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References 20211022_15212 (JIT enabled, AOT enabled)
OpenJ9 - 6abb372
OMR - b898db9
IBM - 2f2c48b)
JCL - 20210930_01 based on Oracle jdk8u311-b11

On this java, unboundid enables these ciphers only (SSLUtil.getEnabledSSLCipherSuites()):

[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

However, there is no compatible cipher with TLS1.2 servers (at least not with mine).

A list of all ciphers supported by my java vm can be output using:

jrunscript -e "java.util.Arrays.asList(javax.net.ssl.SSLServerSocketFactory.getDefault().getSupportedCipherSuites()).stream().forEach(println)"

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

From what I can see, the problem is that IBM OpenJ9 names almost all ciphers with SSL at the beginning, but not all. The method selectCipherSuites in com.unboundid.util.ssl.TLSCipherSuiteSelector.java has logic to use those ciphers with SSL if there are no ciphers beginning with TLS. But here, there are a few with TLS (seems like those that were added with TLS1.3 by IBM?) and thus it does not work properly and selects almost no cipher suites.

dirmgr commented 2 years ago

Thank you for reporting this. The IBM JVM seems to be unique in the way that it names cipher suites, and IBM Java 8 in particular. I tested with the latest Java 11 version, and it seems to only use "TLS_" prefixes.

I had made an earlier update (in the 5.1.4 release of the LDAP SDK) to accommodate IBM JVMs that used only SSL_ prefixes, but it looks like they're now using a mix of TLS_ and SSL_ prefixes, so my earlier workaround is no longer valid.

I have just committed a set of changes that should cause the LDAP SDK to treat the "SSL" prefix as equivalent to the "TLS" prefix on JVMs in which the vendor string contains "IBM". I tested IBM Java version 1.8.0_321, and before my changes, the set of recommended suites included only the following:

With the changes in place, the set of recommended suites is now:

The changes will be included in the next release of the LDAP SDK, which is expected within the next week or two. You can get them sooner than that if you check out and build the LDAP SDK for yourself.
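
The two selection behaviours discussed in this thread, as an added example (not part of the thread and not the LDAP SDK's code). The `acceptable` policy, the class and method names, the sample suite list (a subset of the names reported above) and the vendor string are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

public class CipherPrefixDemo {
    // Constructed sample: a subset of the suite names listed in the report.
    static final List<String> SUPPORTED = Arrays.asList(
        "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "SSL_RSA_WITH_AES_128_CBC_SHA",
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV");

    // Hypothetical stand-in policy (not the SDK's criteria): TLS 1.3 suites,
    // or (EC)DHE key exchange combined with an AEAD cipher.
    static boolean acceptable(String tlsName) {
        boolean tls13 = !tlsName.contains("_WITH_") && !tlsName.endsWith("_SCSV");
        boolean pfs = tlsName.startsWith("TLS_ECDHE_") || tlsName.startsWith("TLS_DHE_");
        boolean aead = tlsName.contains("_GCM_") || tlsName.contains("_CHACHA20_");
        return tls13 || (pfs && aead);
    }

    // Behaviour described in the report: SSL_ names are considered only when
    // the JVM exposes no TLS_ names at all, so a mixed list loses its SSL_ suites.
    static List<String> fallbackSelect(List<String> supported) {
        boolean anyTls = supported.stream().anyMatch(s -> s.startsWith("TLS_"));
        String prefix = anyTls ? "TLS_" : "SSL_";
        return supported.stream()
            .filter(s -> s.startsWith(prefix))
            .filter(s -> acceptable("TLS_" + s.substring(4)))
            .collect(Collectors.toList());
    }

    // Behaviour described in the fix: when the vendor string contains "IBM",
    // SSL_ is evaluated as TLS_. The JVM's own spelling is returned, because
    // that is the name the JVM accepts when the suites are enabled.
    static List<String> normalizedSelect(List<String> supported, String vendor) {
        boolean ibm = vendor.contains("IBM");
        return supported.stream()
            .filter(s -> s.startsWith("TLS_") || (ibm && s.startsWith("SSL_")))
            .filter(s -> acceptable("TLS_" + s.substring(4)))
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        System.out.println("fallback:   " + fallbackSelect(SUPPORTED));
        // Constructed vendor value; a live check would read System.getProperty("java.vendor").
        System.out.println("normalized: " + normalizedSelect(SUPPORTED, "IBM Corporation"));
    }
}
```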

fragger42 commented 2 years ago

Wow that was fast! I did a test build and it works fine now on my side. Thanks a lot!