546896 – ECF filetransfer.httpclient4 and internal.ssl contain insecure iteration code for https.protocols

Bug 546896 - ECF filetransfer.httpclient4 and internal.ssl contain insecure iteration code for https.protocols

Summary: ECF filetransfer.httpclient4 and internal.ssl contain insecure iteration code...

Status:	RESOLVED FIXED

Alias:	None

Product:	ECF
Classification:	RT
Component:	ecf.filetransfer (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P3 major (vote)
Target Milestone:	---
Assignee:	Scott Lewis
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2019-05-01 13:46 EDT by Rubin Simons
Modified:	2019-06-17 15:41 EDT (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rubin Simons

2019-05-01 13:46:15 EDT

Discovered while trying to find cause of issue as discussed here: https://github.com/eclipse/openj9/issues/5629

The following files contain iteration code that loops over the system property https.protocols and select the *first* protocol that succesfully (without exception) initializes instead of the *highest grade* protocol first and backing down:

./framework/bundles/org.eclipse.ecf.ssl/src/org/eclipse/ecf/internal/ssl/ECFSSLServerSocketFactory.java
./framework/bundles/org.eclipse.ecf.ssl/src/org/eclipse/ecf/internal/ssl/ECFSSLSocketFactory.java
./providers/bundles/org.eclipse.ecf.provider.filetransfer.httpclient4/src/org/eclipse/ecf/provider/filetransfer/httpclient4/HttpClientDefaultSSLSocketFactoryModifier.java

The consequence of this is that when someone passes for example the parameter

-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

The iterators in the files above will first test TLSv1, then TLSv1.1 and finally TLSv1.2. Due to the break statement, they will abort the loop after succesful initialization. In many cases, given the above https.protocols, they will select TLSv1 to interact with the remote site, which actually might support TLSv1.2 also

Ideally, the code would refer to an known list of supported protocols, mayhaps associate a score or preference for them and always re-order the list by preference. I'm not sure, but I think standard Java is doing that normally when you specify multiple protocols, somewhere buried in the JRE.

Also, an improvement would be to make this code singular, maybe a helper function, to avoid the triple copied implementations.

Comment 1 Scott Lewis

2019-05-01 22:17:57 EDT


fixed in commit:  https://git.eclipse.org/c/ecf/org.eclipse.ecf.git/commit/?id=cea01f8d7208697190accf1304fb71c1abd198af

Fixed by ordering/prioritizing https.protocols and their use for creating SSLContext in org.eclipse.ecf.ssl classes and org.eclipse.ecf.providers.httpclient4 class.   Refactored in org.eclipse.ecf.ssl to share a class.  Since httpclient4 and org.eclipse.ecf.ssl do not share a common parent bundle ended up duplicating the same logic in org.eclipse.ecf.provider.httpclient4.  At least down to 2 impls instead of 3.

Thanks for the report.

Comment 2 Rubin Simons

2019-06-17 15:03:06 EDT

Hi Scott, quick question: In what release version of ECF will this show up? Will that version of ECF show up in existing Eclipse releases or will it only be available in new versions of Eclipse?

Comment 3 Scott Lewis

2019-06-17 15:41:07 EDT

(In reply to Rubin Simons from comment #2)
> Hi Scott, quick question: In what release version of ECF will this show up?
> Will that version of ECF show up in existing Eclipse releases or will it
> only be available in new versions of Eclipse?

See answer on this comment:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546894#c3