[ https://issues.jboss.org/browse/WFLY-11669?page=com.atlassian.jira.plugin... ]
David Everly updated WFLY-11669:
--------------------------------
Description:
When using the "openssl" provider, the cipher-suite-filter is respected by
undertow, but ignored by iiop-openjdk (modified standalone-full.xml):
{noformat}
        <server-ssl-contexts>
            <server-ssl-context name="openssl-serversslcontext"
                cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"
                protocols="TLSv1.2" key-manager="wildfly-keymanager"
                providers="openssl"/>
        </server-ssl-contexts>
        <client-ssl-contexts>
            <client-ssl-context name="iiop-clientsslcontext"
                cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"
                protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>
        </client-ssl-contexts>
    </tls>
</subsystem>
<subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
    <orb socket-binding="iiop"
        ssl-socket-binding="iiop-ssl"/>
    <initializers security="identity"
        transactions="spec"/>
    <security support-ssl="true"
        server-ssl-context="openssl-serversslcontext"
        client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true"
        client-requires-ssl="false"/>
    <interop iona="true"/>
</subsystem>
{noformat}
See also:
* https://developer.jboss.org/message/987804#987804
* https://github.com/mozilla/cipherscan.git
was:
When using the "openssl" provider, the cipher-suite-filter is respected by
undertow, but ignored by iiop-openjdk:
{noformat}
        <server-ssl-contexts>
            <server-ssl-context name="openssl-serversslcontext"
                cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"
                protocols="TLSv1.2" key-manager="wildfly-keymanager"
                providers="openssl"/>
        </server-ssl-contexts>
        <client-ssl-contexts>
            <client-ssl-context name="iiop-clientsslcontext"
                cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"
                protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>
        </client-ssl-contexts>
    </tls>
</subsystem>
<subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
    <orb socket-binding="iiop"
        ssl-socket-binding="iiop-ssl"/>
    <initializers security="identity"
        transactions="spec"/>
    <security support-ssl="true"
        server-ssl-context="openssl-serversslcontext"
        client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true"
        client-requires-ssl="false"/>
    <interop iona="true"/>
</subsystem>
{noformat}
See also:
* https://developer.jboss.org/message/987804#987804
* https://github.com/mozilla/cipherscan.git
iiop-openjdk ignores cipher-suite-filter with openssl provider
--------------------------------------------------------------
Key: WFLY-11669
URL: https://issues.jboss.org/browse/WFLY-11669
Project: WildFly
Issue Type: Bug
Components: IIOP
Affects Versions: 15.0.0.Final, 15.0.1.Final
Reporter: David Everly
Assignee: Tomasz Adamski
Priority: Major
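One way to check for the behaviour reported here, as an added example that is not part of the original issue or of WildFly: resolve the server-ssl-context that iiop-openjdk references, read its cipher-suite-filter, and list any suites a scanner (such as the cipherscan tool linked above) saw accepted on the iiop-ssl port that the filter does not name. The `<server>` wrapper, the placeholder namespace, the shortened filter and the observed suites are constructed, and the filter is assumed to be a plain colon-separated list of names as on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the reported fragment wrapped so that it parses. The first
# subsystem's namespace is a placeholder and the filter is shortened.
SAMPLE_CONFIG = """<server>
  <subsystem xmlns="urn:example:placeholder-elytron"><tls>
    <server-ssl-contexts>
      <server-ssl-context name="openssl-serversslcontext"
        cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
        protocols="TLSv1.2" key-manager="wildfly-keymanager" providers="openssl"/>
    </server-ssl-contexts>
  </tls></subsystem>
  <subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
    <security support-ssl="true" server-ssl-context="openssl-serversslcontext"
      client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true"/>
  </subsystem>
</server>"""

# Constructed scan result: suites a scanner saw accepted on the iiop-ssl port.
OBSERVED = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA"]


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def iiop_allowed_suites(config_xml):
    """Return the cipher names in the filter of the context IIOP references."""
    root = ET.fromstring(config_xml)
    ctx_name = next(
        (el.get("server-ssl-context") for el in root.iter()
         if local(el.tag) == "security" and "iiop-openjdk" in el.tag), None)
    for el in root.iter():
        if local(el.tag) == "server-ssl-context" and el.get("name") == ctx_name:
            names = el.get("cipher-suite-filter", "").split(":")
            # Assumption: explicit suite names only. Keywords and operators
            # (HIGH, !aNULL, ...) need the real filter grammar, so refuse them.
            if any(n[:1] in ("", "!", "+", "-") or "-" not in n for n in names):
                raise ValueError("filter is not a plain list of suite names")
            return set(names)
    raise LookupError(f"no server-ssl-context named {ctx_name!r}")


def outside_filter(config_xml, observed):
    """Suites the port accepted that the configured filter does not list."""
    return sorted(set(observed) - iiop_allowed_suites(config_xml))


if __name__ == "__main__":
    print(outside_filter(SAMPLE_CONFIG, OBSERVED))
```

A non-empty result on the IIOP SSL port, with an empty result for the same context on the undertow HTTPS port, matches the symptom described in this issue.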