[JBoss JIRA] (WFCORE-3448) Unable to set multiple ssl protocols and ciphers on security-realms using system properties
by Derek Horton (JIRA)
Derek Horton created WFCORE-3448:
------------------------------------
Summary: Unable to set multiple ssl protocols and ciphers on security-realms using system properties
Key: WFCORE-3448
URL: https://issues.jboss.org/browse/WFCORE-3448
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Reporter: Derek Horton
Assignee: Brian Stansberry
It is not possible to set the ssl protocol and ciphers on a security-realm using system property if multiple protocols and/or ciphers are needed.
Setting the "enabled-cipher-suites" and "enabled-protocols" using a system property works if the system property value resolves to a single value ("TLSv1.2" for example).
An error is thrown if the system property has multiple values (-Dtlsversion="TLSv1.1 TLSv1.2"). Here is the error that is generated:
13:20:43,315 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ManagementRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ManagementRealm.ssl-context: WFLYDM0096: No protocols in common, supported=([SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]), requested=([TLSv1.1 TLSv1.2])
at org.jboss.as.domain.management.security.SSLContextService.wrapSslContext(SSLContextService.java:137)
at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:102)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 1 month
[JBoss JIRA] (WFLY-9597) UndertowSubsystemParser_5_0 could be instantiated twice: once as a reader and once as a writer
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFLY-9597?page=com.atlassian.jira.plugin.... ]
Brian Stansberry edited comment on WFLY-9597 at 12/5/17 1:14 PM:
-----------------------------------------------------------------
Part of the reason I filed WFCORE-3441 is I wanted consideration of this kind thing before people started just blindly moving to a Supplier in order to make a deprecation warn go away.
There are a number of intersecting factors to balance in all this.
1) If the parsers and marshallers are basically stateless objects, the class space for the Supplier is more than the cost of an object.
2) A PersistentResourceXMLParser implementation may or may not be stateless, depending on how it is coded. Some store the PersistentResourceXMLDescription in a static field (making the class itself somewhat heavy but an instance stateless), some in an instance field, and some calculate it on the fly.
3) For the current version of a parser, it's actually important to boot time that a PersistentResourceXMLDescription be created during Extension.initializeParsers and not deferred to when parsing happens. Extension.initializeParsers is done concurrently while parsing is single threaded, and creating the PersistentResourceXMLDescription ends up being the trigger that loads most of the extension's management model classes, creates AttributeDefinitions etc.
Likely the most efficient way to do this with a PersistentResourceXMLParser is:
{code}
class FooExtension implements Extension {
private volatile PersistentResourceXmlParser currentParserMarshaller;
private PersistentResourceXmlParser getCurrentParserMarshaller() {
PersistentResourceXmlParser result = currentParserMarshaller;
if (result == null) {
result = currentParserMarshaller = new FooParser3_0();
}
return result;
}
public void initializeParsers(ExtensionParsingContext context) {
.... register legacy parsers using the Supplier API
context.setSubsystemXmlMapping("foo", FOO_3_URI, getCurrentParserMarshaller());
}
public void initialize(ExtensionContext context) {
.... do the other stuff
subsystem.registerXMLElementWriter(getCurrentParserMarshaller());
}
}
{code}
The PersistentResourceXmlParser subclass itself would not cache the PersistentResourceXMLDescription, it would create it when asked. The ExtensionRegistry itself triggers a single-use caching of the PersistentResourceXMLDescription if a PersistentResourceXmlParser is passed to context.setSubsystemXmlMapping. It's a single use cache, so when the document is parsed at boot it would be discarded.
All of this is black art, which sucks. But barring a rewrite of Extension etc, which isn't happening for WF 12, I think black art is what we need to do.
was (Author: brian.stansberry):
Part of the reason I filed WFCORE-3441 is I wanted consideration of this kind thing before people started just blindly moving to a Supplier in order to make a deprecation warn go away.
There are a number of intersecting factors to balance in all this.
1) If the parsers and marshallers are basically stateless objects, the class space for the Supplier is more than the cost of an object.
2) A PersistentResourceXMLParser implementation may or may not be stateless, depending on how it is coded. Some store the PersistentResourceXMLDescription in a static field (making the class itself somewhat heavy but an instance stateless), some in an instance field, and some calculate it on the fly.
3) For the current version of a parser, it's actually important to boot time that a PersistentResourceXMLDescription be created during Extension.initializeParsers and not deferred to when parsing happens. Extension.initializeParsers is done concurrently while parsing is single threaded, and creating the PersistentResourceXMLDescription ends up being the trigger that loads most of the extensions management model classes, creates AttributeDefinitions etc.
Likely the most efficient way to do this with a PersistentResourceXMLParser is:
{code}
class FooExtension implements Extension {
private volatile PersistentResourceXmlParser currentParserMarshaller;
private PersistentResourceXmlParser getCurrentParserMarshaller() {
PersistentResourceXmlParser result = currentParserMarshaller;
if (result == null) {
result = currentParserMarshaller = new FooParser3_0();
}
return result;
}
public void initializeParsers(ExtensionParsingContext context) {
.... register legacy parsers using the Supplier API
context.setSubsystemXmlMapping("foo", FOO_3_URI, getCurrentParserMarshaller());
}
public void initialize(ExtensionContext context) {
.... do the other stuff
subsystem.registerXMLElementWriter(getCurrentParserMarshaller());
}
}
{code}
That's kind of fussy code, but oh well.
> UndertowSubsystemParser_5_0 could be instantiated twice: once as a reader and once as a writer
> ----------------------------------------------------------------------------------------------
>
> Key: WFLY-9597
> URL: https://issues.jboss.org/browse/WFLY-9597
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Reporter: Radoslav Husar
> Assignee: Tomaz Cerar
>
> The org.wildfly.extension.undertow.UndertowSubsystemParser_5_0#xmlDescription could be created twice, the first and last line in the diff should return the same instance or use different approach: https://github.com/rhusar/wildfly/blob/7dbc8bd0c8bcdae5db61ecdff1484a422c...
> Most likely the same issue is in multiple places.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 1 month
[JBoss JIRA] (WFLY-9597) UndertowSubsystemParser_5_0 could be instantiated twice: once as a reader and once as a writer
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFLY-9597?page=com.atlassian.jira.plugin.... ]
Brian Stansberry commented on WFLY-9597:
----------------------------------------
Part of the reason I filed WFCORE-3441 is I wanted consideration of this kind thing before people started just blindly moving to a Supplier in order to make a deprecation warn go away.
There are a number of intersecting factors to balance in all this.
1) If the parsers and marshallers are basically stateless objects, the class space for the Supplier is more than the cost of an object.
2) A PersistentResourceXMLParser implementation may or may not be stateless, depending on how it is coded. Some store the PersistentResourceXMLDescription in a static field (making the class itself somewhat heavy but an instance stateless), some in an instance field, and some calculate it on the fly.
3) For the current version of a parser, it's actually important to boot time that a PersistentResourceXMLDescription be created during Extension.initializeParsers and not deferred to when parsing happens. Extension.initializeParsers is done concurrently while parsing is single threaded, and creating the PersistentResourceXMLDescription ends up being the trigger that loads most of the extensions management model classes, creates AttributeDefinitions etc.
Likely the most efficient way to do this with a PersistentResourceXMLParser is:
{code}
class FooExtension implements Extension {
private volatile PersistentResourceXmlParser currentParserMarshaller;
private PersistentResourceXmlParser getCurrentParserMarshaller() {
PersistentResourceXmlParser result = currentParserMarshaller;
if (result == null) {
result = currentParserMarshaller = new FooParser3_0();
}
return result;
}
public void initializeParsers(ExtensionParsingContext context) {
.... register legacy parsers using the Supplier API
context.setSubsystemXmlMapping("foo", FOO_3_URI, getCurrentParserMarshaller());
}
public void initialize(ExtensionContext context) {
.... do the other stuff
subsystem.registerXMLElementWriter(getCurrentParserMarshaller());
}
}
{code}
That's kind of fussy code, but oh well.
> UndertowSubsystemParser_5_0 could be instantiated twice: once as a reader and once as a writer
> ----------------------------------------------------------------------------------------------
>
> Key: WFLY-9597
> URL: https://issues.jboss.org/browse/WFLY-9597
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Reporter: Radoslav Husar
> Assignee: Tomaz Cerar
>
> The org.wildfly.extension.undertow.UndertowSubsystemParser_5_0#xmlDescription could be created twice, the first and last line in the diff should return the same instance or use different approach: https://github.com/rhusar/wildfly/blob/7dbc8bd0c8bcdae5db61ecdff1484a422c...
> Most likely the same issue is in multiple places.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 1 month
[JBoss JIRA] (ELY-1300) Pem.parsePemX509Certificate() cannot parse files with non-PEM content
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-1300?page=com.atlassian.jira.plugin.s... ]
Jan Kalina reassigned ELY-1300:
-------------------------------
Assignee: Martin Mazanek (was: Jan Kalina)
> Pem.parsePemX509Certificate() cannot parse files with non-PEM content
> ---------------------------------------------------------------------
>
> Key: ELY-1300
> URL: https://issues.jboss.org/browse/ELY-1300
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Peter Palaga
> Assignee: Martin Mazanek
>
> Add a test like this to `PemTest`:
> {code}
> @Test
> public void testParsePemX509Certificate01() throws Exception {
> URL url = PemTest.class.getResource("/ca/certs/01.pem");
> byte[] bytes = Files.readAllBytes(Paths.get(url.toURI()));
> assertNotNull(Pem.parsePemX509Certificate(CodePointIterator.ofUtf8Bytes(bytes)));
> }
> {code}
> Note that {{ca/certs/01.pem}} should start with non-PEM content
> {code}
> Certificate:
> Data:
> ...
> {code}
> followed by the PEM content:
> {code}
> -----BEGIN CERTIFICATE-----
> {code}
> Run the test
> {code}
> mvn clean test -Dtest=PemTest#testParsePemX509Certificate01
> {code}
> Expected: Not quite sure if the parser should accept this. In any case, the following code works on Oracle/OpenJDK (while it does not on IBM JDK):
> {code}
> CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
> InputStream is = X509EvidenceVerificationSuiteChild.class.getResourceAsStream("/ca/certs/01.pem");
> Assert.assertNotNull((X509Certificate) certificateFactory.generateCertificate(is));
> {code}
> Actual:
> {code}
> testParsePemX509Certificate01(org.wildfly.security.util.PemTest) Time elapsed: 0.116 sec <<< ERROR!
> java.lang.IllegalArgumentException: ELY03010: Malformed PEM content at offset 1
> at org.wildfly.security.pem.Pem.parsePemContent(Pem.java:79)
> at org.wildfly.security.pem.Pem.parsePemX509Certificate(Pem.java:272)
> at org.wildfly.security.util.PemTest.testParsePemX509Certificate01(PemTest.java:57)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367)
> at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274)
> at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
> at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161)
> at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290)
> at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242)
> at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121)
> {code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 1 month
[JBoss JIRA] (ELY-1300) Pem.parsePemX509Certificate() cannot parse files with non-PEM content
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-1300?page=com.atlassian.jira.plugin.s... ]
Jan Kalina commented on ELY-1300:
---------------------------------
[~dlofthouse] This could be good isolated starting point for new intern [~mmazanek] - he say he is be interested, would be ok to assing to him?
> Pem.parsePemX509Certificate() cannot parse files with non-PEM content
> ---------------------------------------------------------------------
>
> Key: ELY-1300
> URL: https://issues.jboss.org/browse/ELY-1300
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Peter Palaga
> Assignee: Jan Kalina
>
> Add a test like this to `PemTest`:
> {code}
> @Test
> public void testParsePemX509Certificate01() throws Exception {
> URL url = PemTest.class.getResource("/ca/certs/01.pem");
> byte[] bytes = Files.readAllBytes(Paths.get(url.toURI()));
> assertNotNull(Pem.parsePemX509Certificate(CodePointIterator.ofUtf8Bytes(bytes)));
> }
> {code}
> Note that {{ca/certs/01.pem}} should start with non-PEM content
> {code}
> Certificate:
> Data:
> ...
> {code}
> followed by the PEM content:
> {code}
> -----BEGIN CERTIFICATE-----
> {code}
> Run the test
> {code}
> mvn clean test -Dtest=PemTest#testParsePemX509Certificate01
> {code}
> Expected: Not quite sure if the parser should accept this. In any case, the following code works on Oracle/OpenJDK (while it does not on IBM JDK):
> {code}
> CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
> InputStream is = X509EvidenceVerificationSuiteChild.class.getResourceAsStream("/ca/certs/01.pem");
> Assert.assertNotNull((X509Certificate) certificateFactory.generateCertificate(is));
> {code}
> Actual:
> {code}
> testParsePemX509Certificate01(org.wildfly.security.util.PemTest) Time elapsed: 0.116 sec <<< ERROR!
> java.lang.IllegalArgumentException: ELY03010: Malformed PEM content at offset 1
> at org.wildfly.security.pem.Pem.parsePemContent(Pem.java:79)
> at org.wildfly.security.pem.Pem.parsePemX509Certificate(Pem.java:272)
> at org.wildfly.security.util.PemTest.testParsePemX509Certificate01(PemTest.java:57)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367)
> at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274)
> at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
> at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161)
> at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290)
> at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242)
> at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121)
> {code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 1 month
[JBoss JIRA] (JGRP-2239) AUTH + ASYM_ENCRYPT causes problem with re-joining cluster (MERGE)
by Bela Ban (JIRA)
[ https://issues.jboss.org/browse/JGRP-2239?page=com.atlassian.jira.plugin.... ]
Bela Ban updated JGRP-2239:
---------------------------
Fix Version/s: 4.0.10
(was: 4.0.9)
> AUTH + ASYM_ENCRYPT causes problem with re-joining cluster (MERGE)
> ------------------------------------------------------------------
>
> Key: JGRP-2239
> URL: https://issues.jboss.org/browse/JGRP-2239
> Project: JGroups
> Issue Type: Bug
> Affects Versions: 4.0.6
> Environment: Infinispan 9.1.1 + JGroups 4.0.6.Final + Vert.x 3.5.0
> Reporter: Boris Sh
> Assignee: Bela Ban
> Fix For: 4.0.10
>
>
> Hello,
> I am using the following configuration:
> {code:java}
> <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns="urn:org:jgroups" xsi:schemaLocation="urn:org:jgroups http://www.jgroups.org/schema/jgroups.xsd">
> <UDP />
> <PING />
> <MERGE3 />
> <FD />
> <VERIFY_SUSPECT />
> <ASYM_ENCRYPT encrypt_entire_message="true" sym_keylength="128"
> sym_algorithm="AES/ECB/PKCS5Padding" asym_keylength="2048"
> asym_algorithm="RSA" />
> <pbcast.NAKACK2 />
> <UNICAST3 />
> <pbcast.STABLE />
> <FRAG2 />
> <AUTH auth_class="org.jgroups.auth.X509Token" auth_value="auth"
> keystore_path="keystore.jks" keystore_password="pwd" cert_alias="alias"
> cipher_type="RSA" />
> <pbcast.GMS />
> </config>
> {code}
> I have 7 services, but will try to show logs for 2 ones, coordinator and some random node, and all the other nodes behave similarly.
> Initially, when these nodes join the cluster, everything is fine.
> The server is a shared machine with slow CPU and also slow HDD, so sometimes, when other applications are busy with their tasks, whole my cluster can get frozen for 3-5 minutes. During/in the end of this freeze, some service may tell me the following (in logs):
> {code:java}
> org.jgroups.protocols.FD up
> WARNING: node-26978: I was suspected by node-27291; ignoring the SUSPECT message and sending back a HEARTBEAT_ACK
> WARNING: node-26978: unrecognized cipher; discarding message from node-27291
> org.jgroups.protocols.Encrypt handleEncryptedMessage
> WARNING: node-26978: unrecognized cipher; discarding message from node-27291
> org.jgroups.protocols.Encrypt handleEncryptedMessage
> WARNING: node-26978: unrecognized cipher; discarding message from node-36734
> org.jgroups.protocols.Encrypt handleEncryptedMessage
> {code}
> so the node was kicked out from the cluster, as it became "suspect", but the node doesn't agree with that fact. Cluster coordinator has already changed sym private key, so in the further logs of this server I see "unrecognized cipher".
> In cluster coordinator logs I see the following:
> {code:java}
> INFO: ISPN100000: Node node-26978 joined the cluster
> ****
> WARN: node-27291: unrecognized cipher; discarding message from node-26978
> org.jgroups.logging.Slf4jLogImpl error
> ERROR: key requester node-26978 is not in current view [***]; ignoring key request
> org.jgroups.logging.Slf4jLogImpl warn
> WARN: node-27291: unrecognized cipher; discarding message from node-26978
> INFO: ISPN000093: Received new, MERGED cluster view for channel ISPN: MergeView::[node-26978|8] (7) [node-26978, node-12721, node-17625, node-45936, node-56674, node-36734, node-27291], 2 subgroups: [node-27291|7] (6) [node-27291, node-12721, node-17625, node-45936, node-56674, node-36734], [node-27291|6] (7) [node-27291, node-26978, node-12721, node-17625, node-45936, node-56674, node-36734]
> {code}
> My understanding of what has happened:
> For example I have 3 nodes {A, B, C} in the cluster. The cluster gets frozen for some minutes, so node {C} becomes suspected, and kicked out from the cluster by coordinator. For some reason {C} ignores that fact. Later, after cluster is up again, it becomes ignoring messages from {C}, because it is using ASYM encryption and private key has been re-generated by coordinator. Also, for some reason MERGE operation doesn't work, and {C} can not join back to cluster, and now cluster has 2 subgroups, that don't communicate to each other, and I don't fully understand why this happens.
> How I temporary resolved this issue: changed ASYM_ENCRYPT to SYM_ENCRYPT, and now any node can come back to the cluster successfully after freeze, as the key doesn't change.
> Also, I didn't test, but think change_key_on_leave="false" will help, but this is not the way I want to use.
> So looks like this a problem with AUTH + ASYM_ENCRYPT protocol combination, when node in some cases can not rejoin the cluster.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 1 month