[JBoss JIRA] (WFCORE-3970) Reload Elytron ldap-key-store using JBoss CLI
by Farah Juma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3970?page=com.atlassian.jira.plugi... ]
Farah Juma commented on WFCORE-3970:
------------------------------------
Since an {{ldap-key-store}} already loads its entries in real-time, the focus of this task should actually be to add a management operation to allow an Elytron {{trust-manager}} to be re-initialized, similar to the {{key-manager}} {{init}} operation. I'm going to update the title of this issue to reflect this.
> Reload Elytron ldap-key-store using JBoss CLI
> ---------------------------------------------
>
> Key: WFCORE-3970
> URL: https://issues.jboss.org/browse/WFCORE-3970
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Security
> Reporter: Farah Juma
> Assignee: Justin Cook
>
> It is not possible to reload the certificates dynamically for Elytron's *ldap-key-store*.
> If some changes have been made to the certificates present in the LDAP directory, then EAP needs to be restarted first in order to see those changes, which is not ideal for production environments.
> For simple file-based keystores, a *load* operation is available:
> -------------------------
> [standalone@localhost:9990 /] /subsystem=elytron/key-store=twoWayKS:load()
> -------------------------
> But this option is missing for *ldap-key-store*:
> -------------------------
> [standalone@localhost:9990 /] /subsystem=elytron/ldap-key-store=LKS1:load()
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0031: No operation named 'load' exists at address [
> (\"subsystem\" => \"elytron\"),
> (\"ldap-key-store\" => \"LKS1\")
> ]",
> "rolled-back" => true
> }
> -------------------------
> There should be such an option available to reload the content of an ldap-key-store without restarting the EAP server.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 5 months
[JBoss JIRA] (WFCORE-3970) Add a management operation to allow an Elytron trust-manager to be re-initialized
by Farah Juma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3970?page=com.atlassian.jira.plugi... ]
Farah Juma updated WFCORE-3970:
-------------------------------
Summary: Add a management operation to allow an Elytron trust-manager to be re-initialized (was: Reload Elytron ldap-key-store using JBoss CLI)
[JBoss JIRA] (ELY-1618) TLS with BCJSSE Provider does not work
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1618?page=com.atlassian.jira.plugin.s... ]
Martin Choma updated ELY-1618:
------------------------------
Steps to Reproduce:
* drop two bc fips jars into java.home/jre/lib/ext
** bc-fips-1.0.1.jar
** bctls-fips-1.0.5.jar
* install bc fips in java.security
{code}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
{code}
* remove openssl provider from standalone.xml
** /subsystem=elytron:write-attribute(name=final-providers,value=elytron)
* create BCFKS keystore
** keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore /home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.1/bc-fips-1.0.1.jar -storetype BCFKS -storepass password -dname "CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ" -validity 730 -v
* configure undertow with tls
** /subsystem=elytron/key-store=key-store-name_server-ssl-context:add(name=key-store-name_server-ssl-context, type=BCFKS, credential-reference={clear-text => password}, path=/home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks)
** /subsystem=elytron/key-manager=key-manager-name_server-ssl-context:add(key-store=key-store-name_server-ssl-context, credential-reference={clear-text => password}, algorithm=X509)
** /subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=key-manager-name_server-ssl-context, cipher-suite-filter=TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, protocols=[TLSv1.2], need-client-auth=false)
** /subsystem=undertow/server=default-server/https-listener=https-listener:write-attribute(name=ssl-context, value=server-ssl-context)
was:
* drop two bc fips jars into java.home/jre/lib/ext
** bc-fips-1.0.1.jar
** bctls-fips-1.0.5.jar
* install bc fips in java.security
{code}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
{code}
* remove openssl provider from standalone.xml
** /subsystem=elytron:write-attribute(name=final-providers,value=elytron)
* create BCFKS keystore
** keytool, -genkeypair, -alias, appserver, -keyalg, RSA, -keysize, 2048, -keypass, password, -keystore, /home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks, -provider, org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider, -providerpath, /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.1/bc-fips-1.0.1.jar, -storetype, BCFKS, -storepass, password, -dname, CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ, -validity, 730, -v
* configure undertow with tls
**/subsystem=elytron/key-store=key-store-name_server-ssl-context:add(name=key-store-name_server-ssl-context, type=BCFKS, credential-reference={clear-text => password}, path=/home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks
**/subsystem=elytron/key-manager=key-manager-name_server-ssl-context:add(key-store=key-store-name_server-ssl-context, credential-reference={clear-text => password}, algorithm=X509)
**/subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=key-manager-name_server-ssl-context, cipher-suite-filter=TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, protocols=[TLSv1.2], need-client-auth=false)
**/subsystem=undertow/server=default-server/https-listener=https-listener:write-attribute(name=ssl-context, value=server-ssl-context)
> TLS with BCJSSE Provider does not work
> --------------------------------------
>
> Key: ELY-1618
> URL: https://issues.jboss.org/browse/ELY-1618
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.4.0.Final
> Reporter: Martin Choma
> Assignee: Farah Juma
> Priority: Blocker
> Attachments: standalone.v29.xml
>
>
> When I configure BouncyCastleJsseProvider to be the only possible provider providing TLS, TLS does not work, with this exception:
> {code}
> 14:07:53,905 TRACE [org.wildfly.security] (MSC service thread 1-4) No SSLContext provided by providers in SSLUtils: [BCFIPS version 1.01, BCJSSE version 1.0005, SUN version 1.8, ApacheXMLDSig version 2.11, SunJCE version 1.8, TLSP version 1.0, WildFlyElytron version 1.0]
> 14:07:53,906 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.ssl-context.test-server-ssl-context: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.test-server-ssl-context: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
> at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:926)
> at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
> at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
> at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
> at org.wildfly.security.ssl.SSLUtils.throwIt(SSLUtils.java:142)
> at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:340)
> at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:924)
> ... 9 more
> 14:07:53,910 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("server-ssl-context" => "test-server-ssl-context")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.test-server-ssl-context" => "java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
> Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria"}}
> {code}
> After debugging, it seems the problem is this:
> The supported protocols resolved from BCJSSE version 1.0005 are [TLS, TLSV1, TLSV1.2, DEFAULT, TLSV1.1].
> Whereas the Elytron class org.wildfly.security.ssl.Protocol uses the constants TLSv1, TLSv1.1, TLSv1.2, ... i.e. a lower-case "v".
> And thus ProtocolSelector.evaluate returns an empty set.
> A possible solution to this particular problem would be to make Protocol case insensitive, i.e. define the enum constants in upper case and adjust the methods to use .toUpperCase(). But I am probably not aware of all the consequences of such a change.
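To make the mismatch described in the report concrete, here is an added Python sketch written for this page; it is not Elytron's ProtocolSelector (which is Java) and does not claim to mirror its internals. It intersects the operator's configured protocol list (protocols=[TLSv1.2] in the report) with the names a JSSE provider reports as supported, once by exact string and once with case folded for comparison. BCJSSE_SUPPORTED is the list quoted in the issue; SUNJSSE_SUPPORTED is an assumed list for the default Java 8 provider, included only to show the same configuration matching there; NoMatchingProtocol is a hypothetical stand-in for the NoSuchAlgorithmException in the log.

```python
"""Added illustration of the protocol-name mismatch reported in ELY-1618.

Example code for this page, not Elytron's own ProtocolSelector. It models
two ways of intersecting the configured protocols with the names a JSSE
provider says it supports, and shows why the exact-string version comes
back empty against BCJSSE.
"""


class NoMatchingProtocol(Exception):
    """Hypothetical stand-in for the NoSuchAlgorithmException (ELY04001)."""


# The list the reporter saw BCJSSE 1.0005 return (quoted from the issue).
BCJSSE_SUPPORTED = ["TLS", "TLSV1", "TLSV1.2", "DEFAULT", "TLSV1.1"]

# Assumed list for the default SunJSSE provider on Java 8; constructed
# here only to show that the same configuration matches against it.
SUNJSSE_SUPPORTED = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def select_case_sensitive(configured, supported):
    """Exact-string intersection, preserving the configured order."""
    supported_set = set(supported)
    return [p for p in configured if p in supported_set]


def select_case_insensitive(configured, supported):
    """Intersection after upper-casing both sides for comparison only.

    The returned strings are the provider's own spelling, because those are
    the values that later go to SSLEngine.setEnabledProtocols(); handing the
    provider Elytron's spelling instead would just move the mismatch one
    step down. Folding does not widen the set: "SSLv2" still does not match
    "SSLv2Hello", and nothing not explicitly configured is returned.
    """
    by_key = {}
    for name in supported:
        by_key.setdefault(name.upper(), name)
    return [by_key[p.upper()] for p in configured if p.upper() in by_key]


def enabled_protocols(configured, supported, case_insensitive):
    """Mimics the selector step of building an SSLContext: an empty
    selection is fatal rather than silently meaning 'all protocols'."""
    selector = select_case_insensitive if case_insensitive else select_case_sensitive
    chosen = selector(configured, supported)
    if not chosen:
        raise NoMatchingProtocol(
            "No algorithm found matching TLS/SSL protocol selection criteria")
    return chosen


if __name__ == "__main__":
    configured = ["TLSv1.2"]
    print("SunJSSE, exact match: ", select_case_sensitive(configured, SUNJSSE_SUPPORTED))
    print("BCJSSE,  exact match: ", select_case_sensitive(configured, BCJSSE_SUPPORTED))
    print("BCJSSE,  folded match:", select_case_insensitive(configured, BCJSSE_SUPPORTED))
    try:
        enabled_protocols(configured, BCJSSE_SUPPORTED, case_insensitive=False)
    except NoMatchingProtocol as e:
        print("ELY04001-style failure:", e)
```

The design point is that case folding belongs in the comparison key only; the selector still hands the provider its own strings, and the configured list remains the sole source of what gets enabled, so the fix cannot accidentally turn on a protocol the operator did not ask for.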
[JBoss JIRA] (ELY-1618) TLS with BCJSSE Provider does not work
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1618?page=com.atlassian.jira.plugin.s... ]
Martin Choma updated ELY-1618:
------------------------------
Steps to Reproduce:
* drop two bc fips jars into java.home/jre/lib/ext
** bc-fips-1.0.1.jar
** bctls-fips-1.0.5.jar
* install bc fips in java.security
{code}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
{code}
* remove openssl provider from standalone.xml
** /subsystem=elytron:write-attribute(name=final-providers,value=elytron)
* create BCFKS keystore
** keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore /home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.1/bc-fips-1.0.1.jar -storetype BCFKS -storepass password -dname "CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ" -validity 730 -v
* create server ssl context
** /subsystem=elytron/key-store=key-store-name_server-ssl-context:add(name=key-store-name_server-ssl-context, type=BCFKS, credential-reference={clear-text => password}, path=/home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks)
** /subsystem=elytron/key-manager=key-manager-name_server-ssl-context:add(key-store=key-store-name_server-ssl-context, credential-reference={clear-text => password}, algorithm=X509)
** /subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=key-manager-name_server-ssl-context, cipher-suite-filter=TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, protocols=[TLSv1.2], need-client-auth=false)
** /subsystem=undertow/server=default-server/https-listener=https-listener:write-attribute(name=ssl-context, value=server-ssl-context)
was:
* drop two bc fips jars into java.home/jre/lib/ext
** bc-fips-1.0.1.jar
** bctls-fips-1.0.5.jar
* install bc fips in java.security
{code}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
{code}
* remove openssl provider from standalone.xml
** /subsystem=elytron:write-attribute(name=final-providers,value=elytron)
[JBoss JIRA] (ELY-1618) TLS with BCJSSE Provider does not work
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1618?page=com.atlassian.jira.plugin.s... ]
Martin Choma updated ELY-1618:
------------------------------
Steps to Reproduce:
* drop two bc fips jars into java.home/jre/lib/ext
** bc-fips-1.0.1.jar
** bctls-fips-1.0.5.jar
* install bc fips in java.security
{code}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
{code}
* remove openssl provider from standalone.xml
** /subsystem=elytron:write-attribute(name=final-providers,value=elytron)
* create BCFKS keystore
** keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore /home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.1/bc-fips-1.0.1.jar -storetype BCFKS -storepass password -dname "CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ" -validity 730 -v
* configure undertow with tls
** /subsystem=elytron/key-store=key-store-name_server-ssl-context:add(name=key-store-name_server-ssl-context, type=BCFKS, credential-reference={clear-text => password}, path=/home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks)
** /subsystem=elytron/key-manager=key-manager-name_server-ssl-context:add(key-store=key-store-name_server-ssl-context, credential-reference={clear-text => password}, algorithm=X509)
** /subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=key-manager-name_server-ssl-context, cipher-suite-filter=TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, protocols=[TLSv1.2], need-client-auth=false)
** /subsystem=undertow/server=default-server/https-listener=https-listener:write-attribute(name=ssl-context, value=server-ssl-context)
was:
* drop two bc fips jars into java.home/jre/lib/ext
** bc-fips-1.0.1.jar
** bctls-fips-1.0.5.jar
* install bc fips in java.security
{code}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
{code}
* remove openssl provider from standalone.xml
** /subsystem=elytron:write-attribute(name=final-providers,value=elytron)
* create BCFKS keystore
** keytool, -genkeypair, -alias, appserver, -keyalg, RSA, -keysize, 2048, -keypass, password, -keystore, /home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks, -provider, org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider, -providerpath, /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.1/bc-fips-1.0.1.jar, -storetype, BCFKS, -storepass, password, -dname, CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ, -validity, 730, -v
* create server ssl context
** /subsystem=elytron/key-store=key-store-name_server-ssl-context:add(name=key-store-name_server-ssl-context, type=BCFKS, credential-reference={clear-text => password}, path=/home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks
** /subsystem=elytron/key-manager=key-manager-name_server-ssl-context:add(key-store=key-store-name_server-ssl-context, credential-reference={clear-text => password}, algorithm=X509)
** /subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=key-manager-name_server-ssl-context, cipher-suite-filter=TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, protocols=[TLSv1.2], need-client-auth=false)
** /subsystem=undertow/server=default-server/https-listener=https-listener:write-attribute(name=ssl-context, value=server-ssl-context)
[JBoss JIRA] (ELY-1618) TLS with BCJSSE Provider does not work
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1618?page=com.atlassian.jira.plugin.s... ]
Martin Choma updated ELY-1618:
------------------------------
Steps to Reproduce:
* drop two bc fips jars into java.home/jre/lib/ext
** bc-fips-1.0.1.jar
** bctls-fips-1.0.5.jar
* install bc fips in java.security
{code}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
{code}
* remove openssl provider from standalone.xml
** /subsystem=elytron:write-attribute(name=final-providers,value=elytron)
was:
* drop two bc fips jars into java.home/jre/lib/ext
** bc-fips-1.0.1.jar
** bctls-fips-1.0.5.jar
* install bc fips in java.security
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
* remove openssl provider from standalone.xml
** /subsystem=elytron:write-attribute(name=final-providers,value=elytron)