[JBoss JIRA] (WFLY-11669) iiop-openjdk ignores cipher-suite-filter with openssl provider
by David Everly (Jira)
[ https://issues.jboss.org/browse/WFLY-11669?page=com.atlassian.jira.plugin... ]
David Everly updated WFLY-11669:
--------------------------------
Description:
When using the "openssl" provider, the cipher-suite-filter is respected by undertow, but ignored by iiop-openjdk (modified standalone-full.xml):
{noformat}
<server-ssl-contexts>
<server-ssl-context name="openssl-serversslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" key-manager="wildfly-keymanager" providers="openssl"/>
</server-ssl-contexts>
<client-ssl-contexts>
<client-ssl-context name="iiop-clientsslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>
</client-ssl-contexts>
</tls>
</subsystem>
<subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
<orb socket-binding="iiop" ssl-socket-binding="iiop-ssl"/>
<initializers security="identity" transactions="spec"/>
<security support-ssl="true" server-ssl-context="openssl-serversslcontext" client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true" client-requires-ssl="false"/>
<interop iona="true"/>
</subsystem>
{noformat}
See also:
* https://developer.jboss.org/message/987804#987804
* https://github.com/mozilla/cipherscan.git
was:
When using the "openssl" provider, the cipher-suite-filter is respected by undertow, but ignored by iiop-openjdk:
{noformat}
<server-ssl-contexts>
<server-ssl-context name="openssl-serversslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" key-manager="wildfly-keymanager" providers="openssl"/>
</server-ssl-contexts>
<client-ssl-contexts>
<client-ssl-context name="iiop-clientsslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>
</client-ssl-contexts>
</tls>
</subsystem>
<subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
<orb socket-binding="iiop" ssl-socket-binding="iiop-ssl"/>
<initializers security="identity" transactions="spec"/>
<security support-ssl="true" server-ssl-context="openssl-serversslcontext" client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true" client-requires-ssl="false"/>
<interop iona="true"/>
</subsystem>
{noformat}
See also:
* https://developer.jboss.org/message/987804#987804
* https://github.com/mozilla/cipherscan.git
> iiop-openjdk ignores cipher-suite-filter with openssl provider
> --------------------------------------------------------------
>
> Key: WFLY-11669
> URL: https://issues.jboss.org/browse/WFLY-11669
> Project: WildFly
> Issue Type: Bug
> Components: IIOP
> Affects Versions: 15.0.0.Final, 15.0.1.Final
> Reporter: David Everly
> Assignee: Tomasz Adamski
> Priority: Major
>
> When using the "openssl" provider, the cipher-suite-filter is respected by undertow, but ignored by iiop-openjdk (modified standalone-full.xml):
> {noformat}
> <server-ssl-contexts>
> <server-ssl-context name="openssl-serversslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" key-manager="wildfly-keymanager" providers="openssl"/>
> </server-ssl-contexts>
> <client-ssl-contexts>
> <client-ssl-context name="iiop-clientsslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>
> </client-ssl-contexts>
> </tls>
> </subsystem>
> <subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
> <orb socket-binding="iiop" ssl-socket-binding="iiop-ssl"/>
> <initializers security="identity" transactions="spec"/>
> <security support-ssl="true" server-ssl-context="openssl-serversslcontext" client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true" client-requires-ssl="false"/>
> <interop iona="true"/>
> </subsystem>
> {noformat}
> See also:
> * https://developer.jboss.org/message/987804#987804
> * https://github.com/mozilla/cipherscan.git
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
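One way to check what each TLS listener actually negotiates against the configured cipher-suite-filter, as an added example that is not part of the issue report or of WildFly's own code: the Python script below offers exactly one suite per handshake, records which suites the server accepts, and flags any accepted suite that is outside the filter, which is the condition the report describes on the iiop-ssl port. It assumes the filter uses OpenSSL-style suite names that the local OpenSSL build also knows, that the target ports are the standalone-full.xml defaults (https on 8443, iiop-ssl on 3529), and that the server certificate does not need to be trusted for the check; the function names (`probe`, `audit`, `classify`) and the script name used below are this example's own.

```python
"""Probe a TLS endpoint and compare the suites it negotiates with an Elytron cipher-suite-filter."""
import socket
import ssl
import sys

# Filter copied from the issue's server-ssl-context (OpenSSL-style names, colon separated).
ISSUE_FILTER = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"
)


def parse_filter(cipher_filter):
    """Split a colon-separated cipher list into an ordered list of unique suite names."""
    names = []
    for name in cipher_filter.split(":"):
        name = name.strip()
        if name and name not in names:
            names.append(name)
    return names


def local_tls12_ciphers():
    """All pre-TLS-1.3 suites the local OpenSSL build can offer. TLS 1.3 suites are not
    governed by set_ciphers(), so they are left out of the candidate list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def probe(host, port, cipher):
    """Offer exactly one suite over TLS 1.2; return the negotiated suite name, or None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are testing negotiation, not the server's certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return None  # local OpenSSL will not offer this suite (unknown name or security level)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def classify(accepted, allowed):
    """Compare what a server actually negotiated with what the filter permits."""
    accepted_set, allowed_set = set(accepted), set(allowed)
    return {
        "accepted": sorted(accepted_set),
        "outside_filter": sorted(accepted_set - allowed_set),  # the finding in WFLY-11669
        "not_offered": sorted(allowed_set - accepted_set),     # permitted but never negotiated
        "enforced": accepted_set <= allowed_set,
    }


def audit(host, port, cipher_filter, candidates=None, probe_fn=probe):
    """Try every candidate suite one at a time and classify the results against the filter."""
    if candidates is None:
        candidates = local_tls12_ciphers()
    accepted = []
    for cipher in candidates:
        negotiated = probe_fn(host, port, cipher)
        if negotiated is not None:
            accepted.append(negotiated)
    return classify(accepted, parse_filter(cipher_filter))


if __name__ == "__main__":
    # Assumed defaults from standalone-full.xml: https on 8443, iiop-ssl on 3529.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for label, port in (("undertow https", 8443), ("iiop-ssl", 3529)):
        result = audit(target, port, ISSUE_FILTER)
        verdict = "filter enforced" if result["enforced"] else "FILTER IGNORED"
        print(f"{label}:{port} {verdict}; outside filter: {result['outside_filter']}")
```

Run it as `python3 cipher_audit.py <host>` against a server configured as in the report: a `FILTER IGNORED` line for iiop-ssl with suites listed under `outside filter` reproduces the issue, while the https line should report the filter enforced. Because each probe offers a single suite, a refusal can also mean the local OpenSSL could not offer that suite or the server lacks the key material for it (DHE suites need DH parameters), so `not_offered` is informational; only `outside_filter` is a finding.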
[JBoss JIRA] (WFLY-11669) iiop-openjdk ignores cipher-suite-filter with openssl provider
by David Everly (Jira)
[ https://issues.jboss.org/browse/WFLY-11669?page=com.atlassian.jira.plugin... ]
David Everly updated WFLY-11669:
--------------------------------
Security: (was: Security Issue)
> iiop-openjdk ignores cipher-suite-filter with openssl provider
> --------------------------------------------------------------
>
> Key: WFLY-11669
> URL: https://issues.jboss.org/browse/WFLY-11669
> Project: WildFly
> Issue Type: Bug
> Components: IIOP
> Affects Versions: 15.0.0.Final, 15.0.1.Final
> Reporter: David Everly
> Assignee: Tomasz Adamski
> Priority: Major
>
> When using the "openssl" provider, the cipher-suite-filter is respected by undertow, but ignored by iiop-openjdk:
> {noformat}
> <server-ssl-contexts>
> <server-ssl-context name="openssl-serversslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" key-manager="wildfly-keymanager" providers="openssl"/>
> </server-ssl-contexts>
> <client-ssl-contexts>
> <client-ssl-context name="iiop-clientsslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>
> </client-ssl-contexts>
> </tls>
> </subsystem>
> <subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
> <orb socket-binding="iiop" ssl-socket-binding="iiop-ssl"/>
> <initializers security="identity" transactions="spec"/>
> <security support-ssl="true" server-ssl-context="openssl-serversslcontext" client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true" client-requires-ssl="false"/>
> <interop iona="true"/>
> </subsystem>
> {noformat}
> See also:
> * https://developer.jboss.org/message/987804#987804
> * https://github.com/mozilla/cipherscan.git
[JBoss JIRA] (ELY-1440) FlexibleIdentityAssociation should runAs the known SecurityIdentity before associating itself.
by Farah Juma (Jira)
[ https://issues.jboss.org/browse/ELY-1440?page=com.atlassian.jira.plugin.s... ]
Farah Juma updated ELY-1440:
----------------------------
Fix Version/s: 1.8.0.CR3
(was: 1.8.0.CR2)
> FlexibleIdentityAssociation should runAs the known SecurityIdentity before associating itself.
> ----------------------------------------------------------------------------------------------
>
> Key: ELY-1440
> URL: https://issues.jboss.org/browse/ELY-1440
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: API / SPI
> Reporter: Darran Lofthouse
> Priority: Major
> Fix For: 1.8.0.CR3
>
>
> This API was introduced to cover the case where authentication happens late in a request, generally that is quite a rare event.
> Even though the API may be popular, it would likely be used once per session, and for all future requests in that session the identity would be known in advance.
> At the moment, by not running as the existing identity, we are losing all automatic identity outflow opportunities as calls pass from the servlet container to the EJB container.
[JBoss JIRA] (ELY-1617) Support SSL Certificate revocation using OCSP
by Farah Juma (Jira)
[ https://issues.jboss.org/browse/ELY-1617?page=com.atlassian.jira.plugin.s... ]
Farah Juma updated ELY-1617:
----------------------------
Fix Version/s: 1.8.0.CR3
(was: 1.8.0.CR2)
> Support SSL Certificate revocation using OCSP
> ---------------------------------------------
>
> Key: ELY-1617
> URL: https://issues.jboss.org/browse/ELY-1617
> Project: WildFly Elytron
> Issue Type: Task
> Components: SSL
> Affects Versions: 1.4.0.Final
> Reporter: Jan Kalina
> Assignee: Martin Mazanek
> Priority: Critical
> Fix For: 1.8.0.CR3
>
>
> - Provide undertow's client certificate revocation capability when undertow is used as a load balancer using OCSP.
> (CRL capability is provided in the earlier release as part of Elytron SSL Consolidation effort that this JIRA is cloned from)
[JBoss JIRA] (ELY-1525) When SSO is enabled, multipart form and form encoding stop working.
by Farah Juma (Jira)
[ https://issues.jboss.org/browse/ELY-1525?page=com.atlassian.jira.plugin.s... ]
Farah Juma updated ELY-1525:
----------------------------
Fix Version/s: 1.8.0.CR3
(was: 1.8.0.CR2)
> When SSO is enabled, multipart form and form encoding stop working.
> -------------------------------------------------------------------
>
> Key: ELY-1525
> URL: https://issues.jboss.org/browse/ELY-1525
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.6.Final, 1.2.1.Final
> Reporter: Estevão Freitas
> Assignee: Darran Lofthouse
> Priority: Critical
> Fix For: 1.8.0.CR3
>
>
> I developed a JSF application with an "h:inputFile" component, and it requires a form with " enctype="multipart/form-data" ".
> I use this tutorial for SSO: https://docs.jboss.org/author/display/WFLY/Web+Single+Sign-On .
> When I execute the last step: " /subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=example-keystore, key-alias=localhost, domain=localhost, credential-reference=clear-text=secret}) ", all commandButtons stop working.
> If I remove the "h:inputFile" component and " enctype="multipart/form-data" " from the form, all buttons work again, but all words with accents are corrupted.
[JBoss JIRA] (ELY-1519) Make restore of SecurityIdentity on replicated session configurable
by Farah Juma (Jira)
[ https://issues.jboss.org/browse/ELY-1519?page=com.atlassian.jira.plugin.s... ]
Farah Juma updated ELY-1519:
----------------------------
Fix Version/s: 1.8.0.CR3
(was: 1.8.0.CR2)
> Make restore of SecurityIdentity on replicated session configurable
> -------------------------------------------------------------------
>
> Key: ELY-1519
> URL: https://issues.jboss.org/browse/ELY-1519
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Authentication Mechanisms
> Affects Versions: 1.2.0.Final
> Reporter: Martin Choma
> Assignee: Ilia Vassilev
> Priority: Major
> Fix For: 1.8.0.CR3
>
>
> Currently, in a clustered environment, the Security Identity is restored during
> * failover
> * load balancer change node (not sticky behaviour)
> * session passivation/activation
> This is mainly expected and good. It ensures a performance gain because no additional SPNEGO negotiation is performed. But it can cause trouble for Kerberos ticket propagation, as the Kerberos ticket can't be serialized and restored.
> So the idea is to have a flag to turn this default behaviour off. When a user authenticates to app1 on serverA and then wants to access app1 on serverB, SPNEGO authentication will be activated and a Kerberos ticket will be negotiated and will be available on serverB as well.