[
https://issues.redhat.com/browse/WFLY-13916?page=com.atlassian.jira.plugi...
]
Sonia Zaldana updated WFLY-13916:
---------------------------------
Description:
When JBoss EAP 7.2.7 is connecting to a third-party client that is running on JDK 6, the
following exception is logged:
{code:java}
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled{code}
As I understand, SSLv2Hello is used in older JDK versions for the initial handshake
message where the SSL version that will be used for the rest of the handshake is
negotiated.
It is not possible to add SSLv2Hello to the list of protocols in server-ssl-context because
it is not a valid value:
{code:java}
[standalone@localhost:9990 /]
/subsystem=elytron/server-ssl-context=my-ssl-context:list-add(name=protocols,
value=SSLv2Hello, index=0)
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0129: Invalid value SSLv2Hello for
protocols; legal values are [\"SSLv2\", \"SSLv3\",
\"TLSv1\", \"TLSv1.1\", \"TLSv1.2\",
\"TLSv1.3\"]",
"rolled-back" => true
}{code}
According to the Undertow read-resource-description below, when a server-ssl-context is
configured in the Elytron subsystem, protocols must be defined in the server-ssl-context
and not in the https connector in Undertow ("Where an SSLContext is references it
should be configured with the supported protocols."):
{code:java}
/subsystem=undertow/server=default-server/https-listener=https/:read-resource-description(inherited=false,recursive=true,access-control=none)...
"enabled-protocols" => {
"type" => STRING,
"description" => "Configures SSL protocols",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"alternatives" => ["ssl-context"],
"min-length" => 1L,
"max-length" => 2147483647L,
"deprecated" => {
"since" => "4.0.0",
"reason" => "Where an SSLContext is references it
should be configured with the supported protocols."
},
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
...{code}
It is possible to add SSLv2Hello to the https connector in Undertow with legacy security
as per.
was:
SSLv2Hello is used in older JDK versions for the initial handshake message where the SSL
version that will be used for the rest of the handshake is negotiated.
It is not possible to add SSLv2Hello to the list of protocols in server-ssl-context because
it is not a valid value:
{code:java}
[standalone@localhost:9990 /]
/subsystem=elytron/server-ssl-context=my-ssl-context:list-add(name=protocols,
value=SSLv2Hello, index=0)
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0129: Invalid value SSLv2Hello for
protocols; legal values are [\"SSLv2\", \"SSLv3\",
\"TLSv1\", \"TLSv1.1\", \"TLSv1.2\",
\"TLSv1.3\"]",
"rolled-back" => true
}{code}
It is possible to add SSLv2Hello to the https connector in Undertow with legacy security
as per.
Elytron server-ssl-context allowed protocols
--------------------------------------------
Key: WFLY-13916
URL:
https://issues.redhat.com/browse/WFLY-13916
Project: WildFly
Issue Type: Feature Request
Reporter: Sonia Zaldana
Assignee: Sonia Zaldana
Priority: Major
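The exception and the protocol list in the description turn on a distinction worth making explicit: SSLv2Hello is not an SSL version but a ClientHello framing (the SSLv2-compatible hello that old JSSE clients such as JDK 6 send by default), and the SSL/TLS version the client actually offers is carried inside that hello. The Python script below is an added example, not code from this issue or from WildFly/Elytron: it parses both hello framings from constructed sample bytes and models, in simplified form, the server-side decision that produces "SSLv2Hello is disabled", namely that the v2 framing is only accepted when the SSLv2Hello pseudo-protocol is enabled, while the negotiated version is still confined to the enabled SSLv3/TLS versions. The function names, sample bytes and the negotiation model (which ignores the TLS 1.3 supported_versions extension) are the example's own assumptions.

```python
import struct

# Version bytes as carried inside a hello, mapped to the protocol names
# accepted by the Elytron server-ssl-context "protocols" attribute.
VERSION_NAMES = {
    (0, 2): "SSLv2",   # only ever seen in a true SSLv2 CLIENT-HELLO
    (3, 0): "SSLv3",
    (3, 1): "TLSv1",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def classify_client_hello(data: bytes) -> dict:
    """Report how the first client message is framed and which version it offers.

    SSLv2Hello framing: 2-byte header with the high bit set (15-bit length),
    then a v2 CLIENT-HELLO (type 0x01) whose version field may be SSLv3/TLS.
    TLS record framing: 5-byte record header (0x16 = handshake) followed by a
    Handshake message of type 0x01 (ClientHello).
    """
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    first = data[0]
    if first & 0x80:
        length = ((first & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("SSLv2-format record is not a CLIENT-HELLO")
        major, minor = body[1], body[2]
        cipher_len, _session_len, _challenge_len = struct.unpack("!HHH", body[3:9])
        return {
            "framing": "SSLv2Hello",
            "offered_version": VERSION_NAMES.get((major, minor), f"unknown({major},{minor})"),
            "cipher_spec_count": cipher_len // 3,  # v2 cipher specs are 3 bytes each
        }
    if first == 0x16:
        rec_major, rec_minor, rec_len = struct.unpack("!BBH", data[1:5])
        body = data[5:5 + rec_len]
        if len(body) < 6 or body[0] != 0x01:
            raise ValueError("TLS record does not carry a ClientHello")
        major, minor = body[4], body[5]
        return {
            "framing": "TLS record",
            "offered_version": VERSION_NAMES.get((major, minor), f"unknown({major},{minor})"),
            "record_version": VERSION_NAMES.get((rec_major, rec_minor), f"unknown({rec_major},{rec_minor})"),
        }
    raise ValueError(f"unrecognised first byte 0x{first:02x}; not an SSL/TLS hello")


def negotiate(enabled_protocols, hello: bytes):
    """Simplified model of a JSSE server's decision for one hello.

    Returns (chosen_version, framing) on success or (None, reason) on failure.
    The v2 framing needs 'SSLv2Hello' in the enabled list; the chosen version is
    the highest enabled SSL/TLS version at or below the one the client offered.
    """
    info = classify_client_hello(hello)
    if info["framing"] == "SSLv2Hello" and "SSLv2Hello" not in enabled_protocols:
        return None, "SSLv2Hello is disabled"
    offered = info["offered_version"]
    if offered not in VERSION_ORDER:
        return None, f"unknown offered version {offered}"
    candidates = [p for p in enabled_protocols
                  if p in VERSION_ORDER and VERSION_ORDER.index(p) <= VERSION_ORDER.index(offered)]
    if not candidates:
        return None, f"no enabled protocol at or below {offered}"
    return max(candidates, key=VERSION_ORDER.index), info["framing"]


# --- constructed sample hellos (not captured traffic) ---------------------

def build_sslv2_format_hello(major, minor, cipher_specs, challenge=b"\x11" * 16):
    """A v2-framed CLIENT-HELLO offering version major.minor (what JDK 6 sends by default)."""
    body = bytes([0x01, major, minor]) + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_record_hello(major, minor, cipher_suites=b"\x00\x2f"):
    """A record-framed ClientHello offering version major.minor (modern clients)."""
    hello = bytes([major, minor]) + b"\x22" * 32 + b"\x00"          # version, random, empty session id
    hello += struct.pack("!H", len(cipher_suites)) + cipher_suites  # cipher suites
    hello += b"\x01\x00"                                            # compression: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


JDK6_STYLE_HELLO = build_sslv2_format_hello(3, 1, b"\x00\x00\x2f\x00\x00\x0a")
MODERN_HELLO = build_tls_record_hello(3, 3)
TRUE_SSLV2_HELLO = build_sslv2_format_hello(0, 2, b"\x01\x00\x80")

if __name__ == "__main__":
    elytron_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    print(classify_client_hello(JDK6_STYLE_HELLO))
    print(negotiate(elytron_protocols, JDK6_STYLE_HELLO))              # the failure from the issue
    print(negotiate(["SSLv2Hello"] + elytron_protocols, JDK6_STYLE_HELLO))
    print(negotiate(["SSLv2Hello"] + elytron_protocols, TRUE_SSLV2_HELLO))
```

Run against the constructed JDK 6-style hello, the model reproduces the issue's failure with a plain TLS-only protocol list and shows that adding SSLv2Hello lets the same client negotiate TLSv1, while a genuine SSLv2 hello is still rejected because SSLv2 itself is not in the list. That is the check a reviewer wants before accepting a configuration that tolerates the v2 framing: the version actually negotiated is bounded by the enabled SSL/TLS versions, not by the framing, so the handshake logs should be inspected for the negotiated version rather than for the presence of SSLv2Hello alone.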
--
This message was sent by Atlassian Jira
(v7.13.8#713008)