[jboss-jira] [JBoss JIRA] (WFCORE-3002) (Elytron) ModelControllerClient connecting to management native-interface is not able to force SSL/TLS

(Elytron) ModelControllerClient connecting to management native-interface is not able to force SSL/TLS ------------------------------------------------------------------------------------------------------ Key: WFCORE-3002 URL: https://issues.jboss.org/browse/WFCORE-3002 Project: WildFly Core Issue Type: Feature Request Components: Management, Security Reporter: Josef Cacek Priority: Major The ModelControllerClient is not able to force using SSL/TLS connection with management native interface. *Usecase:* As an administrator I want to be sure that a ModelControllerClient connection to management native-interface goes through a secure connection. (I.e. Client connection is only established when the server uses SSL/TLS). Setting a blocker priority, as this can lead to security leaks, when a client assumes the secure management connection is used and the opposite is true and such a connection can be easily eavesdropped. My first try was to use ModelControllerClient configuration to set SSL context: {code:java} new ModelControllerClientConfiguration.Builder().setSslContext(sslFactory.create()) .setProtocol("remote"); {code} Nevertheless such a configuration doesn't force using SSL and if the server doesn't have SSL context configured, then the created connection is a plain remoting one. Next try was to configure the SSL context in Elytron's {{AuthenticationContext}}: {code:java} AuthenticationContext.withSsl(MatchRule.ALL, sslContext) {code} The result was the same (i.e. plain connection was used). [~dlofthouse] commented on this on Hipchat: {quote} In terms of Elytron configuration generally the config provided is there so it can be used if it is needed rather than it forming some form of mandatory policy.  So in this case I would expect you would drive that more with the protocol you specify e.g. remote+tls or remote+https {quote} Based on the comment I've used "remote+tls" protocol on the client: {code:java} ModelControllerClientConfiguration.Builder().setProtocol("remote+tls") {code} but in this case the connection fails even if the server has the sslContext configured: {code:xml} <management-interfaces> <native-interface sasl-authentication-factory="test-sasl-authn-factory" ssl-context="elytron-ssl-context"> <socket-binding native="testbinding"/> </native-interface> ... </management-interfaces> {code} The failure: {noformat} java.io.IOException: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+tls://127.0.0.1:10567. The connection failed at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:149) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:75) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at ... [cropped] Caused by: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+tls://127.0.0.1:10567. The connection failed at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:126) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.protocol.ProtocolConnectionManager$EstablishingConnection.connect(ProtocolConnectionManager.java:259) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.protocol.mgmt.ManagementClientChannelStrategy$Establishing.getChannel(ManagementClientChannelStrategy.java:162) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.controller.client.impl.RemotingModelControllerClient.getOrCreateChannel(RemotingModelControllerClient.java:146) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.controller.client.impl.RemotingModelControllerClient$1.getChannel(RemotingModelControllerClient.java:60) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:135) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:110) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeRequest(AbstractModelControllerClient.java:263) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:168) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:147) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] ... 144 more Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:156) [jsse.jar:1.8.0_131] at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868) [jsse.jar:1.8.0_131] at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) [jsse.jar:1.8.0_131] at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) [rt.jar:1.8.0_131] at org.wildfly.security.ssl.AbstractDelegatingSSLEngine.unwrap(AbstractDelegatingSSLEngine.java:56) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.xnio.ssl.JsseSslConduitEngine.engineUnwrap(JsseSslConduitEngine.java:688) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.xnio.ssl.JsseSslConduitEngine.unwrap(JsseSslConduitEngine.java:620) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.xnio.ssl.JsseSslStreamSourceConduit.read(JsseSslStreamSourceConduit.java:126) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:123) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.remoting3.remote.MessageReader.getMessage(MessageReader.java:131) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.remoting3.remote.ClientConnectionOpenListener$Greeting.handleEvent(ClientConnectionOpenListener.java:172) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.remoting3.remote.ClientConnectionOpenListener$Greeting.handleEvent(ClientConnectionOpenListener.java:167) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.xnio.nio.NioHandle$1.run(NioHandle.java:50) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.xnio.nio.WorkerThread.run(WorkerThread.java:472) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at ...asynchronous invocation...(Unknown Source) at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:545) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:509) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:497) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:194) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:118) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26] {noformat} Am I missing some piece of configuration here?