Darran Lofthouse commented on WFCORE-3002:
------------------------------------------
[~fjuma] May be worth us thinking about this with other SSL/TLS changes? Should a client
be able to force the use of SSL/TLS?
(Elytron) ModelControllerClient connecting to management native-interface is not able to force SSL/TLS
------------------------------------------------------------------------------------------------------
Key: WFCORE-3002
URL: https://issues.jboss.org/browse/WFCORE-3002
Project: WildFly Core
Issue Type: Feature Request
Components: Management, Security
Reporter: Josef Cacek
Priority: Major
The ModelControllerClient is not able to force the use of an SSL/TLS connection with the management
native interface.
*Use case:* As an administrator I want to be sure that a ModelControllerClient connection
to the management native-interface goes through a secure connection (i.e. the client connection
is only established when the server uses SSL/TLS).
Setting a blocker priority, as this can lead to security leaks: a client may assume that the
secure management connection is used when the opposite is true, and such a connection can
easily be eavesdropped.
My first try was to use ModelControllerClient configuration to set SSL context:
{code:java}
// SSL context handed to the client configuration, plain "remote" protocol
new ModelControllerClientConfiguration.Builder()
        .setSslContext(sslFactory.create())
        .setProtocol("remote");
{code}
Nevertheless, such a configuration doesn't force the use of SSL; if the server
doesn't have an SSL context configured, then the created connection is a plain Remoting
one.
Next try was to configure the SSL context in Elytron's {{AuthenticationContext}}:
{code:java}
AuthenticationContext.withSsl(MatchRule.ALL, sslContext)
{code}
The result was the same (i.e. plain connection was used). [~dlofthouse] commented on this
on Hipchat:
{quote}
In terms of Elytron configuration generally the config provided is there so it can be
used if it is needed rather than it forming some form of mandatory policy. So in this
case I would expect you would drive that more with the protocol you specify e.g.
remote+tls or remote+https
{quote}
Based on the comment I've used "remote+tls" protocol on the client:
{code:java}
// "remote+tls" is meant to require TLS on the client side
new ModelControllerClientConfiguration.Builder().setProtocol("remote+tls")
{code}
but in this case the connection fails even if the server has the sslContext configured:
{code:xml}
<management-interfaces>
<native-interface sasl-authentication-factory="test-sasl-authn-factory"
ssl-context="elytron-ssl-context">
<socket-binding native="testbinding"/>
</native-interface>
...
</management-interfaces>
{code}
The failure:
{noformat}
java.io.IOException: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+tls://127.0.0.1:10567. The connection failed
	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:149) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:75) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at ... [cropped]
Caused by: java.net.ConnectException: WFLYPRT0053: Could not connect to remote+tls://127.0.0.1:10567. The connection failed
	at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:126) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.protocol.ProtocolConnectionManager$EstablishingConnection.connect(ProtocolConnectionManager.java:259) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.protocol.mgmt.ManagementClientChannelStrategy$Establishing.getChannel(ManagementClientChannelStrategy.java:162) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.controller.client.impl.RemotingModelControllerClient.getOrCreateChannel(RemotingModelControllerClient.java:146) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.controller.client.impl.RemotingModelControllerClient$1.getChannel(RemotingModelControllerClient.java:60) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:135) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:110) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeRequest(AbstractModelControllerClient.java:263) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:168) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:147) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	... 144 more
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
	at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:156) [jsse.jar:1.8.0_131]
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868) [jsse.jar:1.8.0_131]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) [jsse.jar:1.8.0_131]
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) [rt.jar:1.8.0_131]
	at org.wildfly.security.ssl.AbstractDelegatingSSLEngine.unwrap(AbstractDelegatingSSLEngine.java:56) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.xnio.ssl.JsseSslConduitEngine.engineUnwrap(JsseSslConduitEngine.java:688) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.xnio.ssl.JsseSslConduitEngine.unwrap(JsseSslConduitEngine.java:620) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.xnio.ssl.JsseSslStreamSourceConduit.read(JsseSslStreamSourceConduit.java:126) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:123) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.remoting3.remote.MessageReader.getMessage(MessageReader.java:131) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Greeting.handleEvent(ClientConnectionOpenListener.java:172) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Greeting.handleEvent(ClientConnectionOpenListener.java:167) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.xnio.nio.NioHandle$1.run(NioHandle.java:50) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:472) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at ...asynchronous invocation...(Unknown Source)
	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:545) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:509) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:497) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:194) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
	at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:118) [wildfly-cli-3.0.0.Beta26-client.jar:3.0.0.Beta26]
{noformat}
Am I missing some piece of configuration here?
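As an added example (not part of the issue and not WildFly or Elytron code): the check an administrator can run against a native-interface port before trusting it, independent of whatever the client library ends up negotiating. The trace above ends in JSSE's "Unrecognized SSL message, plaintext connection?", which is the client's TLS engine reading a record header that is not TLS. The probe below does the same test by hand: it sends a minimal TLS 1.2 ClientHello and classifies the first bytes the server returns by their record header. The cipher-suite list, the loopback mock servers and their replies are constructed for the example; the plaintext greeting is not the real Remoting wire format. A "tls" verdict only says the port speaks TLS, not that the certificate chain is acceptable; that remains the job of the SSL context the client is configured with.

```python
import os
import socket
import struct
import sys
import threading

# TLS 1.2 cipher suites offered by the probe (an assumed, commonly accepted set;
# only the framing of the reply matters to the check, not which suite is picked).
CIPHER_SUITES = [0xC02F, 0xC030, 0x009C, 0x009D, 0x002F, 0x0035]


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (RFC 5246 framing)."""
    body = b"\x03\x03"                  # client_version: TLS 1.2
    body += os.urandom(32)              # client random
    body += b"\x00"                     # session_id: empty
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                 # compression_methods: null only
    extensions = b""
    if server_name:                     # optional SNI for name-based virtual hosts
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni)) + sni
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record: handshake, legacy version


def classify_response(first_bytes):
    """Classify what the server sent back after our ClientHello by its record header."""
    if len(first_bytes) < 3:
        return "no-response"
    content_type, major = first_bytes[0], first_bytes[1]
    if major == 0x03 and content_type == 0x16:
        return "tls"            # handshake record (ServerHello): the port speaks TLS
    if major == 0x03 and content_type == 0x15:
        return "tls-alert"      # TLS, but the handshake was refused (version/cipher mismatch)
    return "plaintext"          # anything else, e.g. a Remoting greeting sent in the clear


def probe(host, port, timeout=3.0, server_name=None):
    """Connect, send a ClientHello and classify the first bytes that come back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(server_name))
        try:
            data = sock.recv(5)
        except socket.timeout:
            return "no-response"
    return classify_response(data)


# --- constructed test doubles (not captured from a real WildFly server) ---
MOCK_SERVER_HELLO = b"\x16\x03\x03\x00\x04\x02\x00\x00\x00"   # TLS handshake record prefix
MOCK_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"                   # fatal handshake_failure alert
MOCK_PLAIN_GREETING = b"\x00\x00\x00\x10plaintext-greeting"    # a server greeting in the clear


def start_mock_server(reply, speaks_first=False):
    """Loopback TCP server that answers one connection with `reply`, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                if speaks_first:
                    conn.sendall(reply)         # plaintext protocols often greet before reading
                conn.recv(4096)                 # consume the ClientHello so the close is a clean FIN
                if not speaks_first:
                    conn.sendall(reply)         # a TLS server answers only after the ClientHello
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    target_host, target_port = sys.argv[1], int(sys.argv[2])   # e.g. 127.0.0.1 9999
    verdict = probe(target_host, target_port, server_name=target_host)
    print(f"{target_host}:{target_port} -> {verdict}")
    sys.exit(0 if verdict == "tls" else 1)    # only "tls" is safe to pair with remote+tls
```

Run it as `python probe_tls.py <host> <native-port>`; it exits non-zero unless the port answered with a TLS handshake record, which makes it usable as a pre-flight gate in a deployment script. The classification is deliberately done on the raw record header rather than by parsing an exception message, so it behaves the same whether the port is a TLS-configured native interface, a plain Remoting listener that greets first, or something that silently drops the connection.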