[JBoss JIRA] (WFCORE-5145) Elytron server-ssl-context allowed protocols

Tuesday, 29 September 2020

     [
https://issues.redhat.com/browse/WFCORE-5145?page=com.atlassian.jira.plug...
]

Sonia Zaldana updated WFCORE-5145:
----------------------------------
    Description: 
When JBoss EAP 7.2.7 is connecting to a third party client that is running on JDK 6 the
following exception is logged:
{code:java}

javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled{code}
As I understand, SSLv2Hello is used in older JDK versions for the initial handshake
message where the SSL version that will be used for the rest of the handshake is
negotiated.

It is not possible to add SSLv2Hello to the list of protocols in server-ssl-context due to
not being a valid value:
{code:java}
 [standalone@localhost:9990 /]
/subsystem=elytron/server-ssl-context=my-ssl-context:list-add(name=protocols,
value=SSLv2Hello, index=0)
{
 "outcome" => "failed",
 "failure-description" => "WFLYCTL0129: Invalid value SSLv2Hello for
protocols; legal values are [\"SSLv2\", \"SSLv3\",
\"TLSv1\", \"TLSv1.1\", \"TLSv1.2\",
\"TLSv1.3\"]",
 "rolled-back" => true
}{code}
According to the undertow read-resource-description below, when server-ssl-context is 
configured in the Elytron subsystem, protocols must be defined in the server-ssl-context
and not in the https connector in Undertow ("Where an SSLContext is references it
should be configured with the supported protocols."):
{code:java}

/subsystem=undertow/server=default-server/https-listener=https/:read-resource-description(inherited=false,recursive=true,access-control=none)...
"enabled-protocols" => {
                "type" => STRING,
                "description" => "Configures SSL protocols",
                "expressions-allowed" => true,
                "required" => false,
                "nillable" => true,
                "alternatives" => ["ssl-context"],
                "min-length" => 1L,
                "max-length" => 2147483647L,
                "deprecated" => {
                    "since" => "4.0.0",
                    "reason" => "Where an SSLContext is references it
should be configured with the supported protocols."
                },
                "access-type" => "read-write",
                "storage" => "configuration",
                "restart-required" => "all-services"
            },
...{code}
It is possible to add SSLv2Hello to the https connector in Undertow with legacy security
as per.

  was:
 SSLv2Hello is used in older JDK versions for the initial handshake message where the SSL
version that will be used for the rest of the handshake is negotiated.

It is not possible to add SSLv2Hello to the list of protocols in server-ssl-context due to
not being a valid value:
{code:java}
 [standalone@localhost:9990 /]
/subsystem=elytron/server-ssl-context=my-ssl-context:list-add(name=protocols,
value=SSLv2Hello, index=0)
{
 "outcome" => "failed",
 "failure-description" => "WFLYCTL0129: Invalid value SSLv2Hello for
protocols; legal values are [\"SSLv2\", \"SSLv3\",
\"TLSv1\", \"TLSv1.1\", \"TLSv1.2\",
\"TLSv1.3\"]",
 "rolled-back" => true
}{code}

It is possible to add SSLv2Hello to the https connector in Undertow with legacy security
as per.

...
 Elytron server-ssl-context allowed protocols
 --------------------------------------------

                 Key: WFCORE-5145
                 URL: https://issues.redhat.com/browse/WFCORE-5145
             Project: WildFly Core
          Issue Type: Feature Request
            Reporter: Sonia Zaldana
            Assignee: Sonia Zaldana
            Priority: Major

 When JBoss EAP 7.2.7 is connecting to a third party client that is running on JDK 6 the
following exception is logged:
 {code:java}

 javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled{code}
 As I understand, SSLv2Hello is used in older JDK versions for the initial handshake
message where the SSL version that will be used for the rest of the handshake is
negotiated.
 It is not possible to add SSLv2Hello to the list of protocols in server-ssl-context due
to not being a valid value:
 {code:java}
  [standalone@localhost:9990 /]
/subsystem=elytron/server-ssl-context=my-ssl-context:list-add(name=protocols,
value=SSLv2Hello, index=0)
 {
  "outcome" => "failed",
  "failure-description" => "WFLYCTL0129: Invalid value SSLv2Hello for
protocols; legal values are [\"SSLv2\", \"SSLv3\",
\"TLSv1\", \"TLSv1.1\", \"TLSv1.2\",
\"TLSv1.3\"]",
  "rolled-back" => true
 }{code}
 According to the undertow read-resource-description below, when server-ssl-context is 
configured in the Elytron subsystem, protocols must be defined in the server-ssl-context
and not in the https connector in Undertow ("Where an SSLContext is references it
should be configured with the supported protocols."):
 {code:java}

/subsystem=undertow/server=default-server/https-listener=https/:read-resource-description(inherited=false,recursive=true,access-control=none)...
 "enabled-protocols" => {
                 "type" => STRING,
                 "description" => "Configures SSL protocols",
                 "expressions-allowed" => true,
                 "required" => false,
                 "nillable" => true,
                 "alternatives" => ["ssl-context"],
                 "min-length" => 1L,
                 "max-length" => 2147483647L,
                 "deprecated" => {
                     "since" => "4.0.0",
                     "reason" => "Where an SSLContext is references it
should be configured with the supported protocols."
                 },
                 "access-type" => "read-write",
                 "storage" => "configuration",
                 "restart-required" => "all-services"
             },
 ...{code}
 It is possible to add SSLv2Hello to the https connector in Undertow with legacy security
as per. 

--
This message was sent by Atlassian Jira
(v7.13.8#713008)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006