]
Martin Choma commented on ELY-627:
----------------------------------
Just to clarify. How will new values get into this list in future? I mean TLSv1.3 or DTLS.
Throught RFE? Is it enough one from OpenSSL / JSSE implementation will support it? Or both
have to be supported?
Elytron introduces SSL/TLS protocol constraints
-----------------------------------------------
Key: ELY-627
URL:
https://issues.jboss.org/browse/ELY-627
Project: WildFly Elytron
Issue Type: Bug
Components: SSL
Affects Versions: 1.1.0.Beta8
Reporter: Martin Choma
Assignee: Jan Kalina
Priority: Blocker
Fix For: 1.1.0.Beta12
{noformat}
"protocols" => {
"type" => LIST,
"description" => "The enabled
protocols.",
"expressions-allowed" => true,
"nillable" => false,
"allowed" => [
"SSLv2",
"SSLv3",
"TLSv1",
"TLSv1_1",
"TLSv1_2",
"TLSv1_3"
],
"value-type" => STRING,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" =>
"resource-services"
},
{noformat}
Why elytron on this place is going to validate user input and map standard java values
[1] into proprietary values?
Whereas on other similar places (KeyManager algorithm, TrustManager algorithm, Keystore
types) it leaves up to user to set proper value.
IMO, with such mapping another place, where bugs can raise was introduced. EAP will be
here always one step back compared to java.
Note, IBM java already today defines little bit different protocols set [2]
I wonder, where is that mapping "TLSv1_2 -> TLSv1.2" acually performed? I
couldn't find that place.
[1]
https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardN...
[2]
http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.secu...