[ https://issues.jboss.org/browse/ELY-1618?page=com.atlassian.jira.plugin.s... ]
Martin Choma updated ELY-1618:
------------------------------
Steps to Reproduce:
* drop two bc fips jars into java.home/jre/lib/ext
** bc-fips-1.0.1.jar
** bctls-fips-1.0.5.jar
* install bc fips in java.security
{code}
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
{code}
* remove openssl provider from standalone.xml
** /subsystem=elytron:write-attribute(name=final-providers,value=elytron)
* create BCFKS keystore
{code}
keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password \
  -keystore /home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks \
  -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
  -providerpath /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.1/bc-fips-1.0.1.jar \
  -storetype BCFKS -storepass password \
  -dname "CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ" -validity 730 -v
{code}
* configure undertow with tls
{code}
/subsystem=elytron/key-store=key-store-name_server-ssl-context:add(name=key-store-name_server-ssl-context, type=BCFKS, credential-reference={clear-text => password}, path=/home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks)
/subsystem=elytron/key-manager=key-manager-name_server-ssl-context:add(key-store=key-store-name_server-ssl-context, credential-reference={clear-text => password}, algorithm=X509)
/subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=key-manager-name_server-ssl-context, cipher-suite-filter=TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, protocols=[TLSv1.2], need-client-auth=false)
/subsystem=undertow/server=default-server/https-listener=https-listener:write-attribute(name=ssl-context, value=server-ssl-context)
{code}
TLS with BCJSSE Provider does not work
--------------------------------------
Key: ELY-1618
URL: https://issues.jboss.org/browse/ELY-1618
Project: WildFly Elytron
Issue Type: Bug
Components: SSL
Affects Versions: 1.4.0.Final
Reporter: Martin Choma
Assignee: Farah Juma
Priority: Blocker
Attachments: standalone.v29.xml
When I configure BouncyCastleJsseProvider to be the only provider that provides TLS, TLS does not work and fails with this exception:
{code}
14:07:53,905 TRACE [org.wildfly.security] (MSC service thread 1-4) No SSLContext provided by providers in SSLUtils: [BCFIPS version 1.01, BCJSSE version 1.0005, SUN version 1.8, ApacheXMLDSig version 2.11, SunJCE version 1.8, TLSP version 1.0, WildFlyElytron version 1.0]
14:07:53,906 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.ssl-context.test-server-ssl-context: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.test-server-ssl-context: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
    at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:926)
    at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
    at org.wildfly.security.ssl.SSLUtils.throwIt(SSLUtils.java:142)
    at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:340)
    at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
    at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:924)
    ... 9 more
14:07:53,910 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("server-ssl-context" => "test-server-ssl-context")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.test-server-ssl-context" => "java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
    Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria"}}
{code}
After debugging, the problem appears to be this:
The supported protocols resolved from BCJSSE version 1.0005 are [TLS, TLSV1, TLSV1.2, DEFAULT, TLSV1.1], whereas the Elytron class org.wildfly.security.ssl.Protocol uses the constants TLSv1, TLSv1.1, TLSv1.2, ... with a lower-case "v". Because the names are compared case-sensitively, ProtocolSelector.evaluate returns an empty set.
A possible solution to this particular problem would be to make Protocol case insensitive: define the enum constants in upper case and adjust the methods to use .toUpperCase(). But I am probably not aware of all consequences of such a change.
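As an added example (not Elytron's own code), the stand-alone Java program below reproduces the mismatch using a constructed copy of the BCJSSE protocol list quoted above, and contrasts a case-sensitive selection with a case-insensitive one that still hands back the provider's own spelling of the name. The class and method names (ProtocolNameMatching, selectExact, selectIgnoreCase) and the SunJSSE list are assumptions made for the example. The main method also queries the running JVM's default SSLContext, which is the quickest way for an operator to see which spelling the installed provider actually reports.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Added example, not Elytron's own code: a case-sensitive match between the
 * protocol names Elytron expects ("TLSv1.2") and the names a provider reports
 * ("TLSV1.2" for BCJSSE 1.0005) yields an empty selection, which is what later
 * surfaces as ELY04001. A case-insensitive selection avoids that while still
 * returning the provider's own spelling, so the value passed back to the
 * provider is one it recognises.
 */
public class ProtocolNameMatching {

    /** Constructed sample: the list the issue reports for BCJSSE version 1.0005. */
    static final List<String> BCJSSE_SUPPORTED =
            Arrays.asList("TLS", "TLSV1", "TLSV1.2", "DEFAULT", "TLSV1.1");

    /** Constructed sample (assumption): what SunJSSE on Java 8 typically reports. */
    static final List<String> SUNJSSE_SUPPORTED =
            Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");

    /** Case-sensitive selection: the behaviour the issue describes. */
    static List<String> selectExact(List<String> supported, List<String> wanted) {
        List<String> out = new ArrayList<>();
        for (String name : supported) {
            if (wanted.contains(name)) {
                out.add(name);
            }
        }
        return out;
    }

    /**
     * Case-insensitive selection. The comparison ignores case, but the element
     * added to the result is the provider's spelling, not the configured one.
     */
    static List<String> selectIgnoreCase(List<String> supported, List<String> wanted) {
        List<String> out = new ArrayList<>();
        for (String name : supported) {
            for (String w : wanted) {
                if (name.equalsIgnoreCase(w)) {
                    out.add(name);
                    break;
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // The value configured in the issue: protocols=[TLSv1.2]
        List<String> configured = Arrays.asList("TLSv1.2");

        System.out.println("exact match, BCJSSE list:       " + selectExact(BCJSSE_SUPPORTED, configured));
        System.out.println("ignore-case match, BCJSSE list: " + selectIgnoreCase(BCJSSE_SUPPORTED, configured));
        System.out.println("exact match, SunJSSE list:      " + selectExact(SUNJSSE_SUPPORTED, configured));

        // Live check against whatever provider is installed in this JVM:
        // print the provider backing the default SSLContext and the protocol
        // names it reports, so the spelling can be compared with the config.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("default SSLContext provider: " + ctx.getProvider().getName());
        System.out.println("supported protocols:         "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
    }
}
```

Run with the BC FIPS jars installed as in the steps above to see the upper-case names reported by the live check. With the constructed lists, selectExact over the BCJSSE list returns an empty list, selectIgnoreCase returns [TLSV1.2], and selectExact over the SunJSSE list returns [TLSv1.2]. An empty result from the selector is the condition worth failing on loudly at configuration time, rather than letting it surface later as a NoSuchAlgorithmException during service start.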
--
This message was sent by Atlassian JIRA (v7.5.0#75005)