CVE-2019-14887 The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use ----------------------------------------------------------------------------------------------------------------------- Key: WFLY-12834 URL: https://issues.redhat.com/browse/WFLY-12834 Project: WildFly Issue Type: Bug Components: Security Reporter: Kunjan Rathod Assignee: Farah Juma Priority: Major Fix For: 19.1.0.Final, 20.0.0.Beta1 Security Issue Do not make this issue public. The 'enabled-protocols' attribute in legacy security seems not to be working if 'openssl.TLS' provider is in use. If regular JSSE provider with 'TLS' value is in use, it is working just fine, although not in case 'openssl.TLS'. See more info in reproduction steps. NOTE as described in WFCORE-4737 comment, this is a possible security issue as an attacker can simply persuade server to communicate with him via lower TLS version than which is specified in server configuration! This is currently also a reason why this is marked as blocker now.