James Perkins updated WFLY-12834:
---------------------------------
Fix Version/s: 19.1.0.Final
CVE-2019-14887 The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
-----------------------------------------------------------------------------------------------------------------------
Key: WFLY-12834
URL: https://issues.redhat.com/browse/WFLY-12834
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Kunjan Rathod
Assignee: Farah Juma
Priority: Major
Fix For: 19.1.0.Final, 20.0.0.Beta1
Security Issue
Do not make this issue public.
The 'enabled-protocols' attribute in legacy security seems not to be working if the
'openssl.TLS' provider is in use. If the regular JSSE provider with the 'TLS' value is
in use, it works just fine, but not in the case of 'openssl.TLS'. See more info in the
reproduction steps.
NOTE: as described in the WFCORE-4737 comment, this is a possible security issue, as an
attacker can simply persuade the server to communicate with him via a lower TLS version
than the one specified in the server configuration! This is currently also the reason
why this is marked as a blocker now.
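The check a practitioner would want after reading this issue is an external one: confirm from the client side which TLS versions the listener actually negotiates, independent of what 'enabled-protocols' claims. The script below is an added example and is not part of the issue, the reproduction steps, or the WildFly project; it probes a host with `openssl s_client` once per protocol version and compares the outcome against an allow-list you supply. The host, port, and allow-list are assumptions, and the sample `s_client` excerpts embedded for the self-check are constructed, not captured from a real server. One caveat the script handles explicitly: a modern OpenSSL client may itself refuse to offer TLS 1.0 or 1.1 ("no protocols available"), which looks like a server refusal unless you distinguish it, so such probes are reported as unverified rather than as a pass.

```shell
#!/bin/sh
# Added example (not from WFLY-12834): probe a TLS listener per protocol
# version and flag any version the server accepts that is not in the
# configured allow-list. Host, port and allow-list are assumptions.

# classify_s_client: turn captured `openssl s_client` output into one of
# accepted / refused / client-unsupported. Order matters: a handshake that
# failed still prints an SSL-Session block with a Protocol line, so only
# the "Cipher is" summary is trustworthy.
classify_s_client() {
    if printf '%s\n' "$1" | grep -Eq 'no protocols available|unknown option'; then
        echo client-unsupported   # our own openssl would not offer this version
    elif printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo refused              # handshake failed, no cipher negotiated
    elif printf '%s\n' "$1" | grep -q 'Cipher is '; then
        echo accepted             # handshake completed with a real cipher
    else
        echo refused              # connection error or unparseable output
    fi
}

# probe HOST PORT VERSION: VERSION uses s_client flag names
# (tls1, tls1_1, tls1_2, tls1_3). Empty stdin makes s_client exit after
# the handshake instead of waiting for application data.
probe() {
    out=$(printf '' | openssl s_client -connect "$1:$2" "-$3" 2>&1)
    classify_s_client "$out"
}

# judge ALLOWED VERSION RESULT: interpret one probe result against the
# space-separated allow-list (e.g. "tls1_2 tls1_3").
judge() {
    allowed=$1; version=$2; result=$3
    case " $allowed " in
        *" $version "*) listed=yes ;;
        *) listed=no ;;
    esac
    if [ "$result" = client-unsupported ]; then
        echo unverified           # cannot conclude anything from this client
    elif [ "$result" = accepted ] && [ "$listed" = no ]; then
        echo DOWNGRADE            # server negotiated a version it should refuse
    elif [ "$result" = refused ] && [ "$listed" = yes ]; then
        echo missing              # listed version not served; not a downgrade
    else
        echo ok
    fi
}

# audit HOST PORT ALLOWED: probe every version, print a verdict per line,
# exit non-zero if any DOWNGRADE was observed.
audit() {
    host=$1; port=$2; allowed=$3; rc=0
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        verdict=$(judge "$allowed" "$v" "$(probe "$host" "$port" "$v")")
        printf '%-7s %s\n' "$v" "$verdict"
        [ "$verdict" = DOWNGRADE ] && rc=1
    done
    return $rc
}

# Constructed s_client excerpts (not captured from a real server) that
# exercise the three classifier branches.
SAMPLE_ACCEPTED='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_CLIENT='error:0A0000BF:SSL routines::no protocols available'

# Usage: sh tlsaudit.sh HOST PORT "tls1_2 tls1_3"   (host/port are assumptions)
if [ "$#" -ge 3 ]; then
    audit "$1" "$2" "$3"
fi
```

Run it against the listener both with the JSSE 'TLS' provider and with 'openssl.TLS' configured: a correct deployment reports ok or missing for every version outside the allow-list, while the behaviour this issue describes would show up as a DOWNGRADE line for a version below the configured minimum. Treat unverified lines as a gap in the test, not a pass; rerun them from a client whose OpenSSL still offers the older versions.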