Farah Juma updated WFCORE-4737:
-------------------------------
Security: (was: Security Issue)
CVE-2019-14887 The 'enabled-protocols' value in legacy
security is not respected if OpenSSL security provider is in use
-----------------------------------------------------------------------------------------------------------------------
Key: WFCORE-4737
URL: https://issues.redhat.com/browse/WFCORE-4737
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 10.0.0.Final
Environment: {code}
$ java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)
$ openssl version
OpenSSL 1.1.1d FIPS 10 Sep 2019
$ uname -r
5.3.6-200.fc30.x86_64
{code}
Note, I can see the same behaviour with JDK-11 as well:
{code}
$ java -version
java version "11.0.1" 2018-10-16 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)
{code}
Reporter: Jan Stourac
Assignee: Farah Juma
Priority: Major
Fix For: 12.0.0.Beta1
The 'enabled-protocols' attribute in legacy security seems not to be working if
the 'openssl.TLS' provider is in use. If the regular JSSE provider with the 'TLS'
value is in use, it works just fine, but not in the case of 'openssl.TLS'. See
more info in the reproduction steps.