[jboss-jira] [JBoss JIRA] (ELY-627) Elytron introduces SSL/TLS protocol constraints

Martin Choma (JIRA) issues at jboss.org
Wed Nov 16 04:13:00 EST 2016


    [ https://issues.jboss.org/browse/ELY-627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13323436#comment-13323436 ] 

Martin Choma commented on ELY-627:
----------------------------------

Just to clarify. How will new values get into this list in the future? I mean TLSv1.3 or DTLS. Through an RFE? Is it enough that one of the OpenSSL / JSSE implementations supports it? Or do both have to support it?

> Elytron introduces SSL/TLS protocol constraints
> -----------------------------------------------
>
>                 Key: ELY-627
>                 URL: https://issues.jboss.org/browse/ELY-627
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 1.1.0.Beta8
>            Reporter: Martin Choma
>            Assignee: Jan Kalina
>            Priority: Blocker
>             Fix For: 1.1.0.Beta12
>
>
> {noformat}
>                        "protocols" => {
>                             "type" => LIST,
>                             "description" => "The enabled protocols.",
>                             "expressions-allowed" => true,
>                             "nillable" => false,
>                             "allowed" => [
>                                 "SSLv2",
>                                 "SSLv3",
>                                 "TLSv1",
>                                 "TLSv1_1",
>                                 "TLSv1_2",
>                                 "TLSv1_3"
>                             ],
>                             "value-type" => STRING,
>                             "access-type" => "read-write",
>                             "storage" => "configuration",
>                             "restart-required" => "resource-services"
>                         },
> {noformat}
> Why is Elytron, in this place, going to validate user input and map standard Java values [1] into proprietary values?
> Whereas in other similar places (KeyManager algorithm, TrustManager algorithm, KeyStore types) it leaves it up to the user to set a proper value.
> IMO, with such a mapping another place where bugs can arise was introduced. EAP will here always be one step behind Java.
> Note that IBM Java already today defines a slightly different protocol set [2].
> I wonder where that mapping "TLSv1_2 -> TLSv1.2" is actually performed? I couldn't find that place.
> [1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
> [2] http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/protocols.html



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
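As an added illustration of the mapping-and-validation question raised in the quoted issue (example code written for this page, not Elytron's own implementation): it assumes the model names map to JSSE standard names by replacing `_` with `.`, an assumption inferred from the "TLSv1_2 -> TLSv1.2" remark, and then checks each value from the quoted "allowed" list against what the running JVM's JSSE provider actually reports as supported, so a model value that the platform cannot honour is caught at configuration time rather than at the first handshake.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Added example: maps model protocol names to JSSE names and checks them against the JVM's JSSE provider. */
public class ProtocolNameCheck {

    // Assumed mapping rule (not Elytron's code): underscores in the model name become dots, e.g. TLSv1_2 -> TLSv1.2.
    static String toJsseName(String modelName) {
        return modelName.replace('_', '.');
    }

    // Protocol names the default SSLContext of this JVM reports as supported (JSSE standard names).
    static Set<String> supportedByJsse() throws NoSuchAlgorithmException {
        String[] protocols = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        return new LinkedHashSet<>(Arrays.asList(protocols));
    }

    // Returns the model names whose mapped JSSE name is not supported by this JVM; enabling them would fail at runtime.
    static List<String> unsupported(List<String> modelNames, Set<String> supported) {
        List<String> missing = new ArrayList<>();
        for (String name : modelNames) {
            if (!supported.contains(toJsseName(name))) {
                missing.add(name);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // The "allowed" values from the quoted model description.
        List<String> allowed = Arrays.asList("SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3");
        Set<String> supported = supportedByJsse();
        System.out.println("JSSE supports: " + supported);
        System.out.println("Allowed by the model but not by this JVM: " + unsupported(allowed, supported));
    }
}
```

Running this on different JVMs (Oracle/OpenJDK versus IBM, or an older 8 versus a newer release) is the quickest way to see the drift the reporter describes: the model's fixed list and the provider's real set diverge in both directions, with entries like SSLv2 present in the model but absent from the provider, and newer protocols present in the provider but absent from the model.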

