[jboss-jira] [JBoss JIRA] (WFLY-7076) Elytron introduces SSL/TLS protocol constraints

Martin Choma (JIRA) issues at jboss.org
Thu Sep 8 12:10:01 EDT 2016


     [ https://issues.jboss.org/browse/WFLY-7076?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Choma moved JBEAP-5932 to WFLY-7076:
-------------------------------------------

              Project: WildFly  (was: JBoss Enterprise Application Platform)
                  Key: WFLY-7076  (was: JBEAP-5932)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Security
                           (was: Security)
    Affects Version/s: 11.0.0.Alpha1
                           (was: 7.1.0.DR4)


> Elytron introduces SSL/TLS protocol constraints
> -----------------------------------------------
>
>                 Key: WFLY-7076
>                 URL: https://issues.jboss.org/browse/WFLY-7076
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 11.0.0.Alpha1
>            Reporter: Martin Choma
>            Assignee: Darran Lofthouse
>
> {noformat}
>                        "protocols" => {
>                             "type" => LIST,
>                             "description" => "The enabled protocols.",
>                             "expressions-allowed" => true,
>                             "nillable" => false,
>                             "allowed" => [
>                                 "SSLv2",
>                                 "SSLv3",
>                                 "TLSv1",
>                                 "TLSv1_1",
>                                 "TLSv1_2",
>                                 "TLSv1_3"
>                             ],
>                             "value-type" => STRING,
>                             "access-type" => "read-write",
>                             "storage" => "configuration",
>                             "restart-required" => "resource-services"
>                         },
> {noformat}
> Why is Elytron going to validate user input in this place and map standard Java values [1] into proprietary values?
> Whereas in other similar places (KeyManager algorithm, TrustManager algorithm, Keystore types) it leaves it up to the user to set a proper value.
> IMO, such a mapping introduces another place where bugs can arise. EAP will always be one step behind Java here.
> Note, IBM Java already defines a slightly different protocol set today [2].
> I wonder, where is that mapping "TLSv1_2 -> TLSv1.2" actually performed? I couldn't find that place.
> [1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
> [2] http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/protocols.html



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
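
The alternative the issue contrasts with a fixed "allowed" list, as an added example that is not part of the original message and is not Elytron code: the configured protocol names are checked against what the running JVM reports under the standard JSSE names [1]. The class and method names (ProtocolCheck, supported, unknown) are hypothetical, and the configured list is constructed sample input.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class, not Elytron code): validate configured
// protocol names against the running JVM instead of a list fixed in the model.
public class ProtocolCheck {

    // Protocol names the default JSSE provider of this JVM is able to enable.
    static Set<String> supported() throws NoSuchAlgorithmException {
        String[] names = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        return new LinkedHashSet<>(Arrays.asList(names));
    }

    // Returns the configured names the JVM does not recognise (empty means all valid).
    static List<String> unknown(List<String> configured, Set<String> supported) {
        List<String> bad = new ArrayList<>();
        for (String name : configured) {
            if (!supported.contains(name)) {
                bad.add(name);
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        Set<String> jvm = supported();
        System.out.println("JVM supports: " + jvm);

        // Constructed sample input: one standard JSSE name and one name taken
        // from the "allowed" list quoted in the issue.
        List<String> configured = Arrays.asList("TLSv1.2", "TLSv1_2");
        List<String> bad = unknown(configured, jvm);

        // Fail closed: reject the whole configuration rather than silently
        // dropping entries, so a typo cannot widen or empty the protocol set.
        if (bad.isEmpty()) {
            System.out.println("Configuration accepted: " + configured);
        } else {
            System.out.println("Configuration rejected, unknown name(s): " + bad);
        }
    }
}
```

The set printed by supported() depends on the JVM vendor and version, which is why the check reads it at runtime.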

