[jboss-jira] [JBoss JIRA] (WFLY-7076) Elytron introduces SSL/TLS protocol constraints

Darran Lofthouse (JIRA) issues at jboss.org
Thu Sep 8 13:29:00 EDT 2016


    [ https://issues.jboss.org/browse/WFLY-7076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13290803#comment-13290803 ] 

Darran Lofthouse commented on WFLY-7076:
----------------------------------------

[~honza889] The subsystem is using the underscore as I think we are currently using the enum for validation; we need to allow the standard names to be used. Also need to double-check the level of validation we need: we can hard-code a list of accepted Strings but need to see how that compares with our current filter.

> Elytron introduces SSL/TLS protocol constraints
> -----------------------------------------------
>
>                 Key: WFLY-7076
>                 URL: https://issues.jboss.org/browse/WFLY-7076
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 11.0.0.Alpha1
>            Reporter: Martin Choma
>            Assignee: Jan Kalina
>
> {noformat}
>                        "protocols" => {
>                             "type" => LIST,
>                             "description" => "The enabled protocols.",
>                             "expressions-allowed" => true,
>                             "nillable" => false,
>                             "allowed" => [
>                                 "SSLv2",
>                                 "SSLv3",
>                                 "TLSv1",
>                                 "TLSv1_1",
>                                 "TLSv1_2",
>                                 "TLSv1_3"
>                             ],
>                             "value-type" => STRING,
>                             "access-type" => "read-write",
>                             "storage" => "configuration",
>                             "restart-required" => "resource-services"
>                         },
> {noformat}
> Why is Elytron going to validate user input in this place and map standard Java values [1] into proprietary values?
> Whereas in other similar places (KeyManager algorithm, TrustManager algorithm, KeyStore types) it leaves it up to the user to set a proper value.
> IMO, with such a mapping another place where bugs can arise was introduced. EAP will always be here one step behind Java.
> Note, IBM Java already today defines a slightly different protocol set [2].
> I wonder where that mapping "TLSv1_2 -> TLSv1.2" is actually performed? I couldn't find that place.
> [1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
> [2] http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/protocols.html



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
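The naming mismatch and validation question discussed in this issue, as an added example that is not part of the WildFly/Elytron code base: a small Java program that maps the underscore-style names from the quoted resource model ("TLSv1_2") to the JSSE standard names, checks each configured name against what the running JVM actually supports (the list the JVM reports, which differs between vendors as the reporter notes), and reports where a hard-coded allowed list diverges from that JVM. The `toStandardName` mapping, the function names and the hard-coded list copied from the quoted model are assumptions for illustration; where Elytron performs its own mapping is what the reporter asked about and is not shown here.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ProtocolNameCheck {

    // The "allowed" list from the quoted resource model (copied from the issue text).
    static final List<String> MODEL_ALLOWED = Arrays.asList(
            "SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3");

    // Hypothetical mapping from the model's underscore form to the JSSE standard name
    // (e.g. "TLSv1_2" -> "TLSv1.2"). Names without an underscore are returned unchanged.
    static String toStandardName(String configured) {
        return configured.replace('_', '.');
    }

    // Protocol names the running JVM reports as supported for the default SSLContext.
    static Set<String> jvmSupportedProtocols() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return new LinkedHashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
    }

    // Resolve configured names to standard names and reject anything this JVM cannot enable,
    // so a typo or a vendor-specific difference is caught at configuration time rather than
    // silently dropped when the SSLEngine is created.
    static List<String> resolveEnabledProtocols(List<String> configured) throws NoSuchAlgorithmException {
        Set<String> supported = jvmSupportedProtocols();
        List<String> enabled = new ArrayList<>();
        List<String> rejected = new ArrayList<>();
        for (String name : configured) {
            String std = toStandardName(name);
            if (supported.contains(std)) {
                enabled.add(std);
            } else {
                rejected.add(name);
            }
        }
        if (!rejected.isEmpty()) {
            throw new IllegalArgumentException(
                    "Protocol(s) not supported by this JVM: " + rejected + "; supported: " + supported);
        }
        return enabled;
    }

    // Compare a hard-coded allowed list with the JVM: entries the JVM does not know, and
    // JVM protocols the list would never let an administrator enable.
    static String compareAllowedListToJvm(List<String> allowed) throws NoSuchAlgorithmException {
        Set<String> supported = jvmSupportedProtocols();
        List<String> unknownToJvm = new ArrayList<>();
        for (String name : allowed) {
            if (!supported.contains(toStandardName(name))) {
                unknownToJvm.add(name);
            }
        }
        List<String> missingFromList = new ArrayList<>();
        for (String std : supported) {
            boolean listed = false;
            for (String name : allowed) {
                if (toStandardName(name).equals(std)) {
                    listed = true;
                    break;
                }
            }
            if (!listed) {
                missingFromList.add(std);
            }
        }
        return "in list but not supported by this JVM: " + unknownToJvm
                + "; supported by this JVM but absent from list: " + missingFromList;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM supported protocols: " + jvmSupportedProtocols());
        System.out.println("Hard-coded list vs JVM: " + compareAllowedListToJvm(MODEL_ALLOWED));
        // Typical hardened configuration: only the current TLS versions this JVM offers.
        System.out.println("Enabled: " + resolveEnabledProtocols(Arrays.asList("TLSv1_2", "TLSv1_3")));
    }
}
```

Run it with `javac ProtocolNameCheck.java && java ProtocolNameCheck` on each JVM in use; the second line of output shows directly which hard-coded entries that JVM does not support and which of its protocols the list cannot express, which is the comparison the comment above says still needs to be checked.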

