[jboss-jira] [JBoss JIRA] (WFLY-7076) Elytron introduces SSL/TLS protocol constraints

Jan Kalina (JIRA) issues at jboss.org
Sat Sep 10 10:10:00 EDT 2016


    [ https://issues.jboss.org/browse/WFLY-7076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13291510#comment-13291510 ] 

Jan Kalina edited comment on WFLY-7076 at 9/10/16 10:09 AM:
------------------------------------------------------------

bq. I wonder, where is that mapping "TLSv1_2 -> TLSv1.2" actually performed? I couldn't find that place.

This is defined in the *org.wildfly.security.ssl.Protocol* enum (wildfly-elytron).
The reason for the restriction is that this enum is used in our *ProtocolSelector*.


was (Author: honza889):
bq. I wonder, where is that mapping "TLSv1_2 -> TLSv1.2" actually performed? I couldn't find that place.

This is defined in the *org.wildfly.security.ssl.Protocol* enum (wildfly-elytron).

> Elytron introduces SSL/TLS protocol constraints
> -----------------------------------------------
>
>                 Key: WFLY-7076
>                 URL: https://issues.jboss.org/browse/WFLY-7076
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 11.0.0.Alpha1
>            Reporter: Martin Choma
>            Assignee: Jan Kalina
>
> {noformat}
>                        "protocols" => {
>                             "type" => LIST,
>                             "description" => "The enabled protocols.",
>                             "expressions-allowed" => true,
>                             "nillable" => false,
>                             "allowed" => [
>                                 "SSLv2",
>                                 "SSLv3",
>                                 "TLSv1",
>                                 "TLSv1_1",
>                                 "TLSv1_2",
>                                 "TLSv1_3"
>                             ],
>                             "value-type" => STRING,
>                             "access-type" => "read-write",
>                             "storage" => "configuration",
>                             "restart-required" => "resource-services"
>                         },
> {noformat}
> Why is Elytron going to validate user input in this place and map the standard Java values [1] to proprietary values?
> Whereas in other similar places (KeyManager algorithm, TrustManager algorithm, Keystore types) it leaves it up to the user to set a proper value.
> IMO, with such a mapping, another place where bugs can arise was introduced. EAP will always be one step behind Java here.
> Note that IBM Java already defines a slightly different protocol set today [2].
> I wonder, where is that mapping "TLSv1_2 -> TLSv1.2" actually performed? I couldn't find that place.
> [1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
> [2] http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/protocols.html
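The issue above boils down to two choices: mapping the management-model names (TLSv1_2) to JSSE standard names (TLSv1.2) through a fixed table, and deciding what to do when the configured value is not one the running JVM supports. The following is an added example, not code from WildFly Elytron or the Protocol enum discussed here; the mapping table, the DEPRECATED set and the class name are assumptions for illustration. It shows a fail-closed variant: unknown configured names are rejected, names the JSSE provider does not support are dropped with a warning (so a newer or different JVM, such as the IBM one mentioned, is handled at runtime rather than by the hardcoded list), and enabling a deprecated protocol is flagged.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class ProtocolNameCheck {

    // Assumed mapping from the underscore-style names in the management model
    // (as listed in the "allowed" array above) to JSSE standard names.
    // This is an illustrative table, not the Elytron Protocol enum.
    private static final Map<String, String> MODEL_TO_JSSE = Map.of(
            "SSLv2",   "SSLv2",
            "SSLv3",   "SSLv3",
            "TLSv1",   "TLSv1",
            "TLSv1_1", "TLSv1.1",
            "TLSv1_2", "TLSv1.2",
            "TLSv1_3", "TLSv1.3");

    // Protocol versions that should not be enabled on a modern server (assumed policy).
    private static final Set<String> DEPRECATED = Set.of("SSLv2", "SSLv3", "TLSv1", "TLSv1.1");

    /** Map configured names to JSSE names; fail closed on anything not in the table. */
    static List<String> toJsseNames(List<String> configured) {
        List<String> out = new ArrayList<>();
        for (String name : configured) {
            String jsse = MODEL_TO_JSSE.get(name);
            if (jsse == null) {
                throw new IllegalArgumentException("unknown protocol name in configuration: " + name);
            }
            out.add(jsse);
        }
        return out;
    }

    /**
     * Keep only the protocols the running JSSE provider reports as supported,
     * so the effective set follows the JVM instead of a compile-time list.
     * Deprecated versions are kept if explicitly configured but are reported.
     */
    static List<String> filterSupported(List<String> jsseNames) throws NoSuchAlgorithmException {
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        List<String> enabled = new ArrayList<>();
        for (String p : jsseNames) {
            if (!supported.contains(p)) {
                System.err.println("WARN: " + p + " is not supported by this JVM, skipping");
                continue;
            }
            if (DEPRECATED.contains(p)) {
                System.err.println("WARN: " + p + " is deprecated; enabling it weakens the server");
            }
            enabled.add(p);
        }
        if (enabled.isEmpty()) {
            throw new IllegalStateException("no usable protocols remain after filtering");
        }
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input in the shape of the "protocols" attribute above.
        List<String> configured = List.of("TLSv1_2", "TLSv1_3", "SSLv3");
        List<String> enabled = filterSupported(toJsseNames(configured));
        System.out.println("enabled protocols: " + enabled);
        // The result would then be applied to an SSLEngine or SSLSocket via
        // setEnabledProtocols(enabled.toArray(new String[0])).
    }
}
```

Querying SSLContext.getDefault().getSupportedSSLParameters() at runtime is what keeps the check from going stale: on a JVM without TLSv1.3 the name is skipped with a warning rather than causing a startup failure, and on a JVM that no longer ships SSLv3 a misconfiguration is surfaced instead of silently accepted.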



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)