[jboss-jira] [JBoss JIRA] (ELY-627) Elytron introduces SSL/TLS protocol constraints
Jan Kalina (JIRA)
issues at jboss.org
Thu Sep 15 07:51:00 EDT 2016
[ https://issues.jboss.org/browse/ELY-627?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13293847#comment-13293847 ]
Jan Kalina edited comment on ELY-627 at 9/15/16 7:50 AM:
---------------------------------------------------------
*ProtocolSelector* and *CipherSuiteSelector* are very similar. The difference between them:
* ProtocolSelector uses a hardcoded list of protocols
* CipherSuiteSelector obtains the list of selectable ciphers from a special object - MechanismDatabase
What exactly do you mean by "similar pattern"? A special object managing the list of usable protocols?
was (Author: honza889):
*ProtocolSelector* and *CipherSuiteSelector* are very similar. The difference between the current *ProtocolSelector* and *CipherSuiteSelector*:
* ProtocolSelector uses a hardcoded list of protocols
* CipherSuiteSelector obtains the list of selectable ciphers from a special object - MechanismDatabase
What exactly do you mean by "similar pattern"? A special object managing the list of usable protocols?
> Elytron introduces SSL/TLS protocol constraints
> -----------------------------------------------
>
> Key: ELY-627
> URL: https://issues.jboss.org/browse/ELY-627
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SSL
> Affects Versions: 1.1.0.Beta8
> Reporter: Martin Choma
> Assignee: Jan Kalina
> Priority: Critical
>
> {noformat}
> "protocols" => {
> "type" => LIST,
> "description" => "The enabled protocols.",
> "expressions-allowed" => true,
> "nillable" => false,
> "allowed" => [
> "SSLv2",
> "SSLv3",
> "TLSv1",
> "TLSv1_1",
> "TLSv1_2",
> "TLSv1_3"
> ],
> "value-type" => STRING,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "resource-services"
> },
> {noformat}
> Why is Elytron going to validate user input at this place and map standard Java values [1] into proprietary values?
> Whereas at other similar places (KeyManager algorithm, TrustManager algorithm, Keystore types) it leaves it up to the user to set a proper value.
> IMO, with such a mapping another place where bugs can arise was introduced. EAP will here always be one step behind Java.
> Note that IBM Java already today defines a slightly different protocol set [2].
> I wonder where that mapping "TLSv1_2 -> TLSv1.2" is actually performed? I couldn't find that place.
> [1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
> [2] http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/protocols.html
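The concern in the report is that a fixed allowed list with its own spelling ("TLSv1_2") has to be mapped onto JSSE standard names ("TLSv1.2") and can silently drift from what the JVM actually supports. The following is an added example, not Elytron code: a hypothetical helper (class `ProtocolNameCheck`, methods `toJsseName` and `reconcile` are invented here) that applies the assumed underscore-to-dot mapping, then reconciles the configured values against the protocol names the running JVM reports via `SSLContext.getDefault().getSupportedSSLParameters().getProtocols()`. It reports three things: names that map and are supported, names that map but this JVM does not support, and JVM-supported names the fixed allowed list cannot express at all (the "one step behind Java" gap).

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

/**
 * Hypothetical helper (not part of Elytron): maps the constrained "protocols"
 * identifiers from the issue to JSSE standard names and checks them against
 * the protocols the running JVM supports.
 */
public final class ProtocolNameCheck {

    /** Result of reconciling the configured list with the provider's supported list. */
    public static final class Outcome {
        public final List<String> enabled = new ArrayList<>();       // configured and supported here
        public final List<String> unsupported = new ArrayList<>();   // configured but unknown to this JVM
        public final List<String> inexpressible = new ArrayList<>(); // supported, but outside the allowed list
    }

    /** Assumed mapping rule: "TLSv1_2" -> "TLSv1.2"; names without '_' pass through unchanged. */
    static String toJsseName(String configured) {
        return configured.replace('_', '.');
    }

    /**
     * allowedModel: the fixed "allowed" list from the resource description;
     * configured:   the values an administrator actually put into "protocols";
     * supported:    the protocol names SSLContext reports for this JVM.
     */
    static Outcome reconcile(List<String> allowedModel, List<String> configured, Set<String> supported) {
        Outcome out = new Outcome();
        for (String name : configured) {
            if (!allowedModel.contains(name)) {
                // The management model would already reject this value at configuration time.
                out.unsupported.add(name + " (not in allowed list)");
                continue;
            }
            String jsse = toJsseName(name);
            if (supported.contains(jsse)) {
                out.enabled.add(jsse);
            } else {
                // Mapped name exists in the model but this provider does not offer it.
                out.unsupported.add(jsse);
            }
        }
        // Anything the provider supports that the fixed allowed list cannot name:
        // this is exactly the drift the report worries about.
        Set<String> expressible = new LinkedHashSet<>();
        for (String name : allowedModel) {
            expressible.add(toJsseName(name));
        }
        for (String s : supported) {
            if (!expressible.contains(s)) {
                out.inexpressible.add(s);
            }
        }
        return out;
    }

    /** Protocol names the default SSLContext of this JVM reports as supported. */
    static Set<String> runtimeSupported() throws NoSuchAlgorithmException {
        return new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // The allowed list exactly as it appears in the resource description in the issue.
        List<String> allowedModel = Arrays.asList(
                "SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3");
        // Constructed sample configuration: an administrator who wants TLS 1.2 only.
        List<String> configured = Collections.singletonList("TLSv1_2");

        Outcome o = reconcile(allowedModel, configured, runtimeSupported());
        System.out.println("enabled:       " + o.enabled);
        System.out.println("unsupported:   " + o.unsupported);
        System.out.println("inexpressible: " + o.inexpressible);
    }
}
```

Run it on the JVM that will host the server rather than on a build machine: the `inexpressible` list is the practical check for the report's concern, because any name the provider supports under a spelling the allowed list has no underscore form for (a provider-specific name, or a newer protocol added after the list was written) shows up there instead of being quietly unreachable from the configuration.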
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)