[jboss-jira] [JBoss JIRA] (WFCORE-3448) Unable to set multiple ssl protocols and ciphers on security-realms using system properties

Derek Horton (JIRA) issues at jboss.org
Tue Dec 5 14:57:00 EST 2017


     [ https://issues.jboss.org/browse/WFCORE-3448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Derek Horton updated WFCORE-3448:
---------------------------------
      Git Pull Request: https://github.com/wildfly/wildfly-core/pull/2972
    Steps to Reproduce: 
- add a security-realm that has ssl enabled

            <security-realm name="CertificateRealm">
                <server-identities>
                    <ssl>

                        <engine enabled-cipher-suites="${tlscipher}" enabled-protocols="${tlsversion}"/>
                        <keystore path="/home/dehort/dev/java/jboss-eap-6.4.17/domain/configuration/server.keystore" keystore-password="123456" alias="serverkeys"/>
                    </ssl>
                </server-identities>
            </security-realm>

- start JBoss with the required system properties (must use multiple values to reproduce the issue)

  ./bin/standalone.sh -Dtlscipher="TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" -Dtlsversion="TLSv1.1 TLSv1.2"

  was:

- add a security-realm that has ssl enabled

            <security-realm name="CertificateRealm">
                <server-identities>
                    <ssl>

                        <engine enabled-cipher-suites="${tlscipher}" enabled-protocols="${tlsversion}"/>
                        <keystore path="/home/dehort/dev/java/jboss-eap-6.4.17/domain/configuration/server.keystore" keystore-password="123456" alias="serverkeys"/>
                    </ssl>
                </server-identities>
            </security-realm>

- start JBoss with the required system properties (must use multiple values to reproduce the issue)

  ./bin/standalone.sh -Dtlscipher="TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" -Dtlsversion="TLSv1.1 TLSv1.2"



> Unable to set multiple ssl protocols and ciphers on security-realms using system properties
> -------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-3448
>                 URL: https://issues.jboss.org/browse/WFCORE-3448
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Domain Management
>            Reporter: Derek Horton
>            Assignee: Brian Stansberry
>
> It is not possible to set the ssl protocol and ciphers on a security-realm using a system property if multiple protocols and/or ciphers are needed.
> Setting the "enabled-cipher-suites" and "enabled-protocols" using a system property works if the system property value resolves to a single value ("TLSv1.2" for example).
> An error is thrown if the system property has multiple values (-Dtlsversion="TLSv1.1 TLSv1.2").  Here is the error that is generated:
> 13:20:43,315 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ManagementRealm.ssl-context: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ManagementRealm.ssl-context: WFLYDM0096: No protocols in common, supported=([SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]), requested=([TLSv1.1 TLSv1.2])
>         at org.jboss.as.domain.management.security.SSLContextService.wrapSslContext(SSLContextService.java:137)
>         at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:102)
>         at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
>         at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
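The WFLYDM0096 message above is the realm comparing the JDK engine's supported protocol names against the resolved attribute value, and the requested list it prints contains a single element, "TLSv1.1 TLSv1.2". The program below is an added example, not code from WildFly, from the linked pull request or from this report: it reproduces that comparison against the local JDK's SSLEngine, showing that the unsplit property value matches nothing while the same value split on whitespace matches two protocols. The helper name protocolsInCommon and the whitespace-splitting rule are assumptions made for illustration and are not WildFly's implementation.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ProtocolIntersectionCheck {

    /**
     * Hypothetical helper (not WildFly's code): keep the requested entries that the
     * engine reports as supported, preserving the requested order. An exact string
     * match is used, which is why "TLSv1.1 TLSv1.2" as one element never matches.
     */
    static List<String> protocolsInCommon(String[] supported, List<String> requested) {
        Set<String> supportedSet = new HashSet<>(Arrays.asList(supported));
        List<String> common = new ArrayList<>();
        for (String protocol : requested) {
            if (supportedSet.contains(protocol)) {
                common.add(protocol);
            }
        }
        return common;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String[] supported = engine.getSupportedProtocols();

        // Same value as -Dtlsversion in the report.
        String propertyValue = "TLSv1.1 TLSv1.2";

        // What the realm ended up with: the whole property value as one list element.
        List<String> unsplit = Collections.singletonList(propertyValue);
        // What was intended: each whitespace-separated token as its own element
        // (assumed splitting rule for this example).
        List<String> split = Arrays.asList(propertyValue.trim().split("\\s+"));

        System.out.println("supported=" + Arrays.toString(supported));
        System.out.println("requested=" + unsplit + " -> in common: "
                + protocolsInCommon(supported, unsplit));
        System.out.println("requested=" + split + " -> in common: "
                + protocolsInCommon(supported, split));

        List<String> common = protocolsInCommon(supported, split);
        if (common.isEmpty()) {
            // Mirrors the failure mode in the report: nothing usable to enable.
            throw new IllegalStateException("No protocols in common, supported="
                    + Arrays.toString(supported) + ", requested=" + split);
        }
        // Only apply the intersection; names the engine does not know would throw here.
        engine.setEnabledProtocols(common.toArray(new String[0]));
        System.out.println("enabled=" + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Compile with javac and run with java; the printed supported list depends on the JDK (the report's list is from a JDK 8 era provider, newer JDKs add TLSv1.3). Note also that "supported" is not "enabled": a JDK may list TLSv1 and TLSv1.1 as supported yet still refuse them during the handshake because of jdk.tls.disabledAlgorithms in java.security, so a realm that passes this check can still fail to negotiate those versions.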

