[jboss-jira] [JBoss JIRA] (ELY-1663) BC FIPS, Management Interface, ELY04001: No algorithm found matching TLS/SSL protocol selection criteria

Farah Juma (Jira) issues at jboss.org
Tue Nov 6 17:44:00 EST 2018 

    [ https://issues.jboss.org/browse/ELY-1663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13657520#comment-13657520 ] 

Farah Juma commented on ELY-1663:
---------------------------------

The problem is that in {{SSLUtils.createSslContextFactory}}, the {{preferredProviderByAlgorithm}} map is being created with separate "TLSv1.2" and "TLSV1.2" keys. Then when {{protocolSelector.evaluate(preferredProviderByAlgorithm.keySet().toArray(NO_STRINGS))}} is called, the supported list of protocol names ends up containing only one of "TLSv1.2" and "TLSV1.2" (depending on which of these is processed last). I've created the following PR to fix this:

https://github.com/wildfly-security/wildfly-elytron/pull/1213

[~mchoma] are you able to try out the above fix?

> BC FIPS, Management Interface, ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
> --------------------------------------------------------------------------------------------------------
>
>                 Key: ELY-1663
>                 URL: https://issues.jboss.org/browse/ELY-1663
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 1.6.0.Final
>            Reporter: Martin Choma
>            Assignee: Farah Juma
>            Priority: Blocker
>
> Rarely 1:30 it happens there occures error accessing http management interface secured with TLS with BC FIPS
> {code}
> Operation {"operation" => "add","address" => [("subsystem" => "elytron"),("server-ssl-context" => "test-server-ssl-context")],"key-manager" => "key-manager-name_test-server-ssl-context","cipher-suite-filter" => "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256","trust-manager" => "trust-manager-name_test-server-ssl-context","protocols" => ["TLSv1.2"],"need-client-auth" => true} failed: {"outcome" => "failed","failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.test-server-ssl-context" => "java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
>     Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria"}},"rolled-back" => true}
> ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service org.wildfly.security.ssl-context.test-server-ssl-context: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.test-server-ssl-context: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
> 	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:982)
> 	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
> 	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
> 	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> 	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> 	at java.lang.Thread.run(Thread.java:748)
> Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
> 	at org.wildfly.security.ssl.SSLUtils.lambda$createSslContextFactory$1(SSLUtils.java:130)
> 	at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:340)
> 	at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> 	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:980)
> 	... 9 more
> {code}
> Some facts
> * It happens only on management interface BC FIPS TLS tests
> * It does not occur on Undertow secured with BC FIPS
> * Previously there was issue with similar error but that happened everywhere https://issues.jboss.org/browse/ELY-1618 



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the jboss-jira mailing list