[jboss-jira] [JBoss JIRA] (WFLY-11669) iiop-openjdk ignores cipher-suite-filter with openssl provider

David Everly (Jira) issues at jboss.org
Mon Feb 4 15:39:02 EST 2019


     [ https://issues.jboss.org/browse/WFLY-11669?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Everly updated WFLY-11669:
--------------------------------
    Security:     (was: Security Issue)


> iiop-openjdk ignores cipher-suite-filter with openssl provider
> --------------------------------------------------------------
>
>                 Key: WFLY-11669
>                 URL: https://issues.jboss.org/browse/WFLY-11669
>             Project: WildFly
>          Issue Type: Bug
>          Components: IIOP
>    Affects Versions: 15.0.0.Final, 15.0.1.Final
>            Reporter: David Everly
>            Assignee: Tomasz Adamski
>            Priority: Major
>
> When using the "openssl" provider, the cipher-suite-filter is respected by undertow, but ignored by iiop-openjdk:
> {noformat}
>                 <server-ssl-contexts>  
>                     <server-ssl-context name="openssl-serversslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" key-manager="wildfly-keymanager" providers="openssl"/>  
>                 </server-ssl-contexts>  
>                 <client-ssl-contexts>  
>                     <client-ssl-context name="iiop-clientsslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>  
>                 </client-ssl-contexts>  
>             </tls>  
>         </subsystem>  
>         <subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">  
>             <orb socket-binding="iiop" ssl-socket-binding="iiop-ssl"/>  
>             <initializers security="identity" transactions="spec"/>  
>             <security support-ssl="true" server-ssl-context="openssl-serversslcontext" client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true" client-requires-ssl="false"/>  
>             <interop iona="true"/>  
>         </subsystem>  
> {noformat}
> See also:
> * https://developer.jboss.org/message/987804#987804
> * https://github.com/mozilla/cipherscan.git



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
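
Added example, not part of the original report or of WildFly's code: one way to check whether a TLS listener honours the configured cipher-suite-filter is to offer a single suite per TLS 1.2 handshake and flag every accepted suite that the filter does not list. The function names and the constructed sample result are assumptions, as is treating the filter as a plain colon-separated list of OpenSSL names (the form used in the report); host and port are supplied by the caller.

```python
import socket
import ssl

# cipher-suite-filter value copied from the report's server-ssl-context.
FILTER = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
          "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:"
          "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
          "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256")

# Constructed sample of a probe result, for illustration only.
SAMPLE_ACCEPTED = ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "DES-CBC3-SHA"]

def allowed_suites(cipher_filter):
    """Assumption: the filter is a plain colon-separated list of OpenSSL names."""
    return {name.strip() for name in cipher_filter.split(":") if name.strip()}

def local_tls12_suites():
    """Suites (TLS 1.2 and earlier) that the local OpenSSL build can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def offers(host, port, cipher, timeout=5.0):
    """True if the endpoint completes a TLS 1.2 handshake using only `cipher`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only cipher negotiation is under test
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.cipher()[0] == cipher
    except (ssl.SSLError, OSError):
        return False  # suite unknown locally, handshake refused, or no listener

def filter_violations(accepted, cipher_filter):
    """Suites the listener accepted that the filter does not permit."""
    return sorted(set(accepted) - allowed_suites(cipher_filter))

def audit(host, port, cipher_filter):
    """Probe every locally available suite and return the violations."""
    accepted = [c for c in local_tls12_suites() if offers(host, port, c)]
    return filter_violations(accepted, cipher_filter)
```

Running `audit()` against both the undertow HTTPS port and the iiop-ssl port of the same server shows whether the two listeners apply the filter differently; an empty list means every accepted suite is in the filter.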

