[jboss-jira] [JBoss JIRA] (WFLY-11669) iiop-openjdk ignores cipher-suite-filter with openssl provider
David Everly (Jira)
issues at jboss.org
Wed Feb 6 08:16:01 EST 2019
[ https://issues.jboss.org/browse/WFLY-11669?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Everly updated WFLY-11669:
--------------------------------
Description:
When using the "openssl" provider, the cipher-suite-filter is respected by undertow, but ignored by iiop-openjdk (modified standalone-full.xml):
{noformat}
            <server-ssl-contexts>
                <server-ssl-context name="openssl-serversslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" key-manager="wildfly-keymanager" providers="openssl"/>
            </server-ssl-contexts>
            <client-ssl-contexts>
                <client-ssl-context name="iiop-clientsslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>
            </client-ssl-contexts>
        </tls>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
        <orb socket-binding="iiop" ssl-socket-binding="iiop-ssl"/>
        <initializers security="identity" transactions="spec"/>
        <security support-ssl="true" server-ssl-context="openssl-serversslcontext" client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true" client-requires-ssl="false"/>
        <interop iona="true"/>
    </subsystem>
{noformat}
See also:
* https://developer.jboss.org/message/987804#987804
* http://wildfly.org/news/2017/10/06/OpenSSL-Support-In-Wildfly/
* https://github.com/mozilla/cipherscan.git
was:
When using the "openssl" provider, the cipher-suite-filter is respected by undertow, but ignored by iiop-openjdk (modified standalone-full.xml):
{noformat}
            <server-ssl-contexts>
                <server-ssl-context name="openssl-serversslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" key-manager="wildfly-keymanager" providers="openssl"/>
            </server-ssl-contexts>
            <client-ssl-contexts>
                <client-ssl-context name="iiop-clientsslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>
            </client-ssl-contexts>
        </tls>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
        <orb socket-binding="iiop" ssl-socket-binding="iiop-ssl"/>
        <initializers security="identity" transactions="spec"/>
        <security support-ssl="true" server-ssl-context="openssl-serversslcontext" client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true" client-requires-ssl="false"/>
        <interop iona="true"/>
    </subsystem>
{noformat}
See also:
* https://developer.jboss.org/message/987804#987804
* https://github.com/mozilla/cipherscan.git
> iiop-openjdk ignores cipher-suite-filter with openssl provider
> --------------------------------------------------------------
>
> Key: WFLY-11669
> URL: https://issues.jboss.org/browse/WFLY-11669
> Project: WildFly
> Issue Type: Bug
> Components: IIOP
> Affects Versions: 15.0.0.Final, 15.0.1.Final
> Reporter: David Everly
> Assignee: Tomasz Adamski
> Priority: Major
>
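The practical way to confirm a report like this one is to observe what each listener actually negotiates rather than trusting the configuration. The script below is an added example, not code from the WildFly project or from the reporter: it offers one TLS 1.2 suite at a time to a port, records which suites complete the handshake, and diffs that set against the cipher-suite-filter from the report. Run against the undertow HTTPS port and the iiop-ssl port, a non-empty "outside the filter" list on one port but not the other is exactly the symptom described above. The host and the port numbers (8443 for HTTPS, 3529 for iiop-ssl) are assumptions; the filter string is the one from the report, and the `audit` helper is generic, so any Elytron cipher-suite-filter in OpenSSL list syntax can be checked the same way.

```python
"""Compare the cipher suites a TLS listener accepts with an Elytron
cipher-suite-filter (OpenSSL cipher-list syntax).

Added example; not part of WildFly or of the bug report.
Host and port values below are assumptions."""
import socket
import ssl

# Filter value copied from the report's server-ssl-context (OpenSSL names).
CIPHER_SUITE_FILTER = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"
)


def parse_cipher_filter(filter_str):
    """Split an OpenSSL-style cipher list into suite names, dropping
    empty entries and keeping the configured order."""
    return [name for name in filter_str.split(":") if name]


def candidate_suites():
    """Every TLS 1.2-and-below suite the local OpenSSL build can offer.
    TLS 1.3 suites are excluded: set_ciphers() does not govern them and
    the report pins protocols="TLSv1.2"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] != "TLSv1.3")


def server_accepts(host, port, suite, timeout=5.0):
    """Offer exactly one suite in a TLS 1.2 ClientHello; True only if the
    server completes the handshake with that suite. Certificate checks are
    disabled because only cipher negotiation is being observed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError:
        return False  # local OpenSSL cannot offer this suite at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == suite
    except (ssl.SSLError, OSError):
        return False  # handshake rejected, connection refused, or timeout


def audit(allowed, accepted):
    """Diff observed suites against the filter.
    Returns (unexpected, missing): suites accepted although absent from the
    filter (the filter is not being enforced), and filter suites the server
    refused (harmless, e.g. key type or OpenSSL build mismatch)."""
    allowed_set, accepted_set = set(allowed), set(accepted)
    return (sorted(accepted_set - allowed_set),
            sorted(allowed_set - accepted_set))


def scan(host, port, allowed=None):
    """Probe every candidate suite against host:port and audit the result."""
    if allowed is None:
        allowed = parse_cipher_filter(CIPHER_SUITE_FILTER)
    accepted = [s for s in candidate_suites() if server_accepts(host, port, s)]
    return accepted, audit(allowed, accepted)


if __name__ == "__main__":
    # Assumed ports: 8443 for the undertow HTTPS listener, 3529 for iiop-ssl.
    for port in (8443, 3529):
        accepted, (unexpected, missing) = scan("localhost", port)
        print(f"port {port}: {len(accepted)} suite(s) accepted")
        print("  outside the filter:", unexpected or "none")
        print("  in the filter but refused:", missing or "none")
```

A few suites listed in the filter may legitimately show up as "refused" (for example if the server key is not RSA, or the local OpenSSL build lacks a suite); the finding that matters is any suite accepted that the filter does not name.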
--
This message was sent by Atlassian Jira
(v7.12.1#712002)