[jboss-jira] [JBoss JIRA] (WFLY-11640) NPE with wildfly-openssl using OpenSSL 1.1.1a

Jan Stourac (Jira) issues at jboss.org
Wed Jan 23 13:25:00 EST 2019 

    [ https://issues.jboss.org/browse/WFLY-11640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13686728#comment-13686728 ] 

Jan Stourac edited comment on WFLY-11640 at 1/23/19 1:24 PM:
-------------------------------------------------------------

Note, JFYI - here is the comparison of cipher sets between 1.1.0i-fips (default on my system) and 1.1.1a (compiled from source):
{code}
-AES128-CCM
-AES128-CCM8
 AES128-GCM-SHA256
 AES128-SHA
 AES128-SHA256
-AES256-CCM
-AES256-CCM8
 AES256-GCM-SHA384
 AES256-SHA
 AES256-SHA256
-CAMELLIA128-SHA
-CAMELLIA128-SHA256
-CAMELLIA256-SHA
-CAMELLIA256-SHA256
-DHE-RSA-AES128-CCM
-DHE-RSA-AES128-CCM8
+DHE-PSK-AES128-CBC-SHA
+DHE-PSK-AES128-CBC-SHA256
+DHE-PSK-AES128-GCM-SHA256
+DHE-PSK-AES256-CBC-SHA
+DHE-PSK-AES256-CBC-SHA384
+DHE-PSK-AES256-GCM-SHA384
+DHE-PSK-CHACHA20-POLY1305
 DHE-RSA-AES128-GCM-SHA256
 DHE-RSA-AES128-SHA
 DHE-RSA-AES128-SHA256
-DHE-RSA-AES256-CCM
-DHE-RSA-AES256-CCM8
 DHE-RSA-AES256-GCM-SHA384
 DHE-RSA-AES256-SHA
 DHE-RSA-AES256-SHA256
-DHE-RSA-CAMELLIA128-SHA
-DHE-RSA-CAMELLIA128-SHA256
-DHE-RSA-CAMELLIA256-SHA
-DHE-RSA-CAMELLIA256-SHA256
 DHE-RSA-CHACHA20-POLY1305
-ECDHE-ECDSA-AES128-CCM
-ECDHE-ECDSA-AES128-CCM8
 ECDHE-ECDSA-AES128-GCM-SHA256
 ECDHE-ECDSA-AES128-SHA
 ECDHE-ECDSA-AES128-SHA256
-ECDHE-ECDSA-AES256-CCM
-ECDHE-ECDSA-AES256-CCM8
 ECDHE-ECDSA-AES256-GCM-SHA384
 ECDHE-ECDSA-AES256-SHA
 ECDHE-ECDSA-AES256-SHA384
-ECDHE-ECDSA-CAMELLIA128-SHA256
-ECDHE-ECDSA-CAMELLIA256-SHA384
 ECDHE-ECDSA-CHACHA20-POLY1305
+ECDHE-PSK-AES128-CBC-SHA
+ECDHE-PSK-AES128-CBC-SHA256
+ECDHE-PSK-AES256-CBC-SHA
+ECDHE-PSK-AES256-CBC-SHA384
+ECDHE-PSK-CHACHA20-POLY1305
 ECDHE-RSA-AES128-GCM-SHA256
 ECDHE-RSA-AES128-SHA
 ECDHE-RSA-AES128-SHA256
 ECDHE-RSA-AES256-GCM-SHA384
 ECDHE-RSA-AES256-SHA
 ECDHE-RSA-AES256-SHA384
-ECDHE-RSA-CAMELLIA128-SHA256
-ECDHE-RSA-CAMELLIA256-SHA384
 ECDHE-RSA-CHACHA20-POLY1305
+PSK-AES128-CBC-SHA
+PSK-AES128-CBC-SHA256
+PSK-AES128-GCM-SHA256
+PSK-AES256-CBC-SHA
+PSK-AES256-CBC-SHA384
+PSK-AES256-GCM-SHA384
+PSK-CHACHA20-POLY1305
+RSA-PSK-AES128-CBC-SHA
+RSA-PSK-AES128-CBC-SHA256
+RSA-PSK-AES128-GCM-SHA256
+RSA-PSK-AES256-CBC-SHA
+RSA-PSK-AES256-CBC-SHA384
+RSA-PSK-AES256-GCM-SHA384
+RSA-PSK-CHACHA20-POLY1305
+SRP-AES-128-CBC-SHA
+SRP-AES-256-CBC-SHA
+SRP-RSA-AES-128-CBC-SHA
+SRP-RSA-AES-256-CBC-SHA
+TLS_AES_128_GCM_SHA256
+TLS_AES_256_GCM_SHA384
+TLS_CHACHA20_POLY1305_SHA256
{code}


was (Author: jstourac):
Note, JFYI - here is the comparison of cipher sets between 1.1.0i-fips (default on my system) and 1.1.1a:
{code}
-AES128-CCM
-AES128-CCM8
 AES128-GCM-SHA256
 AES128-SHA
 AES128-SHA256
-AES256-CCM
-AES256-CCM8
 AES256-GCM-SHA384
 AES256-SHA
 AES256-SHA256
-CAMELLIA128-SHA
-CAMELLIA128-SHA256
-CAMELLIA256-SHA
-CAMELLIA256-SHA256
-DHE-RSA-AES128-CCM
-DHE-RSA-AES128-CCM8
+DHE-PSK-AES128-CBC-SHA
+DHE-PSK-AES128-CBC-SHA256
+DHE-PSK-AES128-GCM-SHA256
+DHE-PSK-AES256-CBC-SHA
+DHE-PSK-AES256-CBC-SHA384
+DHE-PSK-AES256-GCM-SHA384
+DHE-PSK-CHACHA20-POLY1305
 DHE-RSA-AES128-GCM-SHA256
 DHE-RSA-AES128-SHA
 DHE-RSA-AES128-SHA256
-DHE-RSA-AES256-CCM
-DHE-RSA-AES256-CCM8
 DHE-RSA-AES256-GCM-SHA384
 DHE-RSA-AES256-SHA
 DHE-RSA-AES256-SHA256
-DHE-RSA-CAMELLIA128-SHA
-DHE-RSA-CAMELLIA128-SHA256
-DHE-RSA-CAMELLIA256-SHA
-DHE-RSA-CAMELLIA256-SHA256
 DHE-RSA-CHACHA20-POLY1305
-ECDHE-ECDSA-AES128-CCM
-ECDHE-ECDSA-AES128-CCM8
 ECDHE-ECDSA-AES128-GCM-SHA256
 ECDHE-ECDSA-AES128-SHA
 ECDHE-ECDSA-AES128-SHA256
-ECDHE-ECDSA-AES256-CCM
-ECDHE-ECDSA-AES256-CCM8
 ECDHE-ECDSA-AES256-GCM-SHA384
 ECDHE-ECDSA-AES256-SHA
 ECDHE-ECDSA-AES256-SHA384
-ECDHE-ECDSA-CAMELLIA128-SHA256
-ECDHE-ECDSA-CAMELLIA256-SHA384
 ECDHE-ECDSA-CHACHA20-POLY1305
+ECDHE-PSK-AES128-CBC-SHA
+ECDHE-PSK-AES128-CBC-SHA256
+ECDHE-PSK-AES256-CBC-SHA
+ECDHE-PSK-AES256-CBC-SHA384
+ECDHE-PSK-CHACHA20-POLY1305
 ECDHE-RSA-AES128-GCM-SHA256
 ECDHE-RSA-AES128-SHA
 ECDHE-RSA-AES128-SHA256
 ECDHE-RSA-AES256-GCM-SHA384
 ECDHE-RSA-AES256-SHA
 ECDHE-RSA-AES256-SHA384
-ECDHE-RSA-CAMELLIA128-SHA256
-ECDHE-RSA-CAMELLIA256-SHA384
 ECDHE-RSA-CHACHA20-POLY1305
+PSK-AES128-CBC-SHA
+PSK-AES128-CBC-SHA256
+PSK-AES128-GCM-SHA256
+PSK-AES256-CBC-SHA
+PSK-AES256-CBC-SHA384
+PSK-AES256-GCM-SHA384
+PSK-CHACHA20-POLY1305
+RSA-PSK-AES128-CBC-SHA
+RSA-PSK-AES128-CBC-SHA256
+RSA-PSK-AES128-GCM-SHA256
+RSA-PSK-AES256-CBC-SHA
+RSA-PSK-AES256-CBC-SHA384
+RSA-PSK-AES256-GCM-SHA384
+RSA-PSK-CHACHA20-POLY1305
+SRP-AES-128-CBC-SHA
+SRP-AES-256-CBC-SHA
+SRP-RSA-AES-128-CBC-SHA
+SRP-RSA-AES-256-CBC-SHA
+TLS_AES_128_GCM_SHA256
+TLS_AES_256_GCM_SHA384
+TLS_CHACHA20_POLY1305_SHA256
{code}

> NPE with wildfly-openssl using OpenSSL 1.1.1a
> ---------------------------------------------
>
>                 Key: WFLY-11640
>                 URL: https://issues.jboss.org/browse/WFLY-11640
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>    Affects Versions: 15.0.1.Final
>         Environment: OpenSSL 1.1.1a
>            Reporter: Jan Stourac
>            Assignee: Stuart Douglas
>            Priority: Major
>
> It is impossible to use {{wildfly-openssl}} binding with OpenSSL 1.1.1a (RHEL8 uses 1.1.1 at the moment but there seems to be same issue). There is an NPE during the ciphersuites initialization:
> {code}
> 9:10:58,330 WARNING [org.wildfly.openssl.OpenSSLContextSPI] (MSC service thread 1-3) WFOPENSSL0014 Failed to initialize ciphers: java.lang.NullPointerException
> 	at org.wildfly.openssl.CipherSuiteConverter.toJava(CipherSuiteConverter.java:284)
> 	at org.wildfly.openssl.OpenSSLContextSPI.getAvailableCipherSuites(OpenSSLContextSPI.java:109)
> 	at org.wildfly.openssl.OpenSSLEngine.getSupportedCipherSuites(OpenSSLEngine.java:711)
> 	at org.wildfly.openssl.OpenSSLSocket.getSupportedCipherSuites(OpenSSLSocket.java:163)
> 	at javax.net.ssl.SSLContextSpi.engineGetSupportedSSLParameters(SSLContextSpi.java:194)
> 	at javax.net.ssl.SSLContext.getSupportedSSLParameters(SSLContext.java:436)
> 	at org.jboss.as.domain.management.security.SSLContextService.wrapSslContext(SSLContextService.java:116)
> 	at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:102)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
> 	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
> 	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> 	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> 	at java.lang.Thread.run(Thread.java:748)
> {code}
> and then there is NPE during the request itself:
> {code}
> 19:12:18,417 ERROR [org.xnio.listener] (default I/O-2) XNIO001007: A channel event listener threw an exception: java.lang.NullPointerException
> 	at org.wildfly.openssl.CipherSuiteConverter.toJava(CipherSuiteConverter.java:284)
> 	at org.wildfly.openssl.OpenSSLEngine.toJavaCipherSuite(OpenSSLEngine.java:1094)
> 	at org.wildfly.openssl.OpenSSLEngine.getEnabledCipherSuites(OpenSSLEngine.java:729)
> 	at org.wildfly.openssl.OpenSSLContextSPI.getCiphers(OpenSSLContextSPI.java:339)
> 	at org.wildfly.openssl.OpenSSLEngine.getEnabledCipherSuites(OpenSSLEngine.java:720)
> 	at io.undertow.server.protocol.http.AlpnOpenListener.engineSupportsHTTP2(AlpnOpenListener.java:324)
> 	at io.undertow.server.protocol.http.AlpnOpenListener$1.apply(AlpnOpenListener.java:239)
> 	at io.undertow.server.protocol.http.AlpnOpenListener$1.apply(AlpnOpenListener.java:235)
> 	at io.undertow.server.protocol.http.AlpnOpenListener$SSLConduitUpdater.apply(AlpnOpenListener.java:430)
> 	at io.undertow.server.protocol.http.AlpnOpenListener$SSLConduitUpdater.apply(AlpnOpenListener.java:419)
> 	at io.undertow.protocols.alpn.DefaultAlpnEngineManager.registerEngine(DefaultAlpnEngineManager.java:31)
> 	at io.undertow.protocols.alpn.ALPNManager.registerEngineCallback(ALPNManager.java:80)
> 	at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:235)
> 	at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:64)
> 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> 	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
> 	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
> 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> 	at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
> 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> 	at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:131)
> 	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
> 	at org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
> {code}
> Looking briefly into it, the cipher that is trying to be used is *{{TLS_AES_256_GCM_SHA384}}*. It is interesting that this cipher has underscores '_' in its name instead of hyphens '-' as most of the openssl ciphers have.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the jboss-jira mailing list