WildFly Elytron / ELY-1618

TLS with BCJSSE Provider does not work


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 1.5.1.Final, 1.5.2.Final
    • 1.4.0.Final
    • Component/s: SSL
    • Labels: None
      • Drop the two BC FIPS jars into java.home/jre/lib/ext:
        • bc-fips-1.0.1.jar
        • bctls-fips-1.0.5.jar
      • Install BC FIPS in java.security:
        security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
        security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
        security.provider.3=sun.security.provider.Sun
      • Remove the OpenSSL provider from standalone.xml:
        • /subsystem=elytron:write-attribute(name=final-providers,value=elytron)
      • Create a BCFKS keystore (the keytool arguments as they were run):
        keytool -genkeypair -alias appserver -keyalg RSA -keysize 2048 -keypass password -keystore /home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /home/mchoma/.m2/repository/org/bouncycastle/fips/bc-fips/1.0.1/bc-fips-1.0.1.jar -storetype BCFKS -storepass password -dname "CN=appserver,OU=QE,O=Redhat,L=Brno,ST=CR,C=CZ" -validity 730 -v
      • Configure Undertow with TLS:
        • /subsystem=elytron/key-store=key-store-name_server-ssl-context:add(name=key-store-name_server-ssl-context, type=BCFKS, credential-reference={clear-text => password}, path=/home/mchoma/git-repo/tests-security/fips/target/bc-workdir/keystore.bcfks)
        • /subsystem=elytron/key-manager=key-manager-name_server-ssl-context:add(key-store=key-store-name_server-ssl-context, credential-reference={clear-text => password}, algorithm=X509)
        • /subsystem=elytron/server-ssl-context=server-ssl-context:add(key-manager=key-manager-name_server-ssl-context, cipher-suite-filter=TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, protocols=[TLSv1.2], need-client-auth=false)
        • /subsystem=undertow/server=default-server/https-listener=https-listener:write-attribute(name=ssl-context, value=server-ssl-context)

      When I configure BouncyCastleJsseProvider to be the only provider providing TLS, TLS does not work and fails with this exception:

      14:07:53,905 TRACE [org.wildfly.security] (MSC service thread 1-4) No SSLContext provided by providers in SSLUtils: [BCFIPS version 1.01, BCJSSE version 1.0005, SUN version 1.8, ApacheXMLDSig version 2.11, SunJCE version 1.8, TLSP version 1.0, WildFlyElytron version 1.0]
      14:07:53,906 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.ssl-context.test-server-ssl-context: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.test-server-ssl-context: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
      	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:926)
      	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
      	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
      	at org.wildfly.security.ssl.SSLUtils.throwIt(SSLUtils.java:142)
      	at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:340)
      	at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
      	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:924)
      	... 9 more
      
      14:07:53,910 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
          ("subsystem" => "elytron"),
          ("server-ssl-context" => "test-server-ssl-context")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.test-server-ssl-context" => "java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
          Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria"}}
      

      After debugging, it seems the problem is this:
      The supported protocols resolved from BCJSSE version 1.0005 are [TLS, TLSV1, TLSV1.2, DEFAULT, TLSV1.1].
      Whereas the Elytron class org.wildfly.security.ssl.Protocol uses the constants TLSv1, TLSv1.1, TLSv1.2, ..., i.e. with a lower-case "v".
      And thus ProtocolSelector.evaluate returns an empty set.

      A possible solution to this particular problem would be to make Protocol case insensitive, i.e. define the enum constants in upper case and adjust the methods to use .toUpperCase(). But I am probably not aware of all the consequences of such a change.
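      The following is an added illustration of the mismatch described above; it is not Elytron or BouncyCastle code. It models the selection step with a small stand-alone class: the BCJSSE protocol list and the policy list are constructed from the values quoted in this report, and selectExact, selectIgnoringCase and installedSslContextAlgorithms are hypothetical names, not Elytron APIs. The first method reproduces the empty result, the second shows the proposed case-insensitive matching, and the third prints what the providers installed in the running JVM actually register under the SSLContext service type so the same comparison can be made against a real java.security setup.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added illustration (not Elytron code): models the protocol selection step
 * described in ELY-1618 and shows why a case-sensitive comparison returns
 * nothing against BCJSSE while a normalised comparison does not.
 */
public class ProtocolCaseCheck {

    // Constructed sample: the protocol names the report says BCJSSE 1.0005 advertises.
    static final List<String> BCJSSE_SUPPORTED =
            Arrays.asList("TLS", "TLSV1", "TLSV1.2", "DEFAULT", "TLSV1.1");

    // Hypothetical policy list, spelled the way Elytron's Protocol constants are (lower-case "v").
    static final List<String> POLICY = Arrays.asList("TLSv1.2");

    /** Case-sensitive intersection: the failing behaviour reported in the issue. */
    static Set<String> selectExact(Collection<String> supported, Collection<String> policy) {
        Set<String> result = new LinkedHashSet<>();
        for (String s : supported) {
            if (policy.contains(s)) {
                result.add(s);
            }
        }
        return result;
    }

    /**
     * Case-insensitive intersection: the fix the report proposes. Names are
     * normalised with Locale.ROOT so the comparison does not depend on the JVM's
     * default locale (a bare toUpperCase() under a Turkish locale maps "i" to a
     * dotted capital I and would break the match). The provider's own spelling is
     * returned, because that is the name to pass to SSLContext.getInstance(name, provider).
     */
    static Set<String> selectIgnoringCase(Collection<String> supported, Collection<String> policy) {
        Set<String> wanted = new LinkedHashSet<>();
        for (String p : policy) {
            wanted.add(p.toUpperCase(Locale.ROOT));
        }
        Set<String> result = new LinkedHashSet<>();
        for (String s : supported) {
            if (wanted.contains(s.toUpperCase(Locale.ROOT))) {
                result.add(s);
            }
        }
        return result;
    }

    /** Every SSLContext algorithm name each installed provider registers, as "provider -> name". */
    static List<String> installedSslContextAlgorithms() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    names.add(p.getName() + " -> " + s.getAlgorithm());
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        System.out.println("case-sensitive:   " + selectExact(BCJSSE_SUPPORTED, POLICY));
        System.out.println("case-insensitive: " + selectIgnoringCase(BCJSSE_SUPPORTED, POLICY));
        System.out.println("SSLContext services registered in this JVM:");
        for (String n : installedSslContextAlgorithms()) {
            System.out.println("  " + n);
        }
    }
}
```

      Run it once with the stock JDK providers and once with the java.security changes from the reproduction steps to see the two spellings side by side. Note that JCA itself treats algorithm names case-insensitively when a service is looked up through Provider.getService or SSLContext.getInstance, so a selector that filters the names a provider advertises against its own constants should compare them the same way; that is why the normalised variant is the safer choice rather than renaming the constants to match one provider's spelling.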

              Assignee: Farah Juma (fjuma1@redhat.com)
              Reporter: Martin Choma (mchoma@redhat.com)
              Votes: 0
              Watchers: 1