-
Feature Request
-
Resolution: Done
-
Major
-
None
-
None
-
None
When JBoss EAP 7.2.7 is connecting to a third party client that is running on JDK 6 the following exception is logged:
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
As I understand, SSLv2Hello is used in older JDK versions for the initial handshake message where the SSL version that will be used for the rest of the handshake is negotiated.
It is not possible to add SSLv2Hello to the list of protocols in server-ssl-context due to not being a valid value:
[standalone@localhost:9990 /] /subsystem=elytron/server-ssl-context=my-ssl-context:list-add(name=protocols, value=SSLv2Hello, index=0) { "outcome" => "failed", "failure-description" => "WFLYCTL0129: Invalid value SSLv2Hello for protocols; legal values are [\"SSLv2\", \"SSLv3\", \"TLSv1\", \"TLSv1.1\", \"TLSv1.2\", \"TLSv1.3\"]", "rolled-back" => true }
According to the undertow read-resource-description below, when server-ssl-context is configured in the Elytron subsystem, protocols must be defined in the server-ssl-context and not in the https connector in Undertow ("Where an SSLContext is references it should be configured with the supported protocols."):
/subsystem=undertow/server=default-server/https-listener=https/:read-resource-description(inherited=false,recursive=true,access-control=none)... "enabled-protocols" => { "type" => STRING, "description" => "Configures SSL protocols", "expressions-allowed" => true, "required" => false, "nillable" => true, "alternatives" => ["ssl-context"], "min-length" => 1L, "max-length" => 2147483647L, "deprecated" => { "since" => "4.0.0", "reason" => "Where an SSLContext is references it should be configured with the supported protocols." }, "access-type" => "read-write", "storage" => "configuration", "restart-required" => "all-services" }, ...
It is possible to add SSLv2Hello to the https connector in Undertow with legacy security as per.
- is cloned by
-
WFCORE-5145 Elytron server-ssl-context allowed protocols
- Closed
-
WFLY-13916 Elytron server-ssl-context allowed protocols
- Closed