Loading...

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 12.1.0.Final
Affects Version/s: None
Component/s: None
Labels:
None

Release Note Text:
Undefined
Git Pull Request:
https://github.com/infinispan/infinispan/pull/9174, https://github.com/infinispan/infinispan/pull/9176

Description

The requirement is to disable tls 1.1 and only enable tls 1.2. Also it should be possible to set custom ciphers

1. Edit infinispan.xml like below and save.
~~~
<server-identities>
<ssl>
<keystore path="application.keystore" relative-to="infinispan.server.config.path"
keystore-password="password" alias="server" key-password="password"
generate-self-signed-certificate-host="localhost"/>
<engine enabled-protocols="TLSv1.2"/>
</ssl>
</server-identities>
~~~
2. Try to connect to tls_1.1 and tls_1.2. It will connect to both protocol.

OBSERVATION:

>> Connecting to tls_1.1
TLS_1.1
~~~
[gaurkuma@gaurkuma bin]$ openssl s_client -connect 127.0.0.1:11222 -tls1_1
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
—
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
—
Server certificate
----~~BEGIN CERTIFICATE~~----
MIICqDCCAZKgAwIBAgIIb4j+s3lnonswCwYJKoZIhvcNAQELMBQxEjAQBgNVBAMT
CWxvY2FsaG9zdDAiGA8yMDIxMDIyNjA1MjM0NloYDzIwMzEwMjI0MDUyMzQ2WjAU
MRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCupTvqFIP3XkCxl6iqoBcWqEP8G7HEEovacbzxUqHobijrqgsUzpya5+Ez
R4SMZ1VdhFAidZLdFSLQmKBXOTjybVeMbIB2gyeSWkHskJ6rGY5xIzqY0lmRZY5j
kwZYeIyf4pLNAo5PHe86+PYaKUzy3lliVCrNJXIpQqx+K+HfNVcALIdmmodndca7
g/tNQn0GXSqIg3DWpNhw2GamSTlBSk2p7MsMenLmRpjd1CzcmfGCiNvKB+I/Vy5Q
+Zqqt+UzPo6sE9RjaEorWqvpIrKKNN9VzmGbkRgpj3cT7XZarx2qeKJDlYGgdH7X
0LXezpVhxBkfID3Osq9a9TmTHPFpAgMBAAEwCwYJKoZIhvcNAQELA4IBAQAUTpBH
TCCz061nF/k6X5L1bBtSRFVMCGM9lCGDWwgHg8vz5Ceo6cudiTZkNCcIZ8qBP9LQ
qDOGGpcuqd8khgyFloVnzTnCtjFSotgEdUml4FUtizF6AaiQRbwdyXA5MA7joERT
zDXEcBtY8CXydRbTp77azQmvk+gmxyKN0iuZNPUBiMhXH8DMWb40MbVtZzivi4oA
49nZ851sjAd3WJ8YdXwFmeMknFP4zG3AOKL9xDNY/sO3r2m8Kn0dk26HoM29wh6O
rEmLr51EstOUAh+CPXfd1kHmtMDQggUSYxxWy5RK9bhmXJSUUC0QRF4RL+aQbOVU
dg40JlU0o2gSXx4C
----~~END CERTIFICATE~~----
subject=/CN=localhost
issuer=/CN=localhost
—
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
—
SSL handshake has read 1190 bytes and written 331 bytes
—
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: EB0B45F77B93B7C5AD774646844D934D93EC58C7666DAFBCB375E62645D6AD9E
Session-ID-ctx:
Master-Key: 3748FB3CF4BB2A2D343833AB19B8ED201866345A066A82392EE15667F5BB1B74EEFA6603DDB01B7CBD70F1B1B217B2BA
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1614322613
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
—
exit
[gaurkuma@gaurkuma bin]$
~~~

>> Connecting to tls_1.2
TLS_1.2
~~~
[gaurkuma@gaurkuma bin]$ openssl s_client -connect 127.0.0.1:11222 -tls1_2
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
—
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
—
Server certificate
----~~BEGIN CERTIFICATE~~----
MIICqDCCAZKgAwIBAgIIb4j+s3lnonswCwYJKoZIhvcNAQELMBQxEjAQBgNVBAMT
CWxvY2FsaG9zdDAiGA8yMDIxMDIyNjA1MjM0NloYDzIwMzEwMjI0MDUyMzQ2WjAU
MRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCupTvqFIP3XkCxl6iqoBcWqEP8G7HEEovacbzxUqHobijrqgsUzpya5+Ez
R4SMZ1VdhFAidZLdFSLQmKBXOTjybVeMbIB2gyeSWkHskJ6rGY5xIzqY0lmRZY5j
kwZYeIyf4pLNAo5PHe86+PYaKUzy3lliVCrNJXIpQqx+K+HfNVcALIdmmodndca7
g/tNQn0GXSqIg3DWpNhw2GamSTlBSk2p7MsMenLmRpjd1CzcmfGCiNvKB+I/Vy5Q
+Zqqt+UzPo6sE9RjaEorWqvpIrKKNN9VzmGbkRgpj3cT7XZarx2qeKJDlYGgdH7X
0LXezpVhxBkfID3Osq9a9TmTHPFpAgMBAAEwCwYJKoZIhvcNAQELA4IBAQAUTpBH
TCCz061nF/k6X5L1bBtSRFVMCGM9lCGDWwgHg8vz5Ceo6cudiTZkNCcIZ8qBP9LQ
qDOGGpcuqd8khgyFloVnzTnCtjFSotgEdUml4FUtizF6AaiQRbwdyXA5MA7joERT
zDXEcBtY8CXydRbTp77azQmvk+gmxyKN0iuZNPUBiMhXH8DMWb40MbVtZzivi4oA
49nZ851sjAd3WJ8YdXwFmeMknFP4zG3AOKL9xDNY/sO3r2m8Kn0dk26HoM29wh6O
rEmLr51EstOUAh+CPXfd1kHmtMDQggUSYxxWy5RK9bhmXJSUUC0QRF4RL+aQbOVU
dg40JlU0o2gSXx4C
----~~END CERTIFICATE~~----
subject=/CN=localhost
issuer=/CN=localhost
—
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
—
SSL handshake has read 1168 bytes and written 415 bytes
—
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 1126F18BC7E15414002F74D4594A7AB64EFFDD0F373B484A8BB2D746FAE878AA
Session-ID-ctx:
Master-Key: 77887195A451D3565B9272C9C4A02D1D1DDDADD58BD04C31BDE26D972DA9164C1209F17F1BA289F6AA0609AFEDC729B4
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1614322598
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
—

exit
~~~

https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html/data_grid_server_guide/securing_access#ssl_identity-server

Attachments

Issue Links

clones

JDG-4375 How to disable tls 1.1 and enable only tls 1.2 in DataGrid 8.1

Closed

SSL Engine does not respect configuration

Details

Description

Attachments

Issue Links

Activity

People

Dates