Uploaded image for project: 'Infinispan'
  1. Infinispan
  2. ISPN-12882

SSL Engine does not respect configuration

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 12.1.0.Final
    • None
    • None
    • None

      The requirement is to disable tls 1.1 and only enable tls 1.2. Also it should be possible to set custom ciphers

      1. Edit infinispan.xml like below and save.
      ~~~
      <server-identities>
      <ssl>
      <keystore path="application.keystore" relative-to="infinispan.server.config.path"
      keystore-password="password" alias="server" key-password="password"
      generate-self-signed-certificate-host="localhost"/>
      <engine enabled-protocols="TLSv1.2"/>
      </ssl>
      </server-identities>
      ~~~
      2. Try to connect to tls_1.1 and tls_1.2. It will connect to both protocol.

      OBSERVATION:

      >> Connecting to tls_1.1
      TLS_1.1
      ~~~
      [gaurkuma@gaurkuma bin]$ openssl s_client -connect 127.0.0.1:11222 -tls1_1
      CONNECTED(00000003)
      depth=0 CN = localhost
      verify error:num=18:self signed certificate
      verify return:1
      depth=0 CN = localhost
      verify return:1

      Certificate chain
      0 s:/CN=localhost
      i:/CN=localhost

      Server certificate
      ----BEGIN CERTIFICATE----
      MIICqDCCAZKgAwIBAgIIb4j+s3lnonswCwYJKoZIhvcNAQELMBQxEjAQBgNVBAMT
      CWxvY2FsaG9zdDAiGA8yMDIxMDIyNjA1MjM0NloYDzIwMzEwMjI0MDUyMzQ2WjAU
      MRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
      AoIBAQCupTvqFIP3XkCxl6iqoBcWqEP8G7HEEovacbzxUqHobijrqgsUzpya5+Ez
      R4SMZ1VdhFAidZLdFSLQmKBXOTjybVeMbIB2gyeSWkHskJ6rGY5xIzqY0lmRZY5j
      kwZYeIyf4pLNAo5PHe86+PYaKUzy3lliVCrNJXIpQqx+K+HfNVcALIdmmodndca7
      g/tNQn0GXSqIg3DWpNhw2GamSTlBSk2p7MsMenLmRpjd1CzcmfGCiNvKB+I/Vy5Q
      +Zqqt+UzPo6sE9RjaEorWqvpIrKKNN9VzmGbkRgpj3cT7XZarx2qeKJDlYGgdH7X
      0LXezpVhxBkfID3Osq9a9TmTHPFpAgMBAAEwCwYJKoZIhvcNAQELA4IBAQAUTpBH
      TCCz061nF/k6X5L1bBtSRFVMCGM9lCGDWwgHg8vz5Ceo6cudiTZkNCcIZ8qBP9LQ
      qDOGGpcuqd8khgyFloVnzTnCtjFSotgEdUml4FUtizF6AaiQRbwdyXA5MA7joERT
      zDXEcBtY8CXydRbTp77azQmvk+gmxyKN0iuZNPUBiMhXH8DMWb40MbVtZzivi4oA
      49nZ851sjAd3WJ8YdXwFmeMknFP4zG3AOKL9xDNY/sO3r2m8Kn0dk26HoM29wh6O
      rEmLr51EstOUAh+CPXfd1kHmtMDQggUSYxxWy5RK9bhmXJSUUC0QRF4RL+aQbOVU
      dg40JlU0o2gSXx4C
      ----END CERTIFICATE----
      subject=/CN=localhost
      issuer=/CN=localhost

      No client certificate CA names sent
      Server Temp Key: ECDH, P-256, 256 bits

      SSL handshake has read 1190 bytes and written 331 bytes

      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
      Server public key is 2048 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
      Protocol : TLSv1.1
      Cipher : ECDHE-RSA-AES256-SHA
      Session-ID: EB0B45F77B93B7C5AD774646844D934D93EC58C7666DAFBCB375E62645D6AD9E
      Session-ID-ctx:
      Master-Key: 3748FB3CF4BB2A2D343833AB19B8ED201866345A066A82392EE15667F5BB1B74EEFA6603DDB01B7CBD70F1B1B217B2BA
      Key-Arg : None
      Krb5 Principal: None
      PSK identity: None
      PSK identity hint: None
      Start Time: 1614322613
      Timeout : 7200 (sec)
      Verify return code: 18 (self signed certificate)

      exit
      [gaurkuma@gaurkuma bin]$
      ~~~

      >> Connecting to tls_1.2
      TLS_1.2
      ~~~
      [gaurkuma@gaurkuma bin]$ openssl s_client -connect 127.0.0.1:11222 -tls1_2
      CONNECTED(00000003)
      depth=0 CN = localhost
      verify error:num=18:self signed certificate
      verify return:1
      depth=0 CN = localhost
      verify return:1

      Certificate chain
      0 s:/CN=localhost
      i:/CN=localhost

      Server certificate
      ----BEGIN CERTIFICATE----
      MIICqDCCAZKgAwIBAgIIb4j+s3lnonswCwYJKoZIhvcNAQELMBQxEjAQBgNVBAMT
      CWxvY2FsaG9zdDAiGA8yMDIxMDIyNjA1MjM0NloYDzIwMzEwMjI0MDUyMzQ2WjAU
      MRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
      AoIBAQCupTvqFIP3XkCxl6iqoBcWqEP8G7HEEovacbzxUqHobijrqgsUzpya5+Ez
      R4SMZ1VdhFAidZLdFSLQmKBXOTjybVeMbIB2gyeSWkHskJ6rGY5xIzqY0lmRZY5j
      kwZYeIyf4pLNAo5PHe86+PYaKUzy3lliVCrNJXIpQqx+K+HfNVcALIdmmodndca7
      g/tNQn0GXSqIg3DWpNhw2GamSTlBSk2p7MsMenLmRpjd1CzcmfGCiNvKB+I/Vy5Q
      +Zqqt+UzPo6sE9RjaEorWqvpIrKKNN9VzmGbkRgpj3cT7XZarx2qeKJDlYGgdH7X
      0LXezpVhxBkfID3Osq9a9TmTHPFpAgMBAAEwCwYJKoZIhvcNAQELA4IBAQAUTpBH
      TCCz061nF/k6X5L1bBtSRFVMCGM9lCGDWwgHg8vz5Ceo6cudiTZkNCcIZ8qBP9LQ
      qDOGGpcuqd8khgyFloVnzTnCtjFSotgEdUml4FUtizF6AaiQRbwdyXA5MA7joERT
      zDXEcBtY8CXydRbTp77azQmvk+gmxyKN0iuZNPUBiMhXH8DMWb40MbVtZzivi4oA
      49nZ851sjAd3WJ8YdXwFmeMknFP4zG3AOKL9xDNY/sO3r2m8Kn0dk26HoM29wh6O
      rEmLr51EstOUAh+CPXfd1kHmtMDQggUSYxxWy5RK9bhmXJSUUC0QRF4RL+aQbOVU
      dg40JlU0o2gSXx4C
      ----END CERTIFICATE----
      subject=/CN=localhost
      issuer=/CN=localhost

      No client certificate CA names sent
      Peer signing digest: SHA512
      Server Temp Key: ECDH, P-256, 256 bits

      SSL handshake has read 1168 bytes and written 415 bytes

      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
      Server public key is 2048 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
      Protocol : TLSv1.2
      Cipher : ECDHE-RSA-AES256-GCM-SHA384
      Session-ID: 1126F18BC7E15414002F74D4594A7AB64EFFDD0F373B484A8BB2D746FAE878AA
      Session-ID-ctx:
      Master-Key: 77887195A451D3565B9272C9C4A02D1D1DDDADD58BD04C31BDE26D972DA9164C1209F17F1BA289F6AA0609AFEDC729B4
      Key-Arg : None
      Krb5 Principal: None
      PSK identity: None
      PSK identity hint: None
      Start Time: 1614322598
      Timeout : 7200 (sec)
      Verify return code: 18 (self signed certificate)

      exit
      ~~~

      https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.1/html/data_grid_server_guide/securing_access#ssl_identity-server

              ttarrant@redhat.com Tristan Tarrant
              rhn-support-gaurkuma Gaurav Kumar (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: