Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10396

Elytron, it is not possible to use OpenSSL provider for TLS when in FIPS mode

XMLWordPrintable

    • Hide
      • elytron ssl context used to configure TLS.
      • FIPS PKCS11 keystore used
      • OpenSSL provider registered before Elytron provider 
                 <subsystem xmlns="urn:wildfly:elytron:1.0" initial-providers="combined-providers">
            <providers>
                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
                <provider-loader name="openssl" module="org.wildfly.openssl"/>
                <aggregate-providers name="combined-providers">
                    <providers name="openssl"/>
                    <providers name="elytron"/>
                </aggregate-providers>
      Show
      elytron ssl context used to configure TLS. FIPS PKCS11 keystore used OpenSSL provider registered before Elytron provider <subsystem xmlns= "urn:wildfly:elytron:1.0" initial-providers= "combined-providers" > <providers> <provider-loader name= "elytron" module= "org.wildfly.security.elytron" /> <provider-loader name= "openssl" module= "org.wildfly.openssl" /> <aggregate-providers name= "combined-providers" > <providers name= "openssl" /> <providers name= "elytron" /> </aggregate-providers>

      User impact: In FIPS mode user can't use OpenSSL provider for TLS. User can still use "standard" JSSE TLS - that works just fine.

      • OpenSSL TLS is considered to have better performance than java JSSE implementation
      • I believe OpenSSL provider is also currently prerequisite for HTTP/2
      [Host Controller] 14:50:45,678 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.ssl-context.oneWaySSC: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.oneWaySSC: Failed to start service
[Host Controller] 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
[Host Controller] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[Host Controller] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[Host Controller] 	at java.lang.Thread.run(Thread.java:745)
[Host Controller] Caused by: java.lang.RuntimeException: java.lang.NullPointerException
[Host Controller] 	at org.wildfly.openssl.OpenSSLContextSPI.init(OpenSSLContextSPI.java:249)
[Host Controller] 	at org.wildfly.openssl.OpenSSLContextSPI.engineInit(OpenSSLContextSPI.java:319)
[Host Controller] 	at javax.net.ssl.SSLContext.init(SSLContext.java:282)
[Host Controller] 	at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:345)
[Host Controller] 	at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:45)
[Host Controller] 	at org.wildfly.extension.elytron.SSLDefinitions$4.lambda$getValueSupplier$1(SSLDefinitions.java:730)
[Host Controller] 	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
[Host Controller] 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
[Host Controller] 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
[Host Controller] 	... 3 more
[Host Controller] Caused by: java.lang.NullPointerException
[Host Controller] 	at java.util.Base64$Encoder.encode(Base64.java:261)
[Host Controller] 	at java.util.Base64$Encoder.encodeToString(Base64.java:315)
[Host Controller] 	at org.wildfly.openssl.OpenSSLContextSPI.init(OpenSSLContextSPI.java:199)
[Host Controller] 	... 11 more

              rhn-support-pnag Priyanka Nag
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: