Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12308

Reverse proxy does not work with openssl provider used

    XMLWordPrintable

Details

    • Documentation (Ref Guide, User Guide, etc.)
    • Hide

      We need to have an EAP worker and an EAP proxy servers:

      1. worker
        unzip EAP
        generate neccessary keystores in standalone/configuration directory:
        EAP - worker
        keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret
keytool -exportcert  -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer
keytool -exportcert  -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer
keytool -importcert -noprompt -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer
keytool -importcert -noprompt -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer
keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias client -destalias client -srcstorepass secret
keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias localhost -destalias localhost -srcstorepass secret

        configure two-way ssl in EAP CLI:

        /subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
/subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC)
run-batch
      2. proxy
        copy client.keystore.jks and client.truststore.jks from EAP - worker to EAP - proxy standalone/configuration directory
        Configure two way ssl in EAP CLI:
        EAP - proxy
        /subsystem=elytron/key-store=twoWayKS:add(path=client.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-store=twoWayTS:add(path=client.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm="SunX509")
/subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC)
run-batch

        Configure reverse-proxy in EAP CLI:

        /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket:add(host=localhost,port=8443)
/subsystem=undertow/configuration=handler/reverse-proxy=my-proxy:add()
/subsystem=undertow/configuration=handler/reverse-proxy=my-proxy/host=localhost:add(outbound-socket-binding=my-socket,ssl-context=twoWaySSC,scheme=https)
/subsystem=undertow/server=default-server/host=default-host/location=\/proxy:add(handler=my-proxy)
      3. start EAP - worker 
        ./bin/standalone.sh
      4. start EAP - proxy 
        ./bin/standalone.sh -Djboss.socket.binding.port-offset=1000
      5. import certificate to your client (beware - with this configuration you actually want to import server.p12)
      6. perform request to https://localhost:9443/proxy
      7. see 503 - Service Unavailable response from proxy
      Show
      We need to have an EAP worker and an EAP proxy servers: worker unzip EAP generate neccessary keystores in standalone/configuration directory: EAP - worker keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -validity 365 -keystore client.keystore.jks -dname "CN=client" -keypass secret -storepass secret keytool -exportcert -keystore server.keystore.jks -alias localhost -keypass secret -storepass secret -file server.cer keytool -exportcert -keystore client.keystore.jks -alias client -keypass secret -storepass secret -file client.cer keytool -importcert -noprompt -keystore server.truststore.jks -storepass secret -alias client -trustcacerts -file client.cer keytool -importcert -noprompt -keystore client.truststore.jks -storepass secret -alias localhost -trustcacerts -file server.cer keytool -importkeystore -srckeystore client.keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias client -destalias client -srcstorepass secret keytool -importkeystore -srckeystore server.keystore.jks -destkeystore server.p12 -srcstoretype JKS -deststoretype PKCS12 -deststorepass secret -destkeypass secret -srcalias localhost -destalias localhost -srcstorepass secret configure two-way ssl in EAP CLI: /subsystem=elytron/key-store=twoWayKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=server.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm= "SunX509" ) /subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=[ "TLSv1.2" ],trust-manager=twoWayTM,need-client-auth= true ) batch /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC) run-batch proxy copy client.keystore.jks and client.truststore.jks from EAP - worker to EAP - proxy standalone/configuration directory Configure two way ssl in EAP CLI: EAP - proxy /subsystem=elytron/key-store=twoWayKS:add(path=client.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-store=twoWayTS:add(path=client.truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS,algorithm= "SunX509" ) /subsystem=elytron/server-ssl-context=twoWaySSC:add(providers=openssl,key-manager=twoWayKM,protocols=[ "TLSv1.2" ],trust-manager=twoWayTM,need-client-auth= true ) batch /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC) run-batch Configure reverse-proxy in EAP CLI: /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=my-socket:add(host=localhost,port=8443) /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy:add() /subsystem=undertow/configuration=handler/reverse-proxy=my-proxy/host=localhost:add(outbound-socket-binding=my-socket,ssl-context=twoWaySSC,scheme=https) /subsystem=undertow/server= default -server/host= default -host/location=\/proxy:add(handler=my-proxy) start EAP - worker ./bin/standalone.sh start EAP - proxy ./bin/standalone.sh -Djboss.socket.binding.port-offset=1000 import certificate to your client (beware - with this configuration you actually want to import server.p12) perform request to https://localhost:9443/proxy see 503 - Service Unavailable response from proxy

    Description

      Reverse proxy in Undertow does not work with OpenSSL provider configured. Follow Steps to Reproduce section to configure and check error. On proxy there is following exception logged:

      18:27:26,640 FINE  [org.wildfly.openssl.OpenSSLEngine] (default I/O-12) The version of SSL in use does not support cipher ordering
18:27:26,642 DEBUG [io.undertow.request] (default I/O-12) Matched prefix path /proxy for path /proxy
18:27:26,643 FINE  [org.wildfly.openssl.OpenSSLEngine] (default I/O-12) The version of SSL in use does not support cipher ordering
18:27:26,644 DEBUG [io.undertow.request] (default I/O-12) Failed to connect: java.io.IOException: java.lang.UnsupportedOperationException
        at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:328)
        at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:306)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:330)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
Caused by: java.lang.UnsupportedOperationException
        at org.wildfly.openssl.OpenSSLEngine.setUseClientMode(OpenSSLEngine.java:1062)
        at org.xnio.ssl.JsseSslUtils.createSSLEngine(JsseSslUtils.java:148)
        at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:321)
        ... 4 more

      Worker does not log anything important. When standard jsse provider is configured on proxy

      /subsystem=elytron/server-ssl-context=twoWaySSC:undefine-attribute(name=providers)

      proxying starts to work and one can see EAPs welcome page.

      Attachments

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11599 OpenSSL client ignores certificate validation result

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: