  1. JBoss Enterprise Application Platform
  2. JBEAP-15125

Incomplete update of wildfly-openssl libraries in EAP7.1.3 leads to inability to use OpenSSL with EAP


Details

    • Bug
    • Resolution: Done
    • Blocker
    • 7.1.4.GA
    • 7.1.3.GA
    • RPM
    • None
    • Steps to Reproduce:
      1. install EAP7.1.3 from RPM repository
      2. try to configure the OpenSSL provider in Elytron:
        /subsystem=elytron/key-store=sslKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
        /subsystem=elytron/key-manager=sslKM:add(key-store=sslKS,algorithm="SunX509",credential-reference={clear-text=secret})
        /subsystem=elytron/server-ssl-context=sslSSC:add(providers=openssl,key-manager=sslKM,protocols=["TLSv1.2"])
        {
            "outcome" => "failed",
            "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.sslSSC" => "Failed to start service
            Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: Invalid key type
            Caused by: java.lang.IllegalStateException: Invalid key type"}},
            "rolled-back" => true
        }
        
      3. see errors in server.log

    Description

      It looks like after the latest EAP7.1.3.CP release there has been an incomplete update of the wildfly-openssl libraries. See which packages have been installed on the machine using the jb-eap-7.1-for-rhel-7-server-rpms RPM repository:

      # rpm -qa | grep "eap7.*openssl"
      eap7-wildfly-openssl-java-1.0.6-1.Final_redhat_1.1.ep7.el7.noarch
      eap7-wildfly-openssl-linux-1.0.2-13.Final_redhat_1.1.ep7.el7.x86_64
      eap7-wildfly-openssl-1.0.6-1.Final_redhat_1.1.ep7.el7.noarch
      

      Looking at the list of packages in the repository itself, it looks like the latest version of the eap7-wildfly-openssl-linux package is really missing:

      eap7-wildfly-openssl-1.0.2-1.Final_redhat_1.1.ep7.el6.noarch.rpm	28-Nov-2017 07:06	4.3K	RPM package file
      eap7-wildfly-openssl-1.0.6-1.Final_redhat_1.1.ep7.el6.noarch.rpm	22-Jun-2018 08:45	4.4K	RPM package file
      eap7-wildfly-openssl-java-1.0.2-1.Final_redhat_1.1.ep7.el6.noarch.rpm	28-Nov-2017 07:06	235K	RPM package file
      eap7-wildfly-openssl-java-1.0.6-1.Final_redhat_1.1.ep7.el6.noarch.rpm	22-Jun-2018 08:44	240K	RPM package file
      eap7-wildfly-openssl-linux-1.0.2-13.Final_redhat_1.1.ep7.el6.i686.rpm	28-Nov-2017 07:07	24K	RPM package file
      

      This inconsistency leads to the inability to use OpenSSL with EAP, see the Steps to Reproduce section. The server log contains the following errors:

      2018-07-25 07:08:46,422 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service org.wildfly.security.ssl-context.sslSSC: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.sslSSC: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
              at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:921)
              at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at java.lang.Thread.run(Thread.java:748)
      Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
              at org.wildfly.security.ssl.SSLUtils.lambda$createSslContextFactory$1(SSLUtils.java:130)
              at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:338)
              at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:45)
              at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:919)
              ... 6 more
      
      2018-07-25 07:08:46,427 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add") failed - address: ([
          ("subsystem" => "elytron"),
          ("server-ssl-context" => "sslSSC")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.sslSSC" => "java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
          Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria"}}
      2018-07-25 07:09:00,422 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service org.wildfly.security.ssl-context.sslSSC: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.sslSSC: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
              at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:921)
              at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at java.lang.Thread.run(Thread.java:748)
      Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
              at org.wildfly.security.ssl.SSLUtils.lambda$createSslContextFactory$1(SSLUtils.java:130)
              at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:338)
              at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:45)
              at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:919)
              ... 6 more
      
      2018-07-25 07:09:00,425 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 3) WFLYCTL0013: Operation ("add") failed - address: ([
          ("subsystem" => "elytron"),
          ("server-ssl-context" => "sslSSC")
      ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.sslSSC" => "java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
          Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria"}}
      

      This problem applies to all platforms with regard to the RPM distribution - thus RHEL7 x86_64, RHEL6 x86_64 and i386.


      A possible workaround can be used:

      • locate the file libwfssl.so in your EAP installation and replace it with the same file from the EAP7.1.3 zip archive distribution, e.g.:
        cp /tmp/jboss-eap-7.1/modules/system/layers/base/org/wildfly/openssl/main/lib/linux-x86_64/libwfssl.so /opt/rh/eap7/root/usr/share/wildfly/modules/system/layers/base/org/wildfly/openssl/main/lib/linux-x86_64/libwfssl.so
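
A consistency check for the package mismatch described in this report, added here as an example (it is not part of the original issue or of any Red Hat tooling): it parses `rpm -qa` style lines and flags when eap7-wildfly-openssl-java and eap7-wildfly-openssl-linux are at different versions. Treating equal versions as the healthy state is an assumption; the function names and the second sample are constructed.

```shell
#!/bin/sh
# Added example: detect a version mismatch between the Java and native
# wildfly-openssl RPMs, reading `rpm -qa` style lines on stdin.

# Print "<name> <version>" for each eap7-wildfly-openssl* package line.
# Lines are name-version-release.arch; the version is the second-to-last
# '-' separated field and the name is everything before it.
wfssl_versions() {
    awk -F- '/^eap7-wildfly-openssl/ && NF >= 3 {
        name = $1
        for (i = 2; i <= NF - 2; i++) name = name "-" $i
        print name, $(NF - 1)
    }'
}

# Return 0 if the java and linux package versions match (assumed healthy),
# 1 on mismatch, 2 if either package is absent from the input.
check_wfssl_consistency() {
    versions=$(wfssl_versions)
    java=$(printf '%s\n' "$versions" | awk '$1 == "eap7-wildfly-openssl-java" {print $2; exit}')
    native=$(printf '%s\n' "$versions" | awk '$1 == "eap7-wildfly-openssl-linux" {print $2; exit}')
    if [ -z "$java" ] || [ -z "$native" ]; then
        echo "wildfly-openssl: java='$java' native='$native' (package missing)" >&2
        return 2
    fi
    if [ "$java" != "$native" ]; then
        echo "MISMATCH: openssl-java $java vs openssl-linux $native" >&2
        return 1
    fi
    echo "OK: wildfly-openssl java and native both at $java"
    return 0
}

# Package list quoted in the report above (EAP 7.1.3 installed from RPM).
REPORTED='eap7-wildfly-openssl-java-1.0.6-1.Final_redhat_1.1.ep7.el7.noarch
eap7-wildfly-openssl-linux-1.0.2-13.Final_redhat_1.1.ep7.el7.x86_64
eap7-wildfly-openssl-1.0.6-1.Final_redhat_1.1.ep7.el7.noarch'

# Constructed sample of a consistent install (release strings are made up).
CONSISTENT='eap7-wildfly-openssl-java-1.0.6-1.example.noarch
eap7-wildfly-openssl-linux-1.0.6-1.example.x86_64'

# On a live system: rpm -qa | check_wfssl_consistency
```
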
        

          People

            permaine Permaine Cheung
            jstourac@redhat.com Jan Stourac