Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-16425

(7.2.z) WFLY-11640 - WFSSL-10 - NPE with wildfly-openssl using OpenSSL 1.1.1a

    Details

    • Target Release:
    • Steps to Reproduce:
      Hide
      1. start eap with path to OpenSSL 1.1.1a, e.g.:
        ./bin/standalone.sh -Dorg.wildfly.openssl.path=/tmp/openssl-1.1.1a/
        
      2. configure tls provider via CLI:
        /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLSv1.2)
        reload
        
      3. see NPE during ciphers initialization in server.log
      4. perform request to server, e.g. curl -k https://localhost:8443 and see another NPE
      Show
      start eap with path to OpenSSL 1.1.1a, e.g.: ./bin/standalone.sh -Dorg.wildfly.openssl.path=/tmp/openssl-1.1.1a/ configure tls provider via CLI: /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLSv1.2) reload see NPE during ciphers initialization in server.log perform request to server, e.g. curl -k https://localhost:8443 and see another NPE
    • QE Test Coverage:
      +

      Description

      It is impossible to use wildfly-openssl binding with OpenSSL 1.1.1a (RHEL8 uses 1.1.1 at the moment but there seems to be same issue). There is an NPE during the ciphersuites initialization:

      9:10:58,330 WARNING [org.wildfly.openssl.OpenSSLContextSPI] (MSC service thread 1-3) WFOPENSSL0014 Failed to initialize ciphers: java.lang.NullPointerException
      	at org.wildfly.openssl.CipherSuiteConverter.toJava(CipherSuiteConverter.java:284)
      	at org.wildfly.openssl.OpenSSLContextSPI.getAvailableCipherSuites(OpenSSLContextSPI.java:109)
      	at org.wildfly.openssl.OpenSSLEngine.getSupportedCipherSuites(OpenSSLEngine.java:711)
      	at org.wildfly.openssl.OpenSSLSocket.getSupportedCipherSuites(OpenSSLSocket.java:163)
      	at javax.net.ssl.SSLContextSpi.engineGetSupportedSSLParameters(SSLContextSpi.java:194)
      	at javax.net.ssl.SSLContext.getSupportedSSLParameters(SSLContext.java:436)
      	at org.jboss.as.domain.management.security.SSLContextService.wrapSslContext(SSLContextService.java:116)
      	at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:102)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
      	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
      	at java.lang.Thread.run(Thread.java:748)
      

      and then there is NPE during the request itself:

      19:12:18,417 ERROR [org.xnio.listener] (default I/O-2) XNIO001007: A channel event listener threw an exception: java.lang.NullPointerException
      	at org.wildfly.openssl.CipherSuiteConverter.toJava(CipherSuiteConverter.java:284)
      	at org.wildfly.openssl.OpenSSLEngine.toJavaCipherSuite(OpenSSLEngine.java:1094)
      	at org.wildfly.openssl.OpenSSLEngine.getEnabledCipherSuites(OpenSSLEngine.java:729)
      	at org.wildfly.openssl.OpenSSLContextSPI.getCiphers(OpenSSLContextSPI.java:339)
      	at org.wildfly.openssl.OpenSSLEngine.getEnabledCipherSuites(OpenSSLEngine.java:720)
      	at io.undertow.server.protocol.http.AlpnOpenListener.engineSupportsHTTP2(AlpnOpenListener.java:324)
      	at io.undertow.server.protocol.http.AlpnOpenListener$1.apply(AlpnOpenListener.java:239)
      	at io.undertow.server.protocol.http.AlpnOpenListener$1.apply(AlpnOpenListener.java:235)
      	at io.undertow.server.protocol.http.AlpnOpenListener$SSLConduitUpdater.apply(AlpnOpenListener.java:430)
      	at io.undertow.server.protocol.http.AlpnOpenListener$SSLConduitUpdater.apply(AlpnOpenListener.java:419)
      	at io.undertow.protocols.alpn.DefaultAlpnEngineManager.registerEngine(DefaultAlpnEngineManager.java:31)
      	at io.undertow.protocols.alpn.ALPNManager.registerEngineCallback(ALPNManager.java:80)
      	at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:235)
      	at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:64)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
      	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:131)
      	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
      

      Looking briefly into it, the cipher that is trying to be used is TLS_AES_256_GCM_SHA384. It is interesting that this cipher has underscores '_' in its name instead of hyphens '-' as most of the openssl ciphers have. Looks like these were added in the sake of TLSv1.3, see here.


      Note: results are pretty much same when using elytron security subsystem instead, see this comment.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  iweiss Ingo Weiss
                  Reporter:
                  jstourac Jan Stourac
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  10 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: