Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-17638

(7.3.z) Enabling one-way ssl using elytron with key length < 2048 returns non user friendly error message

XMLWordPrintable

    • +
    • Hide
      1. download JBoss EAP, unzip and move in the bin dir:
        $ cd jboss-eap-7.3/bin
        
      2. create a keystore
        $ keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ../standalone/configuration/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
        
      3. try to configure OpenSSL provider for SSL connections with previously generated keystore file
        $ jboss-cli.sh --error-on-interact --connect --commands="/subsystem=elytron/key-store=sslKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)"
        $ jboss-cli.sh --error-on-interact --connect --commands="/subsystem=elytron/key-manager=sslKM:add(key-store=sslKS,algorithm="SunX509",credential-reference={clear-text=secret})"
        $ jboss-cli.sh --error-on-interact --connect --commands="/subsystem=elytron/server-ssl-context=sslSSC:add(providers=openssl,key-manager=sslKM,protocols=["TLSv1.2"])"
        
      4. see error in the server.log file
      Show
      download JBoss EAP, unzip and move in the bin dir: $ cd jboss-eap-7.3/bin create a keystore $ keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ../standalone/configuration/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret try to configure OpenSSL provider for SSL connections with previously generated keystore file $ jboss-cli.sh --error-on-interact --connect --commands= "/subsystem=elytron/key-store=sslKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)" $ jboss-cli.sh --error-on-interact --connect --commands= "/subsystem=elytron/key-manager=sslKM:add(key-store=sslKS,algorithm=" SunX509 ",credential-reference={clear-text=secret})" $ jboss-cli.sh --error-on-interact --connect --commands= "/subsystem=elytron/server-ssl-context=sslSSC:add(providers=openssl,key-manager=sslKM,protocols=[" TLSv1.2 "])" see error in the server.log file

      When enabling SSL/TLS via OpenSSL provider using the Elytron subsystem, we've ran into following issue:

      server.log
      10:04:39,169 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.security.ssl-context.sslSSC: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.sslSSC: Failed to start service
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1729)
      	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: Error setting certificate (%s)
      	at org.wildfly.openssl.OpenSSLContextSPI.init(OpenSSLContextSPI.java:278)
      	at org.wildfly.openssl.OpenSSLContextSPI.engineInit(OpenSSLContextSPI.java:358)
      	at javax.net.ssl.SSLContext.init(SSLContext.java:282)
      	at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:371)
      	at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
      	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:1043)
      	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)
      	... 6 more
      Caused by: java.lang.IllegalStateException: Error setting certificate (%s)
      	at org.wildfly.openssl.SSLImpl.setCertificate0(Native Method)
      	at org.wildfly.openssl.SSLImpl.setCertificate(SSLImpl.java:598)
      	at org.wildfly.openssl.OpenSSLContextSPI.init(OpenSSLContextSPI.java:225)
      	... 14 more
      

      This error occured only on RHEL8 system. It turned out that root cause is a certificate we create like this:

      keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ../standalone/configuration/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
      

      Although, system OpenSSL on RHEL8 is much stricter and key length 1024 is not strong enough. One needs to use longer keysize obviously since when we used 2048 keylength, all started to work.

      This issue is about making this problem more visible to user from the log message in server.log file that is shown before. Also notice that there is a '%s' placeholder, which looks like it should be replaced by some actual error message but it was not.

              rhn-support-rmartinc Ricardo Martin Camarero
              fburzigo Fabio Burzigotti
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: