Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Minor
Fix Version/s: 7.1.0.DR6, 7.1.1.CR1, 7.1.1.GA
Affects Version/s: 7.0.0.ER2 (Beta)
Component/s: Security
Labels:
None

Target Release:

7.1.z.GA
Steps to Reproduce:
Hide

1. configure https using SSL

<https-listener name="https" enabled-cipher-suites="SSL_RSA_WITH_AES_128_CBC_SHA" security-realm="ciphers-test-realm" socket-binding="https"/>

2. during wildfly startup there is error: ELY05017: Token "SSL_RSA_WITH_AES_128_CBC_SHA" not allowed
Show
1. configure https using SSL <https-listener name= "https" enabled-cipher-suites= "SSL_RSA_WITH_AES_128_CBC_SHA" security-realm= "ciphers-test-realm" socket-binding= "https" /> 2. during wildfly startup there is error: ELY05017: Token "SSL_RSA_WITH_AES_128_CBC_SHA" not allowed

Sprint:
EAP 7.1.1

SFDC Cases Counter:
SFDC Cases Links:

Description

Creating this issue mainly because of fact that it was working in EAP6. Nobody should use SSL anymore, but when someone is for any reason using these cipher suites and wants to migrate to EAP7 he will have to change enabled cipher suites.

Problem occures with these cipher suites:
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_AES_256_CBC_SHA

Whole error stacktrace:

14:51:48,080 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.undertow.listener.https: org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.lang.Thread.run(Thread.java:785)
Caused by: java.lang.IllegalArgumentException: ELY05017: Token "SSL_RSA_WITH_AES_128_CBC_SHA" not allowed at offset 28 of mechanism selection string "SSL_RSA_WITH_AES_128_CBC_SHA"
	at org.wildfly.security.ssl.CipherSuiteSelector.fromString(CipherSuiteSelector.java:399)
	at org.wildfly.extension.undertow.HttpsListenerService.startListening(HttpsListenerService.java:125)
	at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:138)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
	... 3 more

14:51:48,085 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "undertow"),
    ("server" => "default-server"),
    ("https-listener" => "https")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.listener.https" => "org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
    Caused by: java.lang.IllegalArgumentException: ELY05017: Token \"SSL_RSA_WITH_AES_128_CBC_SHA\" not allowed at offset 28 of mechanism selection string \"SSL_RSA_WITH_AES_128_CBC_SHA\""}}

[1] http://stackoverflow.com/questions/24306468/tls-rsa-with-aes-128-cbc-sha-and-ssl-rsa-with-aes-128-cbc-sha

Attachments

Issue Links

is related to

JBEAP-5484 (7.1.0) There is not possibility to use alternative JSSE Cipher Suite Names for IBM JDK

Verified

Activity

People

Assignee:: Ilia Vassilev

Reporter:: Martin Choma

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 2015/12/01 9:05 AM

Updated:: 2021/10/24 5:19 AM

Resolved:: 2018/01/18 1:49 PM