Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: 7.4.21.GA
Affects Version/s: 7.4.18.GA
Component/s: Undertow
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.4.z.GA
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

AlpnOpenListener requires TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. So http/2 is not offered if this is removed from the enabled-cipher-suites.

For example, configure a https-listener like below:

<https-listener name="https" socket-binding="https" verify-client="REQUESTED" security-realm="ApplicationRealm" enable-http2="true" enabled-cipher-suites="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>

And then note client requests are only HTTP/1.1 and not HTTP/2. That's consistently reproduced and clear to see there is then no alpn info in the server hello with ssl debug:

2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) javax.net.ssl|FINE|6E|default I/O-10|2024-07-23 13:09:32.198 EDT|ServerHello.java:365|Produced ServerHello handshake message (
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "ServerHello": {
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "server version"      : "TLSv1.2",
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "random"              : "19 78 CD 87 AE 39 8B 17 AB 93 5D FA 20 E4 06 47 BA A9 9D 29 17 5D 7F DC CB F5 09 F8 4A 73 E4 72",
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "session id"          : "35 B6 6C 91 45 67 55 CF 63 4A 06 B2 3E 2C 7C 02 CF 4E 81 BD E1 0A 11 DF D4 E2 9E 70 FD 71 15 CB",
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "compression methods" : "00",
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "extensions"          : [
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)     "extended_master_secret (23)": {
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)       <empty>
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)     },
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)     "renegotiation_info (65,281)": {
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)       "renegotiated connection": [<no renegotiated connection>]
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)     }
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   ]
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) }
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) )

clones

UNDERTOW-2434 AlpnOpenListener requires TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Open

is caused by

UNDERTOW-896 HTTP/2 should not be offered as an option if TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is not present

Resolved

Assignee:: Flavia Rainone

Reporter:: Aaron Ogburn

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/08/29 5:44 PM

Updated:: 2024/10/16 11:34 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates