Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-5931

Elytron introduces SSL/TLS protocol constraints

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 7.1.0.DR8
    • 7.1.0.DR4
    • Security
    • None

    Description

                             "protocols" => {
                            "type" => LIST,
                            "description" => "The enabled protocols.",
                            "expressions-allowed" => true,
                            "nillable" => false,
                            "allowed" => [
                                "SSLv2",
                                "SSLv3",
                                "TLSv1",
                                "TLSv1_1",
                                "TLSv1_2",
                                "TLSv1_3"
                            ],
                            "value-type" => STRING,
                            "access-type" => "read-write",
                            "storage" => "configuration",
                            "restart-required" => "resource-services"
                        },

      Why elytron on this place is going to validate user input and map standard java values [1] into proprietary values?
      Whereas on other similar places (KeyManager algorithm, TrustManager algorithm, Keystore types) it leaves up to user to set proper value.
      IMO, with such mapping another place, where bugs can raise was introduced. EAP will be here always one step back compared to java.

      Note, IBM java already today defines little bit different protocols set [2]

      I wonder, where is that mapping "TLSv1_2 -> TLSv1.2" acually performed? I couldn't find that place.

      [1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
      [2] http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/protocols.html

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. ELY-627 Elytron introduces SSL/TLS protocol constraints

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-7024 Upgrade to Elytron subsystem 1.0.0.Alpha13

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: