Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-6774

wildfly-openssl - https with custom cipher

XMLWordPrintable

    • Hide
      1. unzip eap
      2. ./bin/standalone.sh
      3. /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)
      4. /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=enabled-cipher-suites,value=[ALL_ECDHE_RSA_WITH_AES_128_GCM_SHA256])
      5. reload
      6. perform request to https://localhost:8443 from browser or via curl --insecure --http2 https://localhost:8443
      Show
      unzip eap ./bin/standalone.sh /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=enabled-cipher-suites,value=[ALL_ECDHE_RSA_WITH_AES_128_GCM_SHA256]) reload perform request to https://localhost:8443 from browser or via curl --insecure --http2 https://localhost:8443

      I tried to set custom cipher for SSL on the EAP server. I checked via Wireshark what cipher is negotiated between Chrome and EAP server when JSSE is in place and picked that cipher - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

      First I checked that my openssl knows it:

      $ openssl ciphers | grep ECDHE-RSA-AES128-GCM-SHA256
      ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
      

      Then I set 'openssl.TLS' protocol and enabled only ALL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher (see 'Steps for reproduction' for more info) and performed request to server both from Chrome 54 and from curl, following exception is printed in server.log:

      16:48:30,721 ERROR [org.xnio.listener] (default I/O-6) XNIO001007: A channel event listener threw an exception: java.lang.IllegalStateException: Failed cypher suite ALL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      	at org.wildfly.openssl.OpenSSLEngine.setEnabledCipherSuites(OpenSSLEngine.java:704)
      	at org.jboss.as.domain.management.security.WrapperSSLContext$WrapperSpi.setSslParams(WrapperSSLContext.java:84)
      	at org.jboss.as.domain.management.security.WrapperSSLContext$WrapperSpi.engineCreateSSLEngine(WrapperSSLContext.java:78)
      	at javax.net.ssl.SSLContext.createSSLEngine(SSLContext.java:361)
      	at io.undertow.protocols.ssl.UndertowAcceptingSslChannel.accept(UndertowAcceptingSslChannel.java:139)
      	at io.undertow.protocols.ssl.UndertowAcceptingSslChannel.accept(UndertowAcceptingSslChannel.java:56)
      	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:289)
      	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:128)
      	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
      Caused by: java.lang.IllegalStateException: error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command
      	at org.wildfly.openssl.SSLImpl.setCipherSuites0(Native Method)
      	at org.wildfly.openssl.SSLImpl.setCipherSuites(SSLImpl.java:423)
      	at org.wildfly.openssl.OpenSSLEngine.setEnabledCipherSuites(OpenSSLEngine.java:702)
      	... 13 more
      

      Are cipher names ALL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and ECDHE-RSA-AES128-GCM-SHA256 actually reffering to the same cipher?

      My expectation was this configuration should work as both client knows this cipher (Chrome can use it when EAP is using JSSE) and my OpenSSL also lists it among available ciphers (thus I believe EAP with 'openssl.TLS' should also know it). Is there something wrong in my expectation?

            sdouglas1@redhat.com Stuart Douglas
            jstourac@redhat.com Jan Stourac
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: