Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-8964

wildfly-openssl - server choose h2 even when lower than TLSv1.2 is used

XMLWordPrintable

    • Hide
      1. Unzip EAP and start it with OpenSSL libs provided
      2. configure openssl.TLSv1 protocol attribute in /core-service=management/security-realm=ApplicationRealm/server-identity=ssl
      3. reload
      4. perform https request from client that offers h2 protocol in ALPN client_hello field and also restricts weak ciphersuites used (Firefox, Chrome,...)
      5. see NS_ERROR_NET_INADEQUATE_SECURITY
      Show
      Unzip EAP and start it with OpenSSL libs provided configure openssl.TLSv1 protocol attribute in /core-service=management/security-realm=ApplicationRealm/server-identity=ssl reload perform https request from client that offers h2 protocol in ALPN client_hello field and also restricts weak ciphersuites used (Firefox, Chrome,...) see NS_ERROR_NET_INADEQUATE_SECURITY

      I have configured EAP server so it accepts HTTP2 via TLS, is started with OpenSSL libs provided and set openssl.TLS value in /core-service=management/security-realm=ApplicationRealm/server-identity=ssl[protocol] attribute. Then HTTP2 requests from Firefox and Chrome work just fine. But when I setup openssl.TLSv1 protocol attributre value instead, after server reload I get NS_ERROR_NET_INADEQUATE_SECURITY from Firefox and ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY from Chrome.

      I think that reason is that server provides h2 protocol in ALPN in server_hello response. This should not be there AFAIK as h2 should be allowed only with TLSv1.2+ as is described here. I think that as client proposed both h2 and http/1.1, server should choose http/1.1 protocol for communication in situation when TLSv1.1 and lower is utilized.

      Pcap in attachement (password for server key is 'password').

      Note: this is not fixed even when I set 'enabled-protocols' to [TLSv1] only.
      Note2: I have also tested with Undertow master (latest commit) and also with latest wildfly-openssl (latest commit).

        1. server.p12
          2 kB
          Jan Stourac
        2. tls10h2Fail.pcapng
          2 kB
          Jan Stourac

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: