Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9690

Inadequate security with Elytron + HTTP2

    XMLWordPrintable

Details

    • Hide

      Basically follow instructions here (with exception of TLSv1.2 version):

      keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/keystore.jks -dname "CN=localhost" -keypass secret -storepass secret

/subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
/subsystem=elytron/key-managers=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
/subsystem=elytron/server-ssl-context=httpsSSC:add(key-managers=httpsKM,protocols=["TLSv1.2"])
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=httpsSSC)
/subsystem=elytron/server-ssl-context=httpsSSC:write-attribute(name=wrap,value=false)    <-- because of https://issues.jboss.org/browse/JBEAP-5942
reload

      Now perform https request to server via Chrome or Firefox and see ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.

      Show
      Basically follow instructions here (with exception of TLSv1.2 version): keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/keystore.jks -dname "CN=localhost" -keypass secret -storepass secret /subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-managers=httpsKM:add(key-store=httpsKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/server-ssl-context=httpsSSC:add(key-managers=httpsKM,protocols=[ "TLSv1.2" ]) /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=httpsSSC) /subsystem=elytron/server-ssl-context=httpsSSC:write-attribute(name=wrap,value= false ) <-- because of https: //issues.jboss.org/browse/JBEAP-5942 reload Now perform https request to server via Chrome or Firefox and see ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY .

    Description

      When I configure Elytron based security and HTTP2, I can see that it works for curl client. Although Chrome or Firefox clients, that are more strict to what ciphersuite is used for created HTTP2 connection, they response with ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY instead.

      I think that reason for this is that client offers server both H2 and HTTP/1.1 protocol for communication in ALPN and with that set of ciphersuites that client supports. Although only subset of these offered ciphersuites can be actually utilized with H2 protocol. Server then choose H2 protocol and unsuitable ciphersuite. In response client set ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.

      This seems to be similar as JBEAP-6818 which was filed against 'security-realm' based security subsystem.

      One can workaround this issue by explicitelly allowing only secure ciphersuites:

      /subsystem=elytron/server-ssl-context=httpsSSC:write-attribute(name=cipher-suite-filter, value=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)

      But expected behaviour is that this works rightaway without neccessity of such configuration.

      I am attaching packet capture with such unsuccessfull request.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. UNDERTOW-1032 Inadequate security with Elytron + HTTP2

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-5942 Elytron + https-listener in undertow listener doesn't work with enable-http2 set to "true"

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-6818 wildfly-openssl - EAP chooses ciphers that are "unsecure" for Chrome and Firefox for HTTPS

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-9866 Elytron SSLContext should not prefer local ciphers

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              sdouglas1@redhat.com Stuart Douglas
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: