Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9690

Inadequate security with Elytron + HTTP2

XMLWordPrintable

    • Hide

      Basically follow instructions here (with exception of TLSv1.2 version):

      keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
      
      /subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)
      /subsystem=elytron/key-managers=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text=secret})
      /subsystem=elytron/server-ssl-context=httpsSSC:add(key-managers=httpsKM,protocols=["TLSv1.2"])
      /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=httpsSSC)
      /subsystem=elytron/server-ssl-context=httpsSSC:write-attribute(name=wrap,value=false)    <-- because of https://issues.jboss.org/browse/JBEAP-5942
      reload
      

      Now perform https request to server via Chrome or Firefox and see ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.

      Show
      Basically follow instructions here (with exception of TLSv1.2 version): keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore standalone/configuration/keystore.jks -dname "CN=localhost" -keypass secret -storepass secret /subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS) /subsystem=elytron/key-managers=httpsKM:add(key-store=httpsKS,algorithm= "SunX509" ,credential-reference={clear-text=secret}) /subsystem=elytron/server-ssl-context=httpsSSC:add(key-managers=httpsKM,protocols=[ "TLSv1.2" ]) /subsystem=undertow/server= default -server/https-listener=https:undefine-attribute(name=security-realm) /subsystem=undertow/server= default -server/https-listener=https:write-attribute(name=ssl-context,value=httpsSSC) /subsystem=elytron/server-ssl-context=httpsSSC:write-attribute(name=wrap,value= false ) <-- because of https: //issues.jboss.org/browse/JBEAP-5942 reload Now perform https request to server via Chrome or Firefox and see ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY .

      When I configure Elytron based security and HTTP2, I can see that it works for curl client. Although Chrome or Firefox clients, that are more strict to what ciphersuite is used for created HTTP2 connection, they response with ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY instead.

      I think that reason for this is that client offers server both H2 and HTTP/1.1 protocol for communication in ALPN and with that set of ciphersuites that client supports. Although only subset of these offered ciphersuites can be actually utilized with H2 protocol. Server then choose H2 protocol and unsuitable ciphersuite. In response client set ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.

      This seems to be similar as JBEAP-6818 which was filed against 'security-realm' based security subsystem.

      One can workaround this issue by explicitelly allowing only secure ciphersuites:

      /subsystem=elytron/server-ssl-context=httpsSSC:write-attribute(name=cipher-suite-filter, value=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
      

      But expected behaviour is that this works rightaway without neccessity of such configuration.

      I am attaching packet capture with such unsuccessfull request.

        1. elytronHttp2InadequateTransportSecurity.pcapng
          6 kB
          Jan Stourac
        2. keystore.jks
          1 kB
          Jan Stourac
        3. standalone.xml
          29 kB
          Jan Stourac

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: