WildFly Core: WFCORE-4571

Value of 'soft-fail' attribute in 'elytron/trust-manager' is not propagated



      Prepare certificates and start an OCSP responder via OpenSSL:

      mkdir certs && cd certs
      download the attached script make-certs.sh (used to generate the necessary certificates) into this directory
      bash ./make-certs.sh valid-cert test@ex.com all ocsp:http://127.0.0.1:8088
      openssl ocsp -index ca.db -port 8088 -rsigner ca.pem -CA ca.pem -out ocsp_responder.out -text
      

      Prepare the OCSP truststore for WildFly

      keytool -importcert -keystore ocsp-truststore.jks -storepass weneedthatforjava -alias ca -trustcacerts -file ca.crt -noprompt
      

      Prepare the WildFly server

      1. set up the server-ssl-context:
        ./bin/standalone.sh &
        curl https://localhost:8443 -k # perform request against server to autogenerate server certificate and keystore
        
        ./bin/jboss-cli.sh -c
        /subsystem=elytron/key-store=serverKS:add(credential-reference={clear-text=password},path=application.keystore,relative-to=jboss.server.config.dir)
        /subsystem=elytron/key-manager=serverKM:add(credential-reference={clear-text=password},key-store=serverKS)
        /subsystem=elytron/server-ssl-context=serverSslContext:add(key-manager=serverKM)
        batch
        /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
        /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=serverSslContext)
        run-batch
        reload
        
      2. set up two-way SSL authentication with 'soft-fail' set to true:
        (adjust the path to the truststore)
        /subsystem=elytron/key-store=ocspKS:add(credential-reference={clear-text=weneedthatforjava},path=/tmp/certs/ocsp-truststore.jks)
        /subsystem=elytron/key-manager=ocspKM:add(credential-reference={clear-text=weneedthatforjava},key-store=ocspKS)
        /subsystem=elytron/trust-manager=oscpTM:add(key-store=ocspKS, soft-fail=true)
        /subsystem=elytron/server-ssl-context=serverSslContext:write-attribute(name=trust-manager,value=oscpTM)
        /subsystem=elytron/server-ssl-context=serverSslContext:write-attribute(name=need-client-auth,value=true)
        reload
        
      3. set up the OCSP check:
        /subsystem=elytron/trust-manager=oscpTM:write-attribute(name=ocsp.responder,value="http://127.0.0.1:8088")
        reload
        
      4. check that you can access the server welcome page with a valid certificate while the OCSP responder is active:
        curl -k https://127.0.0.1:8443 --key valid-cert.key --cert valid-cert.pem  # success
        
      5. stop the OCSP responder (ctrl-c on the openssl process)
      6. we expect to still have access to the welcome page because soft-fail is enabled, but this is not the case with the current code:
        curl -k https://127.0.0.1:8443 --key valid-cert.key --cert valid-cert.pem  # success expected, but failed instead :(
        

      The value of the 'soft-fail' attribute of the 'trust-manager' resource is not propagated correctly from the configuration to the server, so the server always behaves as if it were set to 'false'. See the steps to reproduce above for details.
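      To make precise what the attribute is supposed to control, the following is an added illustration (not WildFly or Elytron source code) of a PKIX trust manager whose OCSP revocation check is either fail-closed or fail-open. It assumes that 'soft-fail' maps onto the JDK's PKIXRevocationChecker.Option.SOFT_FAIL, which matches the documented semantics of the attribute; the truststore path, password and responder URL are the ones used in the steps to reproduce.

```java
// Added example, not part of WildFly/Elytron: builds a PKIX trust manager whose
// revocation checking is fail-closed or fail-open ("soft-fail"). Assumption:
// the trust-manager 'soft-fail' attribute corresponds to the JDK option
// PKIXRevocationChecker.Option.SOFT_FAIL. Paths and the responder URL are
// taken from the steps to reproduce.
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public final class RevocationTrustManagerExample {

    /**
     * Builds trust managers that validate client certificates against the
     * trust store and query the given OCSP responder for revocation status.
     *
     * @param softFail true: an unreachable responder or an unusable response is
     *                 tolerated and the chain is accepted (fail-open, what
     *                 soft-fail=true asks for); false: such a failure rejects
     *                 the chain (fail-closed, the behaviour the report observes
     *                 regardless of the configured value).
     */
    public static TrustManager[] build(KeyStore trustStore, URI ocspResponder, boolean softFail)
            throws Exception {
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());

        // Obtain the platform revocation checker and pin it to the responder
        // from the reproduction steps instead of relying on the AIA extension.
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) builder.getRevocationChecker();
        checker.setOcspResponder(ocspResponder);

        EnumSet<PKIXRevocationChecker.Option> options =
                EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (softFail) {
            // Only availability failures (network error, tryLater, etc.) are
            // ignored; a definitive "revoked" answer still rejects the chain.
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        checker.setOptions(options);

        // An explicitly added PKIXRevocationChecker replaces the default
        // revocation mechanism of the PKIX validator.
        params.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // Trust store and responder as created in the steps to reproduce; the
        // soft-fail flag comes from the command line so that both variants can
        // be compared against a stopped responder.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream("/tmp/certs/ocsp-truststore.jks")) {
            ts.load(in, "weneedthatforjava".toCharArray());
        }
        boolean softFail = args.length > 0 && Boolean.parseBoolean(args[0]);
        TrustManager[] tms = build(ts, URI.create("http://127.0.0.1:8088"), softFail);
        System.out.println("trust managers built with soft-fail=" + softFail + ": " + tms.length);
    }
}
```

      Plugging the returned trust managers into an SSLContext with need-client-auth enabled reproduces the two outcomes from steps 4 and 6: with soft-fail=false the handshake fails as soon as the responder is stopped, with soft-fail=true it still succeeds. Because the attribute value is dropped on the way to the server, the deployed behaviour is the stricter fail-closed one, so the impact of this bug is an availability regression for operators who chose fail-open, not an unintended acceptance of unchecked certificates.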

Jan Stourac (jstourac@redhat.com)