Loading...

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 12.0.0.Beta1, 12.0.0.Final
Affects Version/s: 10.0.0.Final
Component/s: Security
Labels:
None
Environment:
Hide

$ java -version openjdk version "1.8.0_222" OpenJDK Runtime Environment (build 1.8.0_222-b10) OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode) $ openssl version OpenSSL 1.1.1d FIPS 10 Sep 2019 $ uname -r 5.3.6-200.fc30.x86_64

Note, I can see same behaviour also with JDK-11:

$ java -version java version "11.0.1" 2018-10-16 LTS Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS) Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)
Show
$ java -version openjdk version "1.8.0_222" OpenJDK Runtime Environment (build 1.8.0_222-b10) OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode) $ openssl version OpenSSL 1.1.1d FIPS 10 Sep 2019 $ uname -r 5.3.6-200.fc30.x86_64 Note, I can see same behaviour also with JDK-11: $ java -version java version "11.0.1" 2018-10-16 LTS Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS) Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)

Steps to Reproduce:
Hide

start the server

$ ./wildfly/bin/standalone.sh

in WildFly CLI configure OpenSSL security provider

/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)

and restrict enabled protocols to just TLS 1.0

/core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=enabled-protocols,value=["TLSv1"]

now reload the server to make configuration changes take effect

reload

in new shell, perform HTTP request against server and check what TLS version is utilized

$ curl -k -vvv https://127.0.0.1:8443 > /dev/null

In my case, I can see that TLSv1.2 is being utilized for the connection.

$ curl -k -vvv https://127.0.0.1:8443 > /dev/null * Trying 127.0.0.1:8443... * TCP_NODELAY set % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none } [5 bytes data] * TLSv1.3 (OUT), TLS handshake, Client hello (1): } [512 bytes data] * TLSv1.3 (IN), TLS handshake, Server hello (2): { [108 bytes data] * TLSv1.2 (IN), TLS handshake, Certificate (11): { [694 bytes data] * TLSv1.2 (IN), TLS handshake, Server key exchange (12): { [300 bytes data] * TLSv1.2 (IN), TLS handshake, Server finished (14): { [4 bytes data] * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): } [37 bytes data] * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): } [1 bytes data] * TLSv1.2 (OUT), TLS handshake, Finished (20): } [16 bytes data] * TLSv1.2 (IN), TLS handshake, Finished (20): { [16 bytes data] * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: CN=localhost * start date: Oct 30 09:07:52 2019 GMT * expire date: Oct 27 09:07:52 2029 GMT * issuer: CN=localhost * SSL certificate verify result: self signed certificate (18), continuing anyway. } [5 bytes data] > GET / HTTP/1.1 > Host: 127.0.0.1:8443 > User-Agent: curl/7.65.3 > Accept: */* > { [5 bytes data] * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Connection: keep-alive < Last-Modified: Thu, 03 Oct 2019 07:37:54 GMT < Content-Length: 1504 < Content-Type: text/html < Accept-Ranges: bytes < Date: Wed, 30 Oct 2019 09:09:38 GMT < { [5 bytes data] 100 1504 100 1504 0 0 94000 0 --:--:-- --:--:-- --:--:-- 94000 * Connection #0 to host 127.0.0.1 left intact
Show
start the server $ ./wildfly/bin/standalone.sh in WildFly CLI configure OpenSSL security provider /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) and restrict enabled protocols to just TLS 1.0 /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=enabled-protocols,value=[ "TLSv1" ] now reload the server to make configuration changes take effect reload in new shell, perform HTTP request against server and check what TLS version is utilized $ curl -k -vvv https: //127.0.0.1:8443 > /dev/ null In my case, I can see that TLSv1.2 is being utilized for the connection. $ curl -k -vvv https: //127.0.0.1:8443 > /dev/ null * Trying 127.0.0.1:8443... * TCP_NODELAY set % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none } [5 bytes data] * TLSv1.3 (OUT), TLS handshake, Client hello (1): } [512 bytes data] * TLSv1.3 (IN), TLS handshake, Server hello (2): { [108 bytes data] * TLSv1.2 (IN), TLS handshake, Certificate (11): { [694 bytes data] * TLSv1.2 (IN), TLS handshake, Server key exchange (12): { [300 bytes data] * TLSv1.2 (IN), TLS handshake, Server finished (14): { [4 bytes data] * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): } [37 bytes data] * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): } [1 bytes data] * TLSv1.2 (OUT), TLS handshake, Finished (20): } [16 bytes data] * TLSv1.2 (IN), TLS handshake, Finished (20): { [16 bytes data] * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: CN=localhost * start date: Oct 30 09:07:52 2019 GMT * expire date: Oct 27 09:07:52 2029 GMT * issuer: CN=localhost * SSL certificate verify result: self signed certificate (18), continuing anyway. } [5 bytes data] > GET / HTTP/1.1 > Host: 127.0.0.1:8443 > User-Agent: curl/7.65.3 > Accept: */* > { [5 bytes data] * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Connection: keep-alive < Last-Modified: Thu, 03 Oct 2019 07:37:54 GMT < Content-Length: 1504 < Content-Type: text/html < Accept-Ranges: bytes < Date: Wed, 30 Oct 2019 09:09:38 GMT < { [5 bytes data] 100 1504 100 1504 0 0 94000 0 --:--:-- --:--:-- --:--:-- 94000 * Connection #0 to host 127.0.0.1 left intact

The 'enabled-protocols' attribute in legacy security seems not to be working if 'openssl.TLS' provider is in use. If regular JSSE provider with 'TLS' value is in use, it is working just fine, although not in case 'openssl.TLS'. See more info in reproduction steps.

is incorporated by

WFCORE-4878 Upgrade WildFly OpenSSL to 1.0.10.Final

Closed

is related to

JBEAP-17893 TLSv1.3 via wildfly-openssl discrepancy between JBoss EAP and WildFly

Closed

relates to

JBEAP-14270 [GSS] (7.2.z) HTTP/2 with openssl library not working for openssl.TLSv1 or openssl.TLSv1.1

Closed

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates