Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-4737

CVE-2019-14887 The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use

    XMLWordPrintable

Details

    • Hide
      1. start the server 
        $ ./wildfly/bin/standalone.sh
      2. in WildFly CLI configure OpenSSL security provider 
        /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS)
      3. and restrict enabled protocols to just TLS 1.0 
        /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=enabled-protocols,value=["TLSv1"]
      4. now reload the server to make configuration changes take effect 
        reload
      5. in new shell, perform HTTP request against server and check what TLS version is utilized 
        $ curl -k -vvv https://127.0.0.1:8443 > /dev/null

      In my case, I can see that TLSv1.2 is being utilized for the connection.

      $ curl -k -vvv https://127.0.0.1:8443 > /dev/null
*   Trying 127.0.0.1:8443...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [694 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=localhost
*  start date: Oct 30 09:07:52 2019 GMT
*  expire date: Oct 27 09:07:52 2029 GMT
*  issuer: CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
} [5 bytes data]
> GET / HTTP/1.1
> Host: 127.0.0.1:8443
> User-Agent: curl/7.65.3
> Accept: */*
> 
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Connection: keep-alive
< Last-Modified: Thu, 03 Oct 2019 07:37:54 GMT
< Content-Length: 1504
< Content-Type: text/html
< Accept-Ranges: bytes
< Date: Wed, 30 Oct 2019 09:09:38 GMT
< 
{ [5 bytes data]
100  1504  100  1504    0     0  94000      0 --:--:-- --:--:-- --:--:-- 94000
* Connection #0 to host 127.0.0.1 left intact
      Show
      start the server $ ./wildfly/bin/standalone.sh in WildFly CLI configure OpenSSL security provider /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLS) and restrict enabled protocols to just TLS 1.0 /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=enabled-protocols,value=[ "TLSv1" ] now reload the server to make configuration changes take effect reload in new shell, perform HTTP request against server and check what TLS version is utilized $ curl -k -vvv https: //127.0.0.1:8443 > /dev/ null In my case, I can see that TLSv1.2 is being utilized for the connection. $ curl -k -vvv https: //127.0.0.1:8443 > /dev/ null * Trying 127.0.0.1:8443... * TCP_NODELAY set % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none } [5 bytes data] * TLSv1.3 (OUT), TLS handshake, Client hello (1): } [512 bytes data] * TLSv1.3 (IN), TLS handshake, Server hello (2): { [108 bytes data] * TLSv1.2 (IN), TLS handshake, Certificate (11): { [694 bytes data] * TLSv1.2 (IN), TLS handshake, Server key exchange (12): { [300 bytes data] * TLSv1.2 (IN), TLS handshake, Server finished (14): { [4 bytes data] * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): } [37 bytes data] * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): } [1 bytes data] * TLSv1.2 (OUT), TLS handshake, Finished (20): } [16 bytes data] * TLSv1.2 (IN), TLS handshake, Finished (20): { [16 bytes data] * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: CN=localhost * start date: Oct 30 09:07:52 2019 GMT * expire date: Oct 27 09:07:52 2029 GMT * issuer: CN=localhost * SSL certificate verify result: self signed certificate (18), continuing anyway. } [5 bytes data] > GET / HTTP/1.1 > Host: 127.0.0.1:8443 > User-Agent: curl/7.65.3 > Accept: */* > { [5 bytes data] * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Connection: keep-alive < Last-Modified: Thu, 03 Oct 2019 07:37:54 GMT < Content-Length: 1504 < Content-Type: text/html < Accept-Ranges: bytes < Date: Wed, 30 Oct 2019 09:09:38 GMT < { [5 bytes data] 100 1504 100 1504 0 0 94000 0 --:--:-- --:--:-- --:--:-- 94000 * Connection #0 to host 127.0.0.1 left intact

    Description

      The 'enabled-protocols' attribute in legacy security seems not to be working if 'openssl.TLS' provider is in use. If regular JSSE provider with 'TLS' value is in use, it is working just fine, although not in case 'openssl.TLS'. See more info in reproduction steps.

      Attachments

        Issue Links

          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFCORE-4878 Upgrade WildFly OpenSSL to 1.0.10.Final

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-17893 TLSv1.3 via wildfly-openssl discrepancy between JBoss EAP and WildFly

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-14270 [GSS] (7.2.z) HTTP/2 with openssl library not working for openssl.TLSv1 or openssl.TLSv1.1

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              fjuma1@redhat.com Farah Juma
              jstourac@redhat.com Jan Stourac
              Carlo de Wolf, Farah Juma, Radovan Stancel
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: