WildFly Core / WFCORE-5145

Elytron server-ssl-context allowed protocols


    Details

    • Type: Feature Request
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 16.0.0.Beta5, 16.0.0.Final
    • Component/s: None
    • Labels: None

      Description

      When JBoss EAP 7.2.7 is connecting to a third-party client that is running on JDK 6, the following exception is logged:

      javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled

      As I understand, SSLv2Hello is used in older JDK versions for the initial handshake message where the SSL version that will be used for the rest of the handshake is negotiated.

      It is not possible to add SSLv2Hello to the list of protocols in server-ssl-context due to not being a valid value:

      [standalone@localhost:9990 /] /subsystem=elytron/server-ssl-context=my-ssl-context:list-add(name=protocols, value=SSLv2Hello, index=0)
      {
          "outcome" => "failed",
          "failure-description" => "WFLYCTL0129: Invalid value SSLv2Hello for protocols; legal values are [\"SSLv2\", \"SSLv3\", \"TLSv1\", \"TLSv1.1\", \"TLSv1.2\", \"TLSv1.3\"]",
          "rolled-back" => true
      }

      According to the Undertow read-resource-description below, when server-ssl-context is configured in the Elytron subsystem, protocols must be defined in the server-ssl-context and not in the https connector in Undertow ("Where an SSLContext is references it should be configured with the supported protocols."):

       /subsystem=undertow/server=default-server/https-listener=https/:read-resource-description(inherited=false,recursive=true,access-control=none)...
      "enabled-protocols" => {
                      "type" => STRING,
                      "description" => "Configures SSL protocols",
                      "expressions-allowed" => true,
                      "required" => false,
                      "nillable" => true,
                      "alternatives" => ["ssl-context"],
                      "min-length" => 1L,
                      "max-length" => 2147483647L,
                      "deprecated" => {
                          "since" => "4.0.0",
                          "reason" => "Where an SSLContext is references it should be configured with the supported protocols."
                      },
                      "access-type" => "read-write",
                      "storage" => "configuration",
                      "restart-required" => "all-services"
                  },
      ...

      It is possible to add SSLv2Hello to the https connector in Undertow with legacy security as per.
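The report hinges on how the JDK treats SSLv2Hello on the server side: it is not a protocol version but a pseudo-protocol that lets a server-mode SSLEngine accept a ClientHello wrapped in the SSLv2 record format, which is what a JDK 6 client sends. The following Java program is an added example, not code from the issue or from WildFly/Elytron; the class and method names are made up, and it assumes, as the "SSLv2Hello is disabled" exception implies but the page does not state, that the configured protocols list ends up as the engine's enabled protocols. Run it with the same JDK the server uses to see whether SSLv2Hello is supported there at all, whether it is enabled by default for server engines, and what restricting the enabled list to a fixed set of versions (the only shape server-ssl-context accepts) does to it.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Hypothetical diagnostic (not WildFly code): reports how the running JDK treats the
 * SSLv2Hello pseudo-protocol for a server-side SSLEngine and what a fixed enabled-protocol
 * list does to it.
 */
public class SslHelloProtocolCheck {

    /** Outcome of one attempt to set the enabled-protocol list. */
    public static final class Result {
        public final List<String> requested;
        public final List<String> enabled;  // what the engine actually has enabled afterwards
        public final String error;          // non-null if the JDK refused the requested list

        Result(List<String> requested, List<String> enabled, String error) {
            this.requested = requested;
            this.enabled = enabled;
            this.error = error;
        }
    }

    /** Server-mode engine on the default JSSE provider; no key material is needed just to inspect protocol lists. */
    public static SSLEngine newServerEngine() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);        // default KeyManager/TrustManager suffice for inspection
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);    // server side, as an https-listener would be
        return engine;
    }

    /** Tries to enable exactly the given names, the way a fixed protocols list would. */
    public static Result applyProtocols(SSLEngine engine, String... protocols) {
        List<String> requested = Arrays.asList(protocols);
        try {
            engine.setEnabledProtocols(protocols);
            return new Result(requested, Arrays.asList(engine.getEnabledProtocols()), null);
        } catch (IllegalArgumentException e) {
            // Thrown when a name is not in getSupportedProtocols(), e.g. SSLv2Hello on a JDK that dropped it.
            return new Result(requested, Arrays.asList(engine.getEnabledProtocols()), e.getMessage());
        }
    }

    private static void describe(String label, Result r) {
        System.out.println(label);
        System.out.println("  requested:        " + r.requested);
        System.out.println("  enabled now:      " + r.enabled);
        System.out.println("  SSLv2Hello on:    " + r.enabled.contains("SSLv2Hello"));
        if (r.error != null) {
            System.out.println("  rejected by JDK:  " + r.error);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = newServerEngine();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> enabledByDefault = Arrays.asList(engine.getEnabledProtocols());

        System.out.println("supported (server mode): " + supported);
        System.out.println("enabled by default:      " + enabledByDefault);
        System.out.println("SSLv2Hello supported:    " + supported.contains("SSLv2Hello"));
        System.out.println("SSLv2Hello enabled:      " + enabledByDefault.contains("SSLv2Hello"));

        // Case 1: a list of real versions only, the only form server-ssl-context accepts.
        // Whatever the default was, SSLv2Hello is absent afterwards, so an SSLv2-format
        // ClientHello from a JDK 6 peer fails with "SSLv2Hello is disabled".
        describe("versions only", applyProtocols(engine, "TLSv1.2"));

        // Case 2: SSLv2Hello alongside a real version. SSLv2Hello only changes which
        // ClientHello record format is accepted, so it must be listed together with at
        // least one actual protocol version; the JDK rejects it outright if unsupported.
        describe("SSLv2Hello + TLSv1.2", applyProtocols(newServerEngine(), "SSLv2Hello", "TLSv1.2"));
    }
}
```

Compile and run it with `javac SslHelloProtocolCheck.java && java SslHelloProtocolCheck` on the server's JDK. If case 2 is rejected, the JDK itself no longer offers SSLv2Hello on the server side and no WildFly configuration can bring it back; if it is accepted, the remaining gap is purely the server-ssl-context validation shown in the description.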

      People

      Assignee: Sonia Zaldana (szaldana)
      Reporter: Sonia Zaldana (szaldana)