Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-5145

Elytron server-ssl-context allowed protocols

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Major Major
    • 16.0.0.Beta5, 16.0.0.Final
    • None
    • None
    • None

      When JBoss EAP 7.2.7 is connecting to a third party client that is running on JDK 6 the following exception is logged:

        
      javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled

      As I understand, SSLv2Hello is used in older JDK versions for the initial handshake message where the SSL version that will be used for the rest of the handshake is negotiated.

      It is not possible to add SSLv2Hello to the list of protocols in server-ssl-context due to not being a valid value:

       [standalone@localhost:9990 /] /subsystem=elytron/server-ssl-context=my-ssl-context:list-add(name=protocols, value=SSLv2Hello, index=0)
      {
       "outcome" => "failed",
       "failure-description" => "WFLYCTL0129: Invalid value SSLv2Hello for protocols; legal values are [\"SSLv2\", \"SSLv3\", \"TLSv1\", \"TLSv1.1\", \"TLSv1.2\", \"TLSv1.3\"]",
       "rolled-back" => true
      }

      According to the undertow read-resource-description below, when server-ssl-context is  configured in the Elytron subsystem, protocols must be defined in the server-ssl-context and not in the https connector in Undertow ("Where an SSLContext is references it should be configured with the supported protocols."):

       /subsystem=undertow/server=default-server/https-listener=https/:read-resource-description(inherited=false,recursive=true,access-control=none)...
      "enabled-protocols" => {
                      "type" => STRING,
                      "description" => "Configures SSL protocols",
                      "expressions-allowed" => true,
                      "required" => false,
                      "nillable" => true,
                      "alternatives" => ["ssl-context"],
                      "min-length" => 1L,
                      "max-length" => 2147483647L,
                      "deprecated" => {
                          "since" => "4.0.0",
                          "reason" => "Where an SSLContext is references it should be configured with the supported protocols."
                      },
                      "access-type" => "read-write",
                      "storage" => "configuration",
                      "restart-required" => "all-services"
                  },
      ...

      It is possible to add SSLv2Hello to the https connector in Undertow with legacy security as per.

              rh-ee-szaldana Sonia Zaldana Calles
              rh-ee-szaldana Sonia Zaldana Calles
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: