Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-11640

NPE with wildfly-openssl using OpenSSL 1.1.1a

    XMLWordPrintable

Details

    • Hide
      1. start eap with path to OpenSSL 1.1.1a, e.g.: 
        ./bin/standalone.sh -Dorg.wildfly.openssl.path=/tmp/openssl-1.1.1a/
      2. configure tls provider via CLI: 
        /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLSv1.2)
reload
      3. see NPE during ciphers initialization in server.log
      4. perform request to server, e.g. curl -k https://localhost:8443 and see another NPE
      Show
      start eap with path to OpenSSL 1.1.1a, e.g.: ./bin/standalone.sh -Dorg.wildfly.openssl.path=/tmp/openssl-1.1.1a/ configure tls provider via CLI: /core-service=management/security-realm=ApplicationRealm/server-identity=ssl:write-attribute(name=protocol,value=openssl.TLSv1.2) reload see NPE during ciphers initialization in server.log perform request to server, e.g. curl -k https://localhost:8443 and see another NPE

    Description

      It is impossible to use wildfly-openssl binding with OpenSSL 1.1.1a (RHEL8 uses 1.1.1 at the moment but there seems to be same issue). There is an NPE during the ciphersuites initialization:

      9:10:58,330 WARNING [org.wildfly.openssl.OpenSSLContextSPI] (MSC service thread 1-3) WFOPENSSL0014 Failed to initialize ciphers: java.lang.NullPointerException
	at org.wildfly.openssl.CipherSuiteConverter.toJava(CipherSuiteConverter.java:284)
	at org.wildfly.openssl.OpenSSLContextSPI.getAvailableCipherSuites(OpenSSLContextSPI.java:109)
	at org.wildfly.openssl.OpenSSLEngine.getSupportedCipherSuites(OpenSSLEngine.java:711)
	at org.wildfly.openssl.OpenSSLSocket.getSupportedCipherSuites(OpenSSLSocket.java:163)
	at javax.net.ssl.SSLContextSpi.engineGetSupportedSSLParameters(SSLContextSpi.java:194)
	at javax.net.ssl.SSLContext.getSupportedSSLParameters(SSLContext.java:436)
	at org.jboss.as.domain.management.security.SSLContextService.wrapSslContext(SSLContextService.java:116)
	at org.jboss.as.domain.management.security.SSLContextService.start(SSLContextService.java:102)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
	at java.lang.Thread.run(Thread.java:748)

      and then there is NPE during the request itself:

      19:12:18,417 ERROR [org.xnio.listener] (default I/O-2) XNIO001007: A channel event listener threw an exception: java.lang.NullPointerException
	at org.wildfly.openssl.CipherSuiteConverter.toJava(CipherSuiteConverter.java:284)
	at org.wildfly.openssl.OpenSSLEngine.toJavaCipherSuite(OpenSSLEngine.java:1094)
	at org.wildfly.openssl.OpenSSLEngine.getEnabledCipherSuites(OpenSSLEngine.java:729)
	at org.wildfly.openssl.OpenSSLContextSPI.getCiphers(OpenSSLContextSPI.java:339)
	at org.wildfly.openssl.OpenSSLEngine.getEnabledCipherSuites(OpenSSLEngine.java:720)
	at io.undertow.server.protocol.http.AlpnOpenListener.engineSupportsHTTP2(AlpnOpenListener.java:324)
	at io.undertow.server.protocol.http.AlpnOpenListener$1.apply(AlpnOpenListener.java:239)
	at io.undertow.server.protocol.http.AlpnOpenListener$1.apply(AlpnOpenListener.java:235)
	at io.undertow.server.protocol.http.AlpnOpenListener$SSLConduitUpdater.apply(AlpnOpenListener.java:430)
	at io.undertow.server.protocol.http.AlpnOpenListener$SSLConduitUpdater.apply(AlpnOpenListener.java:419)
	at io.undertow.protocols.alpn.DefaultAlpnEngineManager.registerEngine(DefaultAlpnEngineManager.java:31)
	at io.undertow.protocols.alpn.ALPNManager.registerEngineCallback(ALPNManager.java:80)
	at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:235)
	at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:64)
	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
	at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
	at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
	at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:131)
	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:479)

      Looking briefly into it, the cipher that is trying to be used is TLS_AES_256_GCM_SHA384. It is interesting that this cipher has underscores '_' in its name instead of hyphens '-' as most of the openssl ciphers have. Looks like these were added in the sake of TLSv1.3, see here.

      Attachments

        Issue Links

          is caused by

          Bug - A problem that impairs or prevents the functions of the product. WFSSL-10 NPE with wildfly-openssl using OpenSSL 1.1.1a

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-16425 (7.2.z) WFLY-11640 - WFSSL-10 - NPE with wildfly-openssl using OpenSSL 1.1.1a

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Activity

            People

              rhn-support-iweiss Ingo Weiss
              jstourac@redhat.com Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: