WildFly / WFLY-11669

iiop-openjdk ignores cipher-suite-filter with openssl provider

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 15.0.0.Final, 15.0.1.Final
    • Fix Version/s: None
    • Component/s: IIOP
    • Labels:
      None
    • Steps to Reproduce:

      Use elytron to configure openssl provider as per provided xml excerpt so as to configure SSLIOP service provided by iiop-openjdk.

      Description

      When using the "openssl" provider, the cipher-suite-filter is respected by undertow, but ignored by iiop-openjdk (modified standalone-full.xml):

                      <server-ssl-contexts>  
                          <server-ssl-context name="openssl-serversslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" key-manager="wildfly-keymanager" providers="openssl"/>  
                      </server-ssl-contexts>  
                      <client-ssl-contexts>  
                          <client-ssl-context name="iiop-clientsslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>  
                      </client-ssl-contexts>  
                  </tls>  
              </subsystem>  
              <subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">  
                  <orb socket-binding="iiop" ssl-socket-binding="iiop-ssl"/>  
                  <initializers security="identity" transactions="spec"/>  
                  <security support-ssl="true" server-ssl-context="openssl-serversslcontext" client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true" client-requires-ssl="false"/>  
                  <interop iona="true"/>  
              </subsystem>  
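
One way to check whether a listener honours the filter, as an added example (not code from the issue or from WildFly): it reads the cipher-suite-filter of the context that iiop-openjdk references and reports any cipher outside that list that the endpoint still negotiates over TLS 1.2. The sample config, candidate list and function names are constructed for illustration, and the filter is assumed to be a plain colon-separated list of OpenSSL names as in the excerpt.

```python
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

# Constructed sample config (shaped like the excerpt) and constructed probe list.
SAMPLE_CONFIG = """<server><tls><server-ssl-contexts>
  <server-ssl-context name="openssl-serversslcontext" protocols="TLSv1.2"
    cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"/>
</server-ssl-contexts></tls>
<subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1"><security support-ssl="true"
  server-ssl-context="openssl-serversslcontext"/></subsystem></server>"""
CANDIDATES = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
              "ECDHE-RSA-AES128-SHA", "AES256-SHA", "AES128-SHA"]

def iiop_server_filter(config_xml):
    """Names in the cipher-suite-filter of the context iiop-openjdk references."""
    contexts, referenced = {}, None
    for el in ET.fromstring(config_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        if name == "server-ssl-context":
            contexts[el.get("name")] = el.get("cipher-suite-filter", "")
        elif name == "security" and "iiop-openjdk" in el.tag:
            referenced = el.get("server-ssl-context")
    return {c for c in contexts[referenced].split(":") if c}

def tls12_probe(host, port, timeout=5.0):
    """Build a probe that offers exactly one TLS 1.2 cipher to host:port."""
    def probe(cipher):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False                # auditing ciphers, not identity
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(cipher)               # raises if unknown locally
            with socket.create_connection((host, port), timeout) as raw:
                with ctx.wrap_socket(raw) as tls:
                    return tls.cipher()[0] == cipher
        except (ssl.SSLError, OSError):
            return False
    return probe

def audit(allowed, candidates, probe):
    """Ciphers the endpoint negotiates although the filter does not list them."""
    return sorted(c for c in candidates if c not in allowed and probe(c))

if __name__ == "__main__":                        # usage: audit.py HOST PORT
    live_probe = tls12_probe(sys.argv[1], int(sys.argv[2]))
    print(audit(iiop_server_filter(SAMPLE_CONFIG), CANDIDATES, live_probe))
```

Run it against the port of the iiop-ssl socket binding and against the Undertow HTTPS listener; an empty list means the listener honoured the filter for the probed names.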
      

              People

              • Assignee:
                tomekadamski Tomasz Adamski
                Reporter:
                david.everly David Everly