Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7301

Elytron introduces SSL/TLS protocol constraints

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 11.0.0.Alpha1
    • None
    • Security
    • None

                             "protocols" => {
                                  "type" => LIST,
                                  "description" => "The enabled protocols.",
                                  "expressions-allowed" => true,
                                  "nillable" => false,
                                  "allowed" => [
                                      "SSLv2",
                                      "SSLv3",
                                      "TLSv1",
                                      "TLSv1_1",
                                      "TLSv1_2",
                                      "TLSv1_3"
                                  ],
                                  "value-type" => STRING,
                                  "access-type" => "read-write",
                                  "storage" => "configuration",
                                  "restart-required" => "resource-services"
                              },
      

      Why elytron on this place is going to validate user input and map standard java values [1] into proprietary values?
      Whereas on other similar places (KeyManager algorithm, TrustManager algorithm, Keystore types) it leaves up to user to set proper value.
      IMO, with such mapping another place, where bugs can raise was introduced. EAP will be here always one step back compared to java.

      Note, IBM java already today defines little bit different protocols set [2]

      I wonder, where is that mapping "TLSv1_2 -> TLSv1.2" acually performed? I couldn't find that place.

      [1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
      [2] http://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/protocols.html

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: