WildFly WIP / WFWIP-339

OpenSSL security provider seems to be used when not defined with JDK8 now


Details

    • Bug
    • Resolution: Done
    • Major
    • Security
    • None
      1. build server from relevant sources based on the work of EAP7-1414:
         https://github.com/wildfly-security/wildfly-openssl-natives/pull/1
         https://github.com/wildfly-security/wildfly-openssl/pull/81
         https://github.com/undertow-io/undertow/commit/818bfe3979cf9001660ee50718df67837a42790d (current master)
         https://github.com/wildfly/wildfly-core/commit/346e1b30e1f58ec1fe5805eb2c59ff4bf5d65dc9 (current master)
         https://github.com/wildfly/wildfly/commits/master (current master)
      2. copy `server.jks`, `client.jks` and `standalone-full.xml` files into the `EAP_HOME/standalone/configuration` directory
      3. start the server:
         JAVA_HOME=<path_to_jdk8> ./bin/standalone.sh -c standalone-full.xml
         # check that the relevant `WFOPENSSL0002` message is present during the server boot

    Description

      It looks like the OpenSSL security provider is now used as the default when I configure the reverse-proxy feature on the server. I am not sure what the root cause of this change of behavior is. I also see this change of behavior only with JDK8. JDK11 works as expected!

      Attaching the relevant configuration. It can also be seen that, during startup, the relevant log message about the OpenSSL provider is logged during the server boot, e.g.:

      16:44:42,676 INFO [org.wildfly.openssl.SSL] (MSC service thread 1-3) WFOPENSSL0002 OpenSSL Version OpenSSL 1.0.2h-fips 3 May 2016

      This INFO message starts to occur in the server log once 'server-ssl-context' or 'client-ssl-contexts' are added into the server configuration and the server is started with JDK8:

      <server-ssl-contexts>
          <server-ssl-context name="server-ssl-context" need-client-auth="true" key-manager="server-ssl-contextKM" trust-manager="server-ssl-contextTM"/>
      </server-ssl-contexts>
      <client-ssl-contexts>
          <client-ssl-context name="proxy-ssl-context" key-manager="proxy-ssl-contextKM" trust-manager="proxy-ssl-contextTM"/>
      </client-ssl-contexts>
      

      There are two questions from this:

      1. Is this change of OpenSSL provider being initialized during the boot in this configuration case expected?
      2. I believe that even if the answer to the question above is `yes`, we should not change the default security provider, which in this case should be JSSE. Not to mention that we don't want to behave differently for JDK8 and JDK11.

      Hope I don't have any misconfiguration in the configuration itself.

      Attachments

        1. client.jks (3 kB)
        2. server.jks (3 kB)
        3. standalone-full.xml (38 kB)
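Added example, not code from this issue or from the WildFly project: a small standalone Java program that reports which provider backs the JVM's default SSLContext, which provider SSLContext.getInstance("TLS") resolves to, and whether any OpenSSL-based provider is registered at all. It only sees providers registered in the JVM it runs in, so it must be run with the same JDK and with the WildFly OpenSSL provider on the classpath (or from code running inside the server) to reflect the situation described above; running it once under JDK8 and once under JDK11 then shows whether the two differ. The expected provider name "SunJSSE" and the rule that the OpenSSL provider's name contains "openssl" are assumptions made for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

/**
 * Reports which JCA/JSSE provider the JVM hands out for TLS by default and
 * whether an OpenSSL-backed provider has been registered.
 * Added example; not WildFly/Elytron code.
 */
public class SslProviderCheck {

    /** Provider name assumed for the stock JSSE implementation (assumption). */
    static final String EXPECTED_JSSE = "SunJSSE";

    /** Provider that backs SSLContext.getDefault(), i.e. what plain JSSE callers get. */
    static String defaultSslProvider() throws NoSuchAlgorithmException {
        return SSLContext.getDefault().getProvider().getName();
    }

    /** Provider chosen for SSLContext.getInstance("TLS"); the provider list is searched in order. */
    static String tlsProvider() throws NoSuchAlgorithmException {
        return SSLContext.getInstance("TLS").getProvider().getName();
    }

    /** 1-based position of the first provider whose name mentions OpenSSL, or -1 if none is registered.
     *  The substring match is an assumption about how the OpenSSL provider names itself. */
    static int openSslProviderPosition() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (providers[i].getName().toLowerCase().contains("openssl")) {
                return i + 1;
            }
        }
        return -1;
    }

    /** True when both the default SSLContext and a plain "TLS" lookup still resolve to JSSE. */
    static boolean jsseIsDefault() throws NoSuchAlgorithmException {
        return EXPECTED_JSSE.equals(defaultSslProvider()) && EXPECTED_JSSE.equals(tlsProvider());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Registered providers (precedence order):");
        for (Provider p : Security.getProviders()) {
            System.out.printf("  %-20s %s%n", p.getName(), p.getInfo());
        }
        int pos = openSslProviderPosition();
        System.out.println("SSLContext.getDefault()       -> " + defaultSslProvider());
        System.out.println("SSLContext.getInstance(\"TLS\") -> " + tlsProvider());
        System.out.println("OpenSSL provider position     -> " + (pos < 0 ? "not registered" : String.valueOf(pos)));
        if (!jsseIsDefault()) {
            // Non-zero exit lets a CI job flag the provider switch instead of relying on log scraping.
            System.out.println("WARNING: default TLS provider is not " + EXPECTED_JSSE);
            System.exit(1);
        }
    }
}
```

Compile and run it with `JAVA_HOME=<path_to_jdk8>` and the WildFly OpenSSL provider jar on the classpath; a non-zero exit complements grepping the boot log for `WFOPENSSL0002`, because the log line only proves the native library was initialized, while this check proves whether it actually took over the default TLS provider.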

          People

            fjuma1@redhat.com Farah Juma
            jstourac@redhat.com Jan Stourac
