Bug 1019375

Summary: SSL Protocols Options are wrong / do not match JSSE defaults.
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Eric Rich <erich>
Component: Documentation
Assignee: Joshua Wulf <jwulf>
Status: CLOSED CURRENTRELEASE
QA Contact: Russell Dickenson <rdickens>
Severity: unspecified
Priority: unspecified
Version: 6.1.1
CC: cdolphy, fbogyai, jwulf, lcarlon, rhatlapa, twells
Target Milestone: GA
Keywords: Documentation
Target Release: EAP 6.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Environment:
Build: CSProcessor Builder Version 1.12 Build Name: 19235, Security Guide-6.1-1 Build Date: 05-09-2013 10:48:22 Topic ID: 9038-496418 [Specified]
Last Closed: 2014-08-06 14:35:18 UTC
Type: Bug

Description Eric Rich 2013-10-15 15:10:31 UTC
Title: SSL Connector Reference

Describe the issue:
The options listed in the 'protocol' section of the document do not match what the default JVM options are. 

    SSLv2, SSLv3, TLSv1, SSLv2+SSLv3, and ALL. The default is ALL.

Suggestions for improvement:

Under Oracle 1.7 JVM with just the SunJSSE provider the valid values are: [0]
    SSLv3, TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello 

Our documentation says the following are supported:
    SSLv2, SSLv3, TLSv1, SSLv2+SSLv3 and ALL.

However, under Java 1.7 JSSE here's what those values do:

SSLv2 -- default which is all the protocols, but NOT SSL v2 since that is not supported
SSLv3 -- Works as expected
TLSv1 -- Works as expected (only get TLSv1)
SSLv2+SSLv3 -- default which is all the protocols, but NOT SSL v2 since that is not supported
ALL -- Works as expected (somewhat).  Gives the default which is all the protocols, but NOT SSL v2 since that is not supported

Also, keep in mind the actual valid values are from the JSSE provider and any combination separated by commas.

Additional information:

[0] http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

SSLv2Hello isn't SSLv2 .. it's just a backwards compatible hello

Comment 1 Chris Dolphy 2013-10-15 15:15:08 UTC
I think the important thing to mention is that protocol is passed along to the underlying implementation (either JSSE or OpenSSL) and the valid values depend on those implementations.
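
The description and comment 1 both say that the valid `protocol` names come from the underlying provider, and that can be checked on a given JVM. The following is an added example, not part of the bug report or of JBoss EAP code; the class name `ProtocolValueCheck` and the candidate list are assumptions for illustration, and it only queries the JVM's default `SSLContext`, not the connector itself.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name); not JBoss EAP code.
public class ProtocolValueCheck {

    // Split a comma-separated value and return the tokens that the
    // provider does not list among its supported protocol names.
    static List<String> unsupported(String value, Set<String> supported) {
        List<String> unknown = new ArrayList<String>();
        for (String token : value.split(",")) {
            String name = token.trim();
            if (!name.isEmpty() && !supported.contains(name)) {
                unknown.add(name);
            }
        }
        return unknown;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Names the provider can negotiate at all.
        Set<String> supported = new TreeSet<String>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        // Names the provider turns on when nothing is configured.
        Set<String> enabled = new TreeSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));

        System.out.println("Supported by this JVM's JSSE: " + supported);
        System.out.println("Enabled by default:           " + enabled);

        // Constructed candidates: the values quoted in the report,
        // plus two comma-separated lists of provider names.
        String[] candidates = {
            "SSLv2", "SSLv2+SSLv3", "ALL", "TLSv1",
            "TLSv1,TLSv1.1,TLSv1.2", "SSLv3, SSLv2Hello"
        };
        for (String value : candidates) {
            List<String> unknown = unsupported(value, supported);
            System.out.println(value + " -> " + (unknown.isEmpty()
                    ? "every token is a provider protocol name"
                    : "not provider protocol names: " + unknown));
        }
    }
}
```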

Comment 3 FIlip Bogyai 2014-07-22 13:16:13 UTC
Verified in Revision 6.3.0-37