Bug 1153853

Summary: (6.3.z) Management Interface: SSL configuration does not allow disabling protocols [eap-6.3.z]
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Arun Babu Neelicattu <aneelica>
Component: Domain ManagementAssignee: jboss-set
Status: CLOSED WONTFIX QA Contact: Radim Hatlapatka <rhatlapa>
Severity: high Docs Contact:
Priority: high    
Version: 6.3.2CC: aneelica, bbaranow, cdewolf, dandread, darran.lofthouse, david.horowitz, emuckenh, grocha, jason.greene, jawilson, jstefl, krathod, lgao, mmiura, mturk, myarboro, pgier, pslavice, rsvoboda, s.packiaraj, tfonteyn, vtunka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: component:openssl
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-27 13:48:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1153854    
Bug Blocks:    

Description Arun Babu Neelicattu 2014-10-17 02:28:54 UTC 
This issue was reported to Product Security by Tom Fonteyne.

The current configuration options exposed for ssl, does not allow for protocols to be excluded.

The following configuration still allows SSLv3:

>                <server-identities>
>                    <ssl protocol="TLSv1">
>                        <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret" />
>                    </ssl>
>                </server-identities>

The behavior of this field should be similar to that of the connector configuration, which if set to the following disables SSlv3.

>            <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
>                <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2" key-alias="https" certificate-key-file="https.keystore" />
>            </connector>

This ability is important to prevent attacks like POODLE.
Comment 1 Arun Babu Neelicattu 2014-10-17 03:07:30 UTC 
Do note that, when using javax.net.ssl.SSLContext.getInstance("TLSv1"), a white list is not used and if TLSv1 fails or SSLv3 is requested, SSLv3 gets used.

This can be prevented by setting the enabled protocols as per [1, 2].

[1] http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html#setEnabledProtocols(java.lang.String[])
[2] http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
Comment 3 Arun Babu Neelicattu 2014-10-18 05:07:23 UTC 
POODLE mitigation for customers is detailed in section "EAP 6 Management Interfaces" of [1].

[1] https://access.redhat.com/solutions/1232233
Comment 6 Dave Horowitz 2014-10-27 13:56:22 UTC 
What is the thinking behind closing this as won't fix?  The https management interface will not allow one to disable SSLv3.  Setting TLSv1 does not exclude SSLv3.  The work-arouns, using stunnel per the documentation, is a work-around.  It does not resolve the root issue.  In the case of my application, I don't have control of running stunnel.
Comment 8 sakkanan 2014-12-15 23:04:07 UTC 
We are using Wildfly 8.0 server with management interface. As the issue description says we are not able to disable SSLv3. And stunnel is not an option for us. Since this issue is closed as 'CLOSED WONTFIX', is it something else can be done to disable SSLv3