Bug 1153854

Summary: Management Interface: SSL configuration does not allow disabling protocols [6.4.0]
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Arun Babu Neelicattu <aneelica>
Component: Domain Management, Security
Assignee: Darran Lofthouse <darran.lofthouse>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavel Slavicek <pslavice>
Severity: high
Docs Contact:
Priority: high
Version: 6.4.0
CC: brian.stansberry, cdewolf, dandread, darran.lofthouse, grocha, jason.greene, jawilson, jkurik, jstefl, lgao, mturk, myarboro, pgier, pkremens, pslavice, rsvoboda, vtunka
Target Milestone: DR8
Keywords: Security
Target Release: EAP 6.4.0
Hardware: All
OS: Linux
Whiteboard: component:openssl
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, when a security realm was configured to supply an SSLContext it was possible to specify the protocol requested when creating that SSLContext, but not the protocols or cipher suites to be supported on the underlying SSLEngine. As a result, a strong set of protocols and cipher suites could not be selected for SSL connections. In this release users are able to specify a set of enabled protocols and cipher suites within the security realm definition; these are matched against the supported protocols and cipher suites to configure the underlying SSLEngine. In addition, if no configuration is specified, the enabled protocols default to TLSv1, TLSv1.1 and TLSv1.2. SSLv3 and earlier are no longer enabled by default, and the protocols and cipher suites can be configured further.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 11:44:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1155532
Bug Blocks: 1153853

Description Arun Babu Neelicattu 2014-10-17 02:30:37 UTC
+++ This bug was initially created as a clone of Bug #1153853 +++

This issue was reported to Product Security by Tom Fonteyne.

The current configuration options exposed for SSL do not allow protocols to be excluded.

The following configuration still allows SSLv3:

>                <server-identities>
>                    <ssl protocol="TLSv1">
>                        <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret" />
>                    </ssl>
>                </server-identities>

The behavior of this field should be similar to that of the connector configuration, which, if set to the following, disables SSLv3.

>            <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
>                <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2" key-alias="https" certificate-key-file="https.keystore" />
>            </connector>

This ability is important to prevent attacks like POODLE.
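As an added example (not part of this bug report and not code from the EAP project), the following Python script audits an EAP 6 XML configuration for the two `<ssl>` settings discussed above and reports where SSLv3 can still be negotiated. It parses a constructed `standalone.xml` fragment built from the two snippets in the description plus one deliberately weak connector; the namespace URIs in the sample are illustrative. For the security realm it checks the `protocol` attribute shown above and an `enabled-protocols` attribute, which is an assumed name for the per-realm protocol list the Doc Text says 6.4 introduces; the `realm_defaults_exclude_sslv3` switch encodes the Doc Text statement that from 6.4 an unconfigured realm defaults to TLSv1/1.1/1.2, whereas earlier releases leave SSLv3 enabled.

```python
"""Audit a JBoss EAP 6 configuration for <ssl> settings that still allow SSLv3.

Added example for this bug report; it is not EAP code. The 'enabled-protocols'
attribute name is an assumption, and the sample configuration is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Protocol names that must never appear in an enabled-protocol list
# (SSLv3 is the POODLE-affected version named in the report).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}


def _local(tag):
    """Strip the XML namespace from a tag: '{urn:jboss:domain:1.7}ssl' -> 'ssl'."""
    return tag.rsplit("}", 1)[-1]


def split_protocols(value):
    """Split a protocol-list attribute. The web connector uses a comma-separated
    list (see the <connector> snippet above); whitespace separators are accepted too."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def legacy_protocols_in(value):
    """Return the sorted legacy protocol names present in a protocol-list attribute."""
    return sorted(LEGACY_PROTOCOLS.intersection(split_protocols(value)))


def audit_ssl_config(xml_text, realm_defaults_exclude_sslv3=True):
    """Return a list of (context, name, message) findings for every <ssl> element.

    realm_defaults_exclude_sslv3=True models EAP 6.4 (unconfigured realm defaults to
    TLSv1/1.1/1.2, per the Doc Text); pass False for earlier releases, where only the
    SSLContext 'protocol' was configurable and SSLv3 stayed enabled.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}

    def enclosing(elem, wanted):
        while elem is not None:
            if _local(elem.tag) == wanted:
                return elem
            elem = parent_of.get(elem)
        return None

    findings = []
    for ssl in root.iter():
        if _local(ssl.tag) != "ssl":
            continue
        connector = enclosing(ssl, "connector")
        realm = enclosing(ssl, "security-realm")
        if connector is not None:
            # Web connector: 'protocol' on <ssl> is the enabled-protocol list.
            name = connector.get("name", "?")
            protocols = ssl.get("protocol")
            if protocols is None:
                findings.append(("connector", name,
                                 "no protocol list; enabled protocols fall back to JSSE defaults"))
            else:
                legacy = legacy_protocols_in(protocols)
                if legacy:
                    findings.append(("connector", name,
                                     "protocol list enables " + ", ".join(legacy)))
        elif realm is not None:
            # Security realm: 'protocol' only selects the SSLContext to request.
            name = realm.get("name", "?")
            enabled = ssl.get("enabled-protocols")  # assumed attribute name (EAP 6.4)
            if enabled is None:
                if not realm_defaults_exclude_sslv3:
                    findings.append(("realm", name,
                                     "only protocol=%r is set; before EAP 6.4 this does not "
                                     "exclude SSLv3" % ssl.get("protocol")))
            else:
                legacy = legacy_protocols_in(enabled)
                if legacy:
                    findings.append(("realm", name,
                                     "enabled-protocols enables " + ", ".join(legacy)))
    return findings


# Constructed sample: the realm and connector from the report plus one weak connector.
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:1.7">
  <management><security-realms>
    <security-realm name="ManagementRealm">
      <server-identities>
        <ssl protocol="TLSv1">
          <keystore path="https.keystore" relative-to="keystore.home"
                    keystore-password="secret" alias="https" key-password="secret"/>
        </ssl>
      </server-identities>
    </security-realm>
  </security-realms></management>
  <profile><subsystem xmlns="urn:jboss:domain:web:2.2">
    <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" secure="true">
      <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2"
           key-alias="https" certificate-key-file="https.keystore"/>
    </connector>
    <connector name="https-legacy" scheme="https" protocol="HTTP/1.1" socket-binding="https-legacy" secure="true">
      <ssl name="https-legacy" password="secret" protocol="SSLv3,TLSv1"
           key-alias="https" certificate-key-file="https.keystore"/>
    </connector>
  </subsystem></profile>
</server>"""

if __name__ == "__main__":
    for context, name, message in audit_ssl_config(SAMPLE_CONFIG, realm_defaults_exclude_sslv3=False):
        print("%s %s: %s" % (context, name, message))
```

Run against a real `standalone.xml` or `host.xml` by reading the file into `audit_ssl_config`; with the pre-6.4 switch the sample reports the realm (its `protocol="TLSv1"` does not exclude SSLv3) and the `https-legacy` connector, while the `https` connector with the explicit TLS-only list passes.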

Comment 8 Rostislav Svoboda 2014-10-21 12:33:55 UTC
QE ACK granted

Comment 12 Radim Hatlapatka 2014-11-10 17:12:06 UTC
Verified with EAP 6.4.0.DR8