Bug 1302151

Summary: [GSS](6.4.z) Windows natives openssl needs to support TLSv1.2
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Robert Bost <rbost>
Component: Web, Apache Server (httpd) and Connectors, Security, opensslAssignee: Jean-frederic Clere <jclere>
Status: CLOSED CURRENTRELEASE QA Contact: Ivo Hradek <ihradek>
Severity: high Docs Contact:
Priority: high    
Version: 6.4.0CC: bmaxwell, jclere, joarcher, mbabacek, rmaucher, rmody, vtunka, weli
Target Milestone: DR1   
Target Release: EAP 6.4.9   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-17 14:48:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1340911    
Bug Blocks:    

Description Robert Bost 2016-01-26 23:10:04 UTC 
Description of problem: The openssl.exe included in JBoss EAP Windows natives does not support TLSv1.2. We need to support the latest version of tls protocol. 


Version-Release number of selected component (if applicable): 6.4.0


Additional info:
PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe ciphers TLSv1.2
Error in cipher list
2656:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:.\ssl\ssl_ciph.c:836:

PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe ciphers TLSv1
ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES
128-SHA:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:ADH-RC4-MD5:EXP-ADH-RC4-MD5:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DE
S-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:DES-CBC3-SHA:DES-CBC-
SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:RC4-SHA:RC4-MD5:EXP-RC4-MD5:NULL-SHA:NULL-MD5
Comment 1 Robert Bost 2016-01-27 15:45:44 UTC 
Setting high severity/priority. OpenSSL dropped support for 0.9.8 on Dec 31st, 2015. 

https://www.openssl.org/policies/releasestrat.html:
"Support for version 0.9.8 will cease on 2015-12-31. No further releases of 0.9.8 will be made after that date. Security fixes only will be applied to 0.9.8 until then."
Comment 2 Vaclav Tunka 2016-01-28 12:19:15 UTC 
Moving this Jean-Frederic's way, as SET team does not handle native compoennts.
Comment 19 Michal Karm Babacek 2016-08-08 16:34:51 UTC 
OpenSSL 1.0.2h supports TLS 1.2, so this could be probably trivially verified. Leaving it to Martin who executed EAP 6 Ciphers test suite.
Comment 20 Ivo Hradek 2016-08-11 15:30:36 UTC 
Verified for TLSv1.2
Comment 21 john archer 2016-08-22 17:49:53 UTC 
Would this work for natives on Windows as well then?  When could a customer receive this version that would provide TLS 1.2?
Comment 27 Petr Penicka 2017-01-17 14:48:22 UTC 
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.