| Field | Value |
|---|---|
| Summary | SSL 3.0 should be disabled by default for Web HTTPS listener |
| Product | [JBoss] JBoss Enterprise Application Platform 6 |
| Reporter | Ondrej Kotek <okotek> |
| Component | Web |
| Assignee | jboss-set |
| Status | CLOSED EOL |
| QA Contact | Ondrej Kotek <okotek> |
| Severity | high |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.3.3 |
| CC | fgavrilo, rmaucher |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-08-19 12:49:36 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |

Attachments:

- Created attachment 1127570 [details]: OpenSSL test connection log
- Created attachment 1127571 [details]: Scanner test log
Description of problem:

Having added an HTTPS connector to the Web subsystem with no protocol defined, the HTTPS listener accepts SSL 3.0 connections. SSL 3.0 is not secure and should be disabled by default (it should be disabled whenever it is not explicitly set in the protocol attribute of the HTTPS connector).

How reproducible:

Run the server on a Java with SSL 3.0 enabled. Add an HTTPS connector to the Web subsystem with no protocol defined. Try an SSL 3.0 handshake.

```xml
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true" enabled="true">
    <ssl key-alias="javaserver" password="tomcat" certificate-key-file="/path/to/server-cert-key-rsa.jks"
         verify-client="false" certificate-file="/path/to/server-cert-key-rsa.jks"
         ca-certificate-file="/path/to/ca-cert.jks"/>
</connector>
```

```
openssl s_client -connect localhost:8443 -msg -debug -state -nbio -ssl3
```

Actual results:

Handshake succeeds.

Expected results:

Handshake fails.

Additional info:

All current Java versions disable SSL 3.0 by default [1,2], but SSL 3.0 can be re-enabled for compatibility reasons. In JBoss EAP 6.4, SSL 3.0 is disabled by default.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1152789#c60
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1152789#c82
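As an added example (not part of the bug report and not JBoss EAP code), a Python check that parses a Web-subsystem fragment and flags HTTPS connectors whose `<ssl>` element either has no `protocol` attribute (the default this bug reports, which leaves SSL 3.0 negotiable) or names SSLv2, SSLv3 or ALL. The sample XML is constructed, modelled on the connector above, with a second hardened connector added for contrast; the `protocol` attribute on `<ssl>` and its accepted values are assumed from the EAP 6 configuration reference.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the reported connector (no ssl protocol attribute) plus a
# hardened variant whose ssl protocol attribute pins TLS versions only.
SAMPLE_WEB_SUBSYSTEM = """<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true" enabled="true">
    <ssl key-alias="javaserver" password="tomcat" certificate-key-file="/path/to/server-cert-key-rsa.jks"
         verify-client="false" certificate-file="/path/to/server-cert-key-rsa.jks"
         ca-certificate-file="/path/to/ca-cert.jks"/>
  </connector>
  <connector name="https-hardened" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl key-alias="javaserver" password="tomcat" certificate-key-file="/path/to/server-cert-key-rsa.jks"
         protocol="TLSv1,TLSv1.1,TLSv1.2"/>
  </connector>
</subsystem>"""

# Values of the ssl 'protocol' attribute (assumed from the EAP 6 reference)
# that still permit an SSL 3.0 handshake.
WEAK_PROTOCOL_TOKENS = {"SSLv2", "SSLv3", "SSLv2+SSLv3", "ALL"}


def _local(tag):
    """Strip the XML namespace (urn:jboss:domain:web:*) so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def audit_https_connectors(xml_text):
    """Return {connector name: finding} for every HTTPS connector whose <ssl>
    element would leave SSL 3.0 negotiable. Connectors without an <ssl> child
    are skipped: they have no TLS settings for this check to judge."""
    root = ET.fromstring(xml_text)
    findings = {}
    for conn in root.iter():
        if _local(conn.tag) != "connector":
            continue
        if conn.get("scheme") != "https" and conn.get("secure") != "true":
            continue
        ssl_el = next((c for c in conn if _local(c.tag) == "ssl"), None)
        if ssl_el is None:
            continue
        proto = ssl_el.get("protocol")
        if proto is None:
            findings[conn.get("name")] = "protocol attribute missing (SSL 3.0 not excluded)"
            continue
        weak = {t.strip() for t in proto.split(",")} & WEAK_PROTOCOL_TOKENS
        if weak:
            findings[conn.get("name")] = "protocol allows " + ", ".join(sorted(weak))
    return findings
```

Run it against the `<subsystem xmlns="urn:jboss:domain:web:...">` block of standalone.xml; only the connector named `https` is reported, the hardened one passes.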