Bug 1019375 - SSL Protocols Options are wrong / do not match JSSE defaults.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: EAP 6.3.0
Assignee: Joshua Wulf
QA Contact: Russell Dickenson
Reported: 2013-10-15 15:10 UTC by Eric Rich
Modified: 2018-12-03 20:18 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Build: CSProcessor Builder Version 1.12 Build Name: 19235, Security Guide-6.1-1 Build Date: 05-09-2013 10:48:22 Topic ID: 9038-496418 [Specified]
Last Closed: 2014-08-06 14:35:18 UTC
Type: Bug
Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1121688 0 unspecified CLOSED Setting invalid protocol names in ssl configuration isn't shown to the user and is automatically changed to default valu... 2021-02-22 00:41:40 UTC

Internal Links: 1121688

Description Eric Rich 2013-10-15 15:10:31 UTC
Title: SSL Connector Reference

Describe the issue:
The options listed in the 'protocol' section of the document do not match what the default JVM options are. 

    SSLv2, SSLv3, TLSv1, SSLv2+SSLv3, and ALL. The default is ALL.

Suggestions for improvement:

Under Oracle 1.7 JVM with just the SunJSSE provider the valid values are: [0]
    SSLv3, TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello 

Our documentation says the following are supported:
    SSLv2, SSLv3, TLSv1, SSLv2+SSLv3 and ALL.

However, under Java 1.7 JSSE here's what those values do:

SSLv2 -- default which is all the protocols, but NOT SSL v2 since that is not supported
SSLv3 -- Works as expected
TLSv1 -- Works as expected (only get TLSv1)
SSLv2+SSLv3 -- default which is all the protocols, but NOT SSL v2 since that is not supported
ALL -- Works as expected (somewhat). Gives the default which is all the protocols, but NOT SSL v2 since that is not supported

Also, keep in mind the actual valid values are from the JSSE provider and any combination separated by commas.

Additional information:

[0] http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

SSLv2Hello isn't SSLv2 .. it's just a backwards compatible hello

Comment 1 Chris Dolphy 2013-10-15 15:15:08 UTC
I think the important thing to mention is that protocol is passed along to the underlying implementation (either JSSE or OpenSSL) and the valid values depend on those implementations.

Comment 3 FIlip Bogyai 2014-07-22 13:16:13 UTC
Verified in Revision 6.3.0-37
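
The check that the description and Comment 1 point to, as an added example that is not part of the bug report or of JBoss EAP: it asks the local JSSE provider which protocol names it supports and flags configured names the provider does not recognise. The class name `ProtocolCheck` and the sample values are constructed for illustration; the output depends on the JVM and its security configuration.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Added example: checks a connector-style "protocol" value against the local JSSE provider. */
public class ProtocolCheck {

    /** Protocol names the JVM's default SSLContext can enable (provider- and version-dependent). */
    static Set<String> supported() throws Exception {
        return new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
    }

    /** Splits a comma-separated value and returns the names the provider does not recognise. */
    static List<String> unrecognised(String configured, Set<String> supported) {
        List<String> bad = new ArrayList<>();
        for (String name : configured.split(",")) {
            String p = name.trim();
            if (!p.isEmpty() && !supported.contains(p)) {
                bad.add(p);
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = supported();
        System.out.println("Supported by this JSSE provider: " + supported);
        System.out.println("Enabled by default: " + Arrays.toString(
                SSLContext.getDefault().getDefaultSSLParameters().getProtocols()));

        // Constructed sample values: the documented ones from the report plus a comma-separated list.
        String[] samples = {"SSLv2", "SSLv3", "TLSv1", "SSLv2+SSLv3", "ALL", "TLSv1.1,TLSv1.2"};
        for (String value : samples) {
            List<String> bad = unrecognised(value, supported);
            System.out.println(String.format("%-16s %s", value,
                    bad.isEmpty() ? "accepted as written"
                                  : "not a JSSE protocol name: " + bad));
        }
    }
}
```

Running this on the JVM that hosts the server shows which configured values would be passed through unchanged and which are names the provider does not know, the case the report describes as falling back to the defaults.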

