Bug 1019375 - SSL Protocols Options are wrong / do not match JSSE defaults.
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Documentation
6.1.1
Unspecified Unspecified
unspecified Severity unspecified
: GA
: EAP 6.3.0
Assigned To: Joshua Wulf
Russell Dickenson
: Documentation
Depends On:
Blocks:
Reported: 2013-10-15 11:10 EDT by Eric Rich
Modified: 2014-10-19 19:02 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Build: CSProcessor Builder Version 1.12
Build Name: 19235, Security Guide-6.1-1
Build Date: 05-09-2013 10:48:22
Topic ID: 9038-496418 [Specified]
Last Closed: 2014-08-06 10:35:18 EDT
Type: Bug


Description Eric Rich 2013-10-15 11:10:31 EDT
Title: SSL Connector Reference

Describe the issue:
The options listed in the 'protocol' section of the document do not match what the default JVM options are. 

    SSLv2, SSLv3, TLSv1, SSLv2+SSLv3, and ALL. The default is ALL.

Suggestions for improvement:

Under Oracle 1.7 JVM with just the SunJSSE provider the valid values are: [0]
    SSLv3, TLSv1, TLSv1.1, TLSv1.2, SSLv2Hello 

Our documentation says the following are supported:
    SSLv2, SSLv3, TLSv1, SSLv2+SSLv3 and ALL.

However, under Java 1.7 JSSE here's what those values do:

SSLv2 -- default which is all the protocols, but NOT SSL v2 since that is not supported
SSLv3 -- Works as expected
TLSv1 -- Works as expected (only get TLSv1)
SSLv2+SSLv3 -- default which is all the protocols, but NOT SSL v2 since that is not supported
ALL -- Works as expected (somewhat).  Gives the default which is all the protocols, but NOT SSL v2 since that is not supported

Also, keep in mind the actual valid values are from the JSSE provider and any combination separated by commas.

Additional information:

[0] http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

SSLv2Hello isn't SSLv2; it's just a backwards-compatible hello.
Comment 1 Chris Dolphy 2013-10-15 11:15:08 EDT
I think the important thing to mention is that protocol is passed along to the underlying implementation (either JSSE or OpenSSL) and the valid values depend on those implementations.
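
Added example (not part of the original report and not JBoss code): a small Java check that asks the JVM's default JSSE provider which protocol names it supports and enables, then tests a configured comma-separated value against that list. The class name, method name and sample values are assumptions made for illustration; it only compares names against the provider and does not reproduce how the connector itself treats aliases such as ALL.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ProtocolAttributeCheck {

    // Splits a comma-separated protocol list; names the provider supports are
    // returned, everything else is collected in 'unrecognised'.
    static List<String> recognised(String configured, Set<String> supported,
                                   List<String> unrecognised) {
        List<String> ok = new ArrayList<String>();
        for (String token : configured.split(",")) {
            String name = token.trim();
            if (name.isEmpty()) {
                continue;
            }
            if (supported.contains(name)) {
                ok.add(name);
            } else {
                unrecognised.add(name);
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters sup = ctx.getSupportedSSLParameters();
        Set<String> supported = new LinkedHashSet<String>(Arrays.asList(sup.getProtocols()));
        System.out.println("Supported by provider: " + supported);
        System.out.println("Enabled by default:    "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        // Constructed sample inputs: the documented values quoted in this bug
        // plus one comma-separated list of JSSE names.
        String[] samples = {"SSLv2", "SSLv3", "TLSv1", "SSLv2+SSLv3", "ALL", "TLSv1.1,TLSv1.2"};
        for (String value : samples) {
            List<String> unrecognised = new ArrayList<String>();
            List<String> ok = recognised(value, supported, unrecognised);
            System.out.println(value + " -> JSSE names: " + ok
                    + ", not JSSE names: " + unrecognised);
        }
    }
}
```

The output depends on the JVM version and its security properties, so run it on the same JVM that hosts the connector.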
Comment 3 Filip Bogyai 2014-07-22 09:16:13 EDT
Verified in Revision 6.3.0-37
