Bug 1153853 - (6.3.z) Management Interface: SSL configuration does not allow disabling protocols [eap-6.3.z]
Status: CLOSED WONTFIX
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.3.2
Hardware/OS: All Linux
Priority: high
Severity: high
Assigned To: jboss-set
QA Contact: Radim Hatlapatka
Whiteboard: component:openssl
Keywords: Security
Depends On: 1153854
Reported: 2014-10-16 22:28 EDT by Arun Babu Neelicattu
Modified: 2015-03-09 01:03 EDT
CC: 22 users
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-10-27 09:48:13 EDT
Attachments: None

Description Arun Babu Neelicattu 2014-10-16 22:28:54 EDT
This issue was reported to Product Security by Tom Fonteyne.

The current configuration options exposed for SSL do not allow protocols to be excluded.

The following configuration still allows SSLv3:

>                <server-identities>
>                    <ssl protocol="TLSv1">
>                        <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret" />
>                    </ssl>
>                </server-identities>

The behavior of this field should be similar to that of the connector configuration, which, if set to the following, disables SSLv3.

>            <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
>                <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2" key-alias="https" certificate-key-file="https.keystore" />
>            </connector>

This ability is important to prevent attacks like POODLE.
Comment 1 Arun Babu Neelicattu 2014-10-16 23:07:30 EDT
Do note that, when using javax.net.ssl.SSLContext.getInstance("TLSv1"), a whitelist is not used, and if TLSv1 fails or SSLv3 is requested, SSLv3 gets used.

This can be prevented by setting the enabled protocols as per [1, 2].

[1] http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLEngine.html#setEnabledProtocols(java.lang.String[])
[2] http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
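As an added illustration (not code from this bug, from EAP or from the JDK), the following Java program applies an allow-list of the kind the connector's protocol attribute expresses (protocol="TLSv1,TLSv1.1,TLSv1.2") to an SSLEngine through setEnabledProtocols; the context name is only a starting point, the enabled list is what the handshake honours. It assumes a JDK whose provider still supports SSLv3 (current JDKs already disable it via jdk.tls.disabledAlgorithms, so the "before" line will not list it there).

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class EnabledProtocolsDemo {

    /**
     * Turns a comma-separated protocol attribute such as
     * "TLSv1,TLSv1.1,TLSv1.2" into the subset that this engine
     * actually supports. Intersecting with getSupportedProtocols()
     * avoids the IllegalArgumentException that setEnabledProtocols
     * throws for names the provider does not know.
     */
    static String[] allowedProtocols(SSLEngine engine, String attribute) {
        List<String> wanted = Arrays.asList(attribute.split("\\s*,\\s*"));
        List<String> result = new ArrayList<>();
        for (String p : engine.getSupportedProtocols()) {
            if (wanted.contains(p)) {
                result.add(p);
            }
        }
        if (result.isEmpty()) {
            // Failing loudly beats an engine with nothing enabled,
            // which would reject every handshake with an opaque error.
            throw new IllegalStateException(
                "none of [" + attribute + "] is supported by this JDK");
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Same call as in the comment above: "TLSv1" names the context,
        // it does not restrict which protocol versions may be negotiated.
        SSLContext ctx = SSLContext.getInstance("TLSv1");
        ctx.init(null, null, null); // default key/trust managers, enough for the demo
        SSLEngine engine = ctx.createSSLEngine();

        System.out.println("enabled before: "
            + Arrays.toString(engine.getEnabledProtocols()));

        // Constructed attribute value mirroring the connector configuration.
        engine.setEnabledProtocols(allowedProtocols(engine, "TLSv1,TLSv1.1,TLSv1.2"));

        System.out.println("enabled after:  "
            + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The same filtering applies to an SSLSocket or SSLServerSocket, which expose setEnabledProtocols with the identical contract.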
Comment 3 Arun Babu Neelicattu 2014-10-18 01:07:23 EDT
POODLE mitigation for customers is detailed in section "EAP 6 Management Interfaces" of [1].

[1] https://access.redhat.com/solutions/1232233
Comment 6 Dave Horowitz 2014-10-27 09:56:22 EDT
What is the thinking behind closing this as won't fix? The https management interface will not allow one to disable SSLv3. Setting TLSv1 does not exclude SSLv3. The work-around, using stunnel per the documentation, is a work-around. It does not resolve the root issue. In the case of my application, I don't have control of running stunnel.
Comment 8 sakkanan 2014-12-15 18:04:07 EST
We are using Wildfly 8.0 server with management interface. As the issue description says, we are not able to disable SSLv3. And stunnel is not an option for us. Since this issue is closed as 'CLOSED WONTFIX', is there something else that can be done to disable SSLv3?