Bug 1153854 - Management Interface: SSL configuration does not allow disabling protocols [6.4.0]
Status: VERIFIED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management, Security
Version: 6.4.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: DR8
Target Release: EAP 6.4.0
Assigned To: Darran Lofthouse
QA Contact: Pavel Slavicek
Whiteboard: component:openssl
Keywords: Security
Depends On: 1155532
Blocks: 1153853
Reported: 2014-10-16 22:30 EDT by Arun Babu Neelicattu
Modified: 2018-06-07 17:32 EDT
CC: 16 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, a security realm that supplied an SSLContext let you choose the protocol requested when the SSLContext was created, but not the protocols or cipher suites the underlying SSLEngine would accept. A strong set of protocols and cipher suites could therefore not be selected for SSL connections. In this release a set of enabled protocols and cipher suites can be specified in the security realm definition; they are matched against the protocols and cipher suites the engine supports and used to configure the underlying SSLEngine. If no protocols are configured, TLSv1, TLSv1.1 and TLSv1.2 are enabled by default; SSLv3 and earlier are no longer enabled by default, and both the protocols and the cipher suites can be restricted further.
Type: Bug

External Trackers
Tracker             | ID         | Priority | Status   | Summary                                                                                            | Last Updated
JBoss Issue Tracker | WFCORE-180 | Critical | Resolved | Add attribute to specify enabled-protocols for HTTPS within domain management.                      | 2018-06-18 14:20 EDT
JBoss Issue Tracker | WFCORE-182 | Major    | Resolved | provide means to specify allowed ciphers for management https or change default to exclude weak ciphers | 2018-06-18 14:20 EDT
JBoss Issue Tracker | WFLY-3993  | Critical | Closed   | Add attribute to specify enabled-protocols for HTTPS within domain management.                      | 2018-06-18 14:20 EDT
JBoss Issue Tracker | WFLY-3998  | Major    | Closed   | Add option to define enabled cipher suites within SSL definitions in security realms.               | 2018-06-18 14:20 EDT

Description Arun Babu Neelicattu 2014-10-16 22:30:37 EDT
+++ This bug was initially created as a clone of Bug #1153853 +++

This issue was reported to Product Security by Tom Fonteyne.

The current configuration options exposed for SSL do not allow protocols to be excluded.

The following configuration still allows SSLv3:

>                <server-identities>
>                    <ssl protocol="TLSv1">
>                        <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret" />
>                    </ssl>
>                </server-identities>

The behavior of this field should be similar to that of the connector configuration, which if set to the following disables SSLv3.

>            <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
>                <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2" key-alias="https" certificate-key-file="https.keystore" />
>            </connector>

This ability is important to prevent attacks like POODLE.
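The following is an added example, not code from the original report or from JBoss EAP/WildFly. It models the behaviour described in the Doc Text and in the report above: before the fix, the `protocol` attribute only selected the SSLContext and the SSLEngine kept the provider's default enabled set (SSLv3 included on Java 7), so the reporter's `<ssl protocol="TLSv1">` still accepted SSLv3; after the fix, `enabled-protocols` and `enabled-cipher-suites` are matched against what the engine supports, with TLSv1, TLSv1.1 and TLSv1.2 as the default. The JSSE supported/default lists are constructed samples, the whitespace-separated list syntax for the XML attributes is an assumption, and `probe_version` is a hypothetical helper for checking a live management interface with Python's `ssl` module.

```python
"""Effective SSLEngine settings for an EAP 6 security-realm <ssl> definition.

Added example (not JBoss EAP/WildFly code).  Models the pre-fix and post-fix
behaviour described in the bug and offers a live probe for verification.
"""
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed sample of a Java 7 JSSE server-side SSLEngine's supported lists.
JSSE_SUPPORTED_PROTOCOLS = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
JSSE_SUPPORTED_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]
# Pre-fix: the engine's own default enabled set, which on Java 7 still includes SSLv3.
JSSE_DEFAULT_ENABLED_PROTOCOLS = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# Post-fix default when enabled-protocols is not configured (from the release note).
FIXED_DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]

# The reporter's configuration (still SSLv3-capable before the fix) ...
OLD_CONFIG = """
<server-identities>
    <ssl protocol="TLSv1">
        <keystore path="https.keystore" relative-to="keystore.home"
                  keystore-password="secret" alias="https" key-password="secret"/>
    </ssl>
</server-identities>
"""
# ... and a hardened one using the attributes the fix adds.  TLS_RSA_WITH_NULL_SHA is
# deliberately listed to show that an entry the engine does not support is dropped.
NEW_CONFIG = """
<server-identities>
    <ssl protocol="TLSv1" enabled-protocols="TLSv1.1 TLSv1.2"
         enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_NULL_SHA">
        <keystore path="https.keystore" relative-to="keystore.home"
                  keystore-password="secret" alias="https" key-password="secret"/>
    </ssl>
</server-identities>
"""


def _find_ssl(xml_text):
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.split("}")[-1] == "ssl":  # tolerate a urn:jboss:domain namespace
            return elem
    raise ValueError("no <ssl> element found")


def _split_list(value):
    # Assumption: list attributes are whitespace (or comma) separated in the XML.
    return value.replace(",", " ").split()


def effective_settings(xml_text, fixed=True):
    """Return (protocols, cipher_suites, ignored) as the SSLEngine would end up with.

    fixed=False models the pre-fix server, fixed=True models EAP 6.4.0.DR8 and later.
    Raises ValueError if the configuration leaves nothing the engine can negotiate.
    """
    ssl_elem = _find_ssl(xml_text)
    if not fixed:
        # `protocol` only chose the SSLContext; the engine kept the provider defaults.
        return list(JSSE_DEFAULT_ENABLED_PROTOCOLS), list(JSSE_SUPPORTED_CIPHERS), []

    wanted_protocols = _split_list(ssl_elem.get("enabled-protocols", "")) or FIXED_DEFAULT_PROTOCOLS
    wanted_ciphers = _split_list(ssl_elem.get("enabled-cipher-suites", "")) or JSSE_SUPPORTED_CIPHERS

    protocols = [p for p in wanted_protocols if p in JSSE_SUPPORTED_PROTOCOLS]
    ciphers = [c for c in wanted_ciphers if c in JSSE_SUPPORTED_CIPHERS]
    ignored = ([p for p in wanted_protocols if p not in JSSE_SUPPORTED_PROTOCOLS]
               + [c for c in wanted_ciphers if c not in JSSE_SUPPORTED_CIPHERS])
    if not protocols or not ciphers:
        raise ValueError("no usable protocol or cipher suite left; unsupported: %s" % ignored)
    return protocols, ciphers, ignored


def probe_version(host, port, version):
    """Handshake with one pinned TLS version against a live endpoint (hypothetical helper).

    True = accepted, False = refused, None = the local OpenSSL cannot speak that version
    (usual for SSLv3; check those with `openssl s_client -ssl3` on a legacy build).
    Needs a running management interface, so the offline checks do not call it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the protocol is under test here, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionError, socket.timeout):
        return False


if __name__ == "__main__":
    cases = (("before fix", OLD_CONFIG, False),
             ("after fix, no new attributes", OLD_CONFIG, True),
             ("after fix, hardened", NEW_CONFIG, True))
    for label, cfg, fixed in cases:
        protocols, ciphers, ignored = effective_settings(cfg, fixed)
        print("%-30s protocols=%s ciphers=%d ignored=%s" % (label, protocols, len(ciphers), ignored))
    # Live check of an upgraded server, e.g.:
    # print(probe_version("localhost", 9443, ssl.TLSVersion.TLSv1_2))
```

The point to take from the model is that `protocol="TLSv1"` alone never excluded anything: only the new `enabled-protocols` list (or its post-fix default) narrows the engine. For a live verification, a False from `probe_version` for a version your own OpenSSL build has disabled is inconclusive; confirm SSLv3 refusal with `openssl s_client -connect host:9443 -ssl3` on a build that still supports it.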
Comment 8 Rostislav Svoboda 2014-10-21 08:33:55 EDT
QE ACK granted
Comment 12 Radim Hatlapatka 2014-11-10 12:12:06 EST
Verified with EAP 6.4.0.DR8
