Bug 1153854 - Management Interface: SSL configuration does not allow disabling protocols [6.4.0]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management, Security
Version: 6.4.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: DR8
Target Release: EAP 6.4.0
Assignee: Darran Lofthouse
QA Contact: Pavel Slavicek
URL:
Whiteboard: component:openssl
Depends On: 1155532
Blocks: 1153853
 
Reported: 2014-10-17 02:30 UTC by Arun Babu Neelicattu
Modified: 2019-07-11 08:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, when a security realm was configured to supply an SSLContext it was possible to specify the protocol requested when creating that SSLContext, but not the protocols or cipher suites enabled on the underlying SSLEngine. As a result, a strong set of protocols and cipher suites could not be selected for SSL connections. In this release, users can specify a set of enabled protocols and cipher suites within the security realm definition. These are matched against the protocols and cipher suites the SSLEngine supports, and only the matching ones are enabled on the engine. In addition, if no configuration is specified the enabled protocols default to TLSv1, TLSv1.1 and TLSv1.2; SSLv3 and earlier are no longer enabled by default, and both the protocols and the cipher suites can be configured further.
Clone Of:
Environment:
Last Closed: 2019-06-10 11:44:09 UTC
Type: Bug
Embargoed:




Links
System                  ID           Private  Priority  Status    Summary                                                                                                      Last Updated
Red Hat Issue Tracker   WFCORE-180   0        Critical  Resolved  Add attribute to specify enabled-protocols for HTTPS within domain management.                              2019-06-10 11:43:40 UTC
Red Hat Issue Tracker   WFCORE-182   0        Major     Resolved  Provide means to specify allowed ciphers for management HTTPS or change default to exclude weak ciphers.    2019-06-10 11:43:40 UTC
Red Hat Issue Tracker   WFLY-3993    0        Critical  Closed    Add attribute to specify enabled-protocols for HTTPS within domain management.                              2019-06-10 11:43:40 UTC
Red Hat Issue Tracker   WFLY-3998    0        Major     Closed    Add option to define enabled cipher suites within SSL definitions in security realms.                       2019-06-10 11:43:40 UTC

Description Arun Babu Neelicattu 2014-10-17 02:30:37 UTC
+++ This bug was initially created as a clone of Bug #1153853 +++

This issue was reported to Product Security by Tom Fonteyne.

The current configuration options exposed for ssl do not allow protocols to be excluded.

The following configuration still allows SSLv3:

>                <server-identities>
>                    <ssl protocol="TLSv1">
>                        <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret" />
>                    </ssl>
>                </server-identities>

The behavior of this field should be similar to that of the connector configuration, which, if set to the following, disables SSLv3.

>            <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
>                <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2" key-alias="https" certificate-key-file="https.keystore" />
>            </connector>

This ability is important to prevent attacks like POODLE.

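Added illustration, not part of this bug report and not EAP's own code: the Java below shows at the JSSE level why the realm's protocol="TLSv1" attribute quoted above did not exclude SSLv3, and what the 6.4.0 change described in the Doc Text (a configured list of protocols and cipher suites matched against what the SSLEngine supports) amounts to. The class name, the match() and hardenedEngine() helpers, the requested lists and the error handling are my own choices; EAP's real implementation is in the domain management code tracked by WFCORE-180 and WFCORE-182 and is not reproduced here.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * The "protocol" string passed to SSLContext.getInstance() only picks a
 * provider implementation. What a handshake will actually accept is the
 * SSLEngine's *enabled* protocol set, which on JDKs of the time still
 * included SSLv3 even for a context obtained with "TLSv1".
 */
public class RealmSslProtocols {

    /**
     * Hypothetical equivalent of the fix's matching step: keep only the
     * configured entries the engine supports, in configured order, with
     * duplicates dropped. An empty result lets the caller fail loudly
     * instead of silently keeping the engine defaults.
     */
    static String[] match(String[] supported, List<String> configured) {
        Set<String> supportedSet = new LinkedHashSet<String>(Arrays.asList(supported));
        List<String> enabled = new ArrayList<String>();
        for (String entry : configured) {
            if (supportedSet.contains(entry) && !enabled.contains(entry)) {
                enabled.add(entry);
            }
        }
        return enabled.toArray(new String[enabled.size()]);
    }

    /** Builds a server-side engine restricted to the configured lists. */
    static SSLEngine hardenedEngine(SSLContext ctx, List<String> protocols, List<String> ciphers) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);

        String[] enabledProtocols = match(engine.getSupportedProtocols(), protocols);
        if (enabledProtocols.length == 0) {
            throw new IllegalStateException("none of the configured protocols are supported: " + protocols);
        }
        engine.setEnabledProtocols(enabledProtocols);

        // Cipher suites are optional; an explicit list is applied the same way.
        if (ciphers != null && !ciphers.isEmpty()) {
            String[] enabledCiphers = match(engine.getSupportedCipherSuites(), ciphers);
            if (enabledCiphers.length == 0) {
                throw new IllegalStateException("none of the configured cipher suites are supported: " + ciphers);
            }
            engine.setEnabledCipherSuites(enabledCiphers);
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // "Before": the realm's protocol="TLSv1" only selected the context.
        SSLContext ctx = SSLContext.getInstance("TLSv1");
        ctx.init(null, null, null);   // default key/trust managers; no handshake is attempted here
        SSLEngine plain = ctx.createSSLEngine();
        plain.setUseClientMode(false);
        System.out.println("enabled by default: " + Arrays.toString(plain.getEnabledProtocols()));
        // On a 2014-era JDK 7 that list contains SSLv3. Current JDKs already
        // remove it via jdk.tls.disabledAlgorithms, so the output differs there.

        // "After": an explicit enabled list, as the 6.4.0 realm definition allows.
        List<String> wanted = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2");
        SSLEngine hardened = hardenedEngine(ctx, wanted, null);
        System.out.println("enabled after matching: " + Arrays.toString(hardened.getEnabledProtocols()));

        // A list the engine cannot satisfy fails fast rather than leaving defaults in place.
        try {
            hardenedEngine(ctx, Arrays.asList("NoSuchProtocol"), null);
        } catch (IllegalStateException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Compile and run with javac/java on JDK 7 or later; no server is needed because nothing handshakes. To confirm the effect on a running EAP 6.4 management interface, attempt an SSLv3-only handshake against it with a client that can still speak SSLv3 (for example openssl s_client -ssl3 from an OpenSSL build that has not dropped SSLv3) and check that the handshake is refused while a TLSv1.2 handshake succeeds.
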
Comment 8 Rostislav Svoboda 2014-10-21 12:33:55 UTC
QE ACK granted

Comment 12 Radim Hatlapatka 2014-11-10 17:12:06 UTC
Verified with EAP 6.4.0.DR8

