Bug 1153854 - Management Interface: SSL configuration does not allow disabling protocols [6.4.0]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management, Security
Version: 6.4.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: DR8
Target Release: EAP 6.4.0
Assignee: Darran Lofthouse
QA Contact: Pavel Slavicek
URL:
Whiteboard: component:openssl
Depends On: 1155532
Blocks: 1153853
Reported: 2014-10-17 02:30 UTC by Arun Babu Neelicattu
Modified: 2019-07-11 08:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-10 11:44:09 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker WFCORE-180 0 Critical Resolved Add attribute to specify enabled-protocols for HTTPS within domain management. 2019-06-10 11:43:40 UTC
Red Hat Issue Tracker WFCORE-182 0 Major Resolved provide means to specify allowed ciphers for management https or change default to exclude weak ciphers 2019-06-10 11:43:40 UTC
Red Hat Issue Tracker WFLY-3993 0 Critical Closed Add attribute to specify enabled-protocols for HTTPS within domain management. 2019-06-10 11:43:40 UTC
Red Hat Issue Tracker WFLY-3998 0 Major Closed Add option to define enabled cipher suites within SSL definitions in security realms. 2019-06-10 11:43:40 UTC

Description Arun Babu Neelicattu 2014-10-17 02:30:37 UTC
+++ This bug was initially created as a clone of Bug #1153853 +++

This issue was reported to Product Security by Tom Fonteyne.

The current configuration options exposed for SSL do not allow protocols to be excluded.

The following configuration still allows SSLv3:

>                <server-identities>
>                    <ssl protocol="TLSv1">
>                        <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret" />
>                    </ssl>
>                </server-identities>

The behavior of this field should be similar to that of the connector configuration, which, if set to the following, disables SSLv3.

>            <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" enable-lookups="false" secure="true">
>                <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2" key-alias="https" certificate-key-file="https.keystore" />
>            </connector>

This ability is important to prevent attacks like POODLE.

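As an added illustration (not code from the bug report, from JBoss EAP or from the WildFly project), the following Python script audits a configuration in the shape of the two snippets quoted above and flags the difference the report describes: on a security-realm `<ssl>` the `protocol` attribute only selects the SSLContext and cannot exclude SSLv3, whereas on a connector `<ssl>` the `protocol` attribute is the comma-separated list of enabled protocols. The attribute name `enabled-protocols` for the realm case is taken from the WFCORE-180 summary linked on this page; the sample configuration is constructed and uses no namespace, while the script strips any namespace it meets so a real standalone.xml can be passed in as well.

```python
"""Audit JBoss EAP 6 style XML for SSL protocol settings that leave SSLv3 negotiable.

Added example; it assumes the attribute names shown on this bug page:
  - security-realm <ssl protocol="..." enabled-protocols="...">  (enabled-protocols per WFCORE-180)
  - connector      <ssl protocol="TLSv1,TLSv1.1,TLSv1.2">          (connector protocol list)
"""
import xml.etree.ElementTree as ET

# Protocol names that should never appear in an enabled list.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

# Constructed sample (no namespace) in the shape of the snippets quoted in the report.
SAMPLE_CONFIG = """<server>
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <server-identities>
          <ssl protocol="TLSv1">
            <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret"/>
          </ssl>
        </server-identities>
      </security-realm>
      <security-realm name="HardenedRealm">
        <server-identities>
          <ssl protocol="TLS" enabled-protocols="TLSv1.1,TLSv1.2">
            <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret"/>
          </ssl>
        </server-identities>
      </security-realm>
    </security-realms>
  </management>
  <subsystem>
    <connector name="https" scheme="https" protocol="HTTP/1.1" socket-binding="https" secure="true">
      <ssl name="https" password="secret" protocol="TLSv1,TLSv1.1,TLSv1.2" key-alias="https" certificate-key-file="https.keystore"/>
    </connector>
    <connector name="legacy-https" scheme="https" protocol="HTTP/1.1" socket-binding="https" secure="true">
      <ssl name="legacy" password="secret" protocol="SSLv3,TLSv1" key-alias="https" certificate-key-file="https.keystore"/>
    </connector>
  </subsystem>
</server>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{urn:jboss:domain:1.7}ssl' -> 'ssl'."""
    return tag.rsplit("}", 1)[-1]


def _protocols(value):
    """Split a comma-separated protocol list into clean names."""
    return [p.strip() for p in value.split(",") if p.strip()]


def _ancestor(elem, parents, local_name):
    """Walk up the parent map until an element with the given local tag name is found."""
    while elem in parents:
        elem = parents[elem]
        if _local(elem.tag) == local_name:
            return elem
    return None


def audit_ssl_protocols(xml_text):
    """Return a list of (location, message) findings for every <ssl> element."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for ssl in root.iter():
        if _local(ssl.tag) != "ssl":
            continue
        realm = _ancestor(ssl, parents, "security-realm")
        connector = _ancestor(ssl, parents, "connector")
        if realm is not None:
            where = "security-realm %s" % realm.get("name", "?")
            enabled = ssl.get("enabled-protocols")
            if enabled is None:
                # 'protocol' picks the SSLContext; without an enabled list SSLv3 stays negotiable.
                findings.append((where, "no enabled-protocols attribute; protocol=%r does not "
                                        "exclude SSLv3" % ssl.get("protocol")))
            else:
                weak = sorted(set(_protocols(enabled)) & WEAK_PROTOCOLS)
                if weak:
                    findings.append((where, "enabled-protocols lists %s" % ", ".join(weak)))
        elif connector is not None:
            where = "connector %s" % connector.get("name", "?")
            protocol = ssl.get("protocol")
            if protocol is None:
                findings.append((where, "no protocol list; allowed protocols are not pinned"))
            else:
                weak = sorted(set(_protocols(protocol)) & WEAK_PROTOCOLS)
                if weak:
                    findings.append((where, "protocol list contains %s" % ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for location, message in audit_ssl_protocols(SAMPLE_CONFIG):
        print("%s: %s" % (location, message))
```

Run against the sample, the script reports the ManagementRealm (no `enabled-protocols`) and the legacy connector (SSLv3 in its list) and stays silent on the hardened realm and the TLS-only connector. Feeding it a real configuration file (`audit_ssl_protocols(open(path).read())`) gives the same per-element verdicts.
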
Comment 8 Rostislav Svoboda 2014-10-21 12:33:55 UTC
QE ACK granted

Comment 12 Radim Hatlapatka 2014-11-10 17:12:06 UTC
Verified with EAP 6.4.0.DR8
