Bug 1277389 - Default values for secure-socket-protocol parameters in rhq-server.properties and standalone-full.xml need updated to a valid protocol
Default values for secure-socket-protocol parameters in rhq-server.properties...
Product: JBoss Operations Network
Classification: JBoss
Component: Configuration (Show other bugs)
JON 3.3.4
Unspecified Unspecified
urgent Severity urgent
: ER01
: JON 3.3.5
Assigned To: Simeon Pinder
: Regression, Triaged
Depends On: 1277391
  Show dependency treegraph
Reported: 2015-11-03 03:46 EST by bkramer
Modified: 2016-10-31 21:42 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-02-03 10:03:28 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2039343 None None None 2016-01-28 17:22 EST

  None (edit)
Description bkramer 2015-11-03 03:46:44 EST
Description of problem:

Currently, security.secure-socket-protocol parameters from rhq-server.properties file are set as:

    ** rhq.server.client.security.secure-socket-protocol=TLS
    ** rhq.communications.connector.security.secure-socket-protocol=TLS
    ** rhq.server.tomcat.security.secure-socket-protocol=TLS

This worked fine in all versions until JBoss ON 3.3.4. However, in JBoss ON 3.3.4, protocol without version is not accepted any more. 

So, above "TLS" value should be replaced with "TLSv1,TLSv1.1,TLSv1.2".

Version-Release number of selected component (if applicable):
JBoss ON 3.3.4

How reproducible:

Steps to Reproduce:
1. Install JBoss ON 3.3.0;
2. Try to navigate to https://<jon-server-ip>:7443 and confirm that this works fine;
3. Upgrade to JBoss ON 3.3.4
4. Navigate to https://<jon-server-ip>:7443 and confirm that this failed.

Actual results:
Attempt to log in using https and 7443 port fails and on Firefox the following error is shown ssl_error_no_cypher_overlap. The same attempt on Chrome fails with ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.

Expected results:
No error is thrown and attempt to log in using https and 7443 works fine.

Additional info:
Comment 1 Larry O'Leary 2015-11-03 10:15:13 EST
Please note that the actual defaults are defined in standalone-full.xml provided by the JBoss ON server installer. The defaults in standalone-full.xml need to be updated.

In addition, the values are also explicitly re-set in the default rhq-server.properties file. Therefore, the explicit settings need updated as well.
Comment 2 Michael Burman 2015-11-04 07:26:26 EST
Simeon, is this standalone-full.xml coming from productization EAP 6.4 part?
Comment 9 Simeon Pinder 2015-12-09 01:29:19 EST
Moving to ON_QA as available to test with the following brew build:

JON Cumulative patch build: https://brewweb.devel.redhat.com/buildinfo?buildID=469635
  *Note: jon-server-patch-3.3.0.GA.zip maps to DR01 build of jon-server-3.3.0.GA-update-05.zip.
Comment 10 vsorokin 2015-12-14 17:24:38 EST
Reproduced in steps with parameters:

unzipped from jon-server-3.3.0.GA.zip
(edit by hands)
<entry key="rhq.communications.connector.transport" value="sslsocket" />
<entry key="rhq.agent.server.transport" value="sslservlet" />
<entry key="rhq.agent.server.bind-port" value="7443" />
bin/rhqctl.sh install --start
bin/rhqctl.sh status
first check of
bin/rhqctl.sh stop
unzip from jon-server-patch-3.3.0.GA.zip -> jon-server-3.3.0.GA-update-05/
apply-updates.sh <path-to-jon-3.3.0>
second check of

BINGO: No error is thrown and attempt to log in using https and 7443 works fine.

Comment 12 errata-xmlrpc 2016-02-03 10:03:28 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.