Bug 1302151 - [GSS](6.4.z) Windows natives openssl needs to support TLSv1.2
[GSS](6.4.z) Windows natives openssl needs to support TLSv1.2
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web, Apache Server (httpd) and Connectors, Security, openssl (Show other bugs)
Unspecified Unspecified
high Severity high
: DR1
: EAP 6.4.9
Assigned To: Jean-frederic Clere
Ivo Hradek
Depends On: 1340911
  Show dependency treegraph
Reported: 2016-01-26 18:10 EST by Robert Bost
Modified: 2017-01-17 09:48 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-01-17 09:48:22 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Robert Bost 2016-01-26 18:10:04 EST
Description of problem: The openssl.exe included in JBoss EAP Windows natives does not support TLSv1.2. We need to support the latest version of tls protocol. 

Version-Release number of selected component (if applicable): 6.4.0

Additional info:
PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe ciphers TLSv1.2
Error in cipher list
2656:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:.\ssl\ssl_ciph.c:836:

PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe ciphers TLSv1
Comment 1 Robert Bost 2016-01-27 10:45:44 EST
Setting high severity/priority. OpenSSL dropped support for 0.9.8 on Dec 31st, 2015. 

"Support for version 0.9.8 will cease on 2015-12-31. No further releases of 0.9.8 will be made after that date. Security fixes only will be applied to 0.9.8 until then."
Comment 2 Vaclav Tunka 2016-01-28 07:19:15 EST
Moving this Jean-Frederic's way, as SET team does not handle native compoennts.
Comment 19 Michal Karm Babacek 2016-08-08 12:34:51 EDT
OpenSSL 1.0.2h supports TLS 1.2, so this could be probably trivially verified. Leaving it to Martin who executed EAP 6 Ciphers test suite.
Comment 20 Ivo Hradek 2016-08-11 11:30:36 EDT
Verified for TLSv1.2
Comment 21 john archer 2016-08-22 13:49:53 EDT
Would this work for natives on Windows as well then?  When could a customer receive this version that would provide TLS 1.2?
Comment 27 Petr Penicka 2017-01-17 09:48:22 EST
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Note You need to log in before you can comment on or make changes to this bug.