Bug 1302151 - [GSS](6.4.z) Windows natives openssl needs to support TLSv1.2
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web, Apache Server (httpd) and Connectors, Security, openssl
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: DR1
Target Release: EAP 6.4.9
Assignee: Jean-frederic Clere
QA Contact: Ivo Hradek
URL:
Whiteboard:
Depends On: 1340911
Blocks:
Reported: 2016-01-26 23:10 UTC by Robert Bost
Modified: 2019-12-16 05:19 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-01-17 14:48:22 UTC
Type: Bug
Embargoed:


Description Robert Bost 2016-01-26 23:10:04 UTC
Description of problem: The openssl.exe included in JBoss EAP Windows natives does not support TLSv1.2. We need to support the latest version of the TLS protocol.


Version-Release number of selected component (if applicable): 6.4.0


Additional info:
PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe ciphers TLSv1.2
Error in cipher list
2656:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:.\ssl\ssl_ciph.c:836:

PS C:\Users\test\Desktop\jboss-eap-native-utils-6.4.0-win6.x86_64\jboss-eap-6.4\modules\system\layers\base\native\bin> .\openssl.exe ciphers TLSv1
ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:ADH-RC4-MD5:EXP-ADH-RC4-MD5:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:DES-CBC3-SHA:DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:RC4-SHA:RC4-MD5:EXP-RC4-MD5:NULL-SHA:NULL-MD5
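
Added example (not part of the original report and not JBoss EAP code): a parser for the `openssl ciphers -v` layout quoted above that reports which protocol labels a build offers and why each weak suite is weak. The sample rows are constructed, and the names `parse_ciphers` and `audit` are hypothetical.

```python
import re

# Constructed sample rows in the `openssl ciphers -v` layout quoted in the report.
OLD_BUILD = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""
# Constructed: the same list plus one TLSv1.2 row, as a TLS 1.2 capable build prints it.
NEW_BUILD = OLD_BUILD + (
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD\n")

ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?$")

def parse_ciphers(text):
    """Turn `ciphers -v` output into dicts; lines that are not cipher rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["bits"] = int(row["bits"] or 0)      # Enc=None carries no key size
            row["export"] = bool(row["export"])
            rows.append(row)
    return rows

def audit(text):
    """Report the protocol labels present and the reasons each weak suite is weak."""
    rows = parse_ciphers(text)
    weak = {}
    for r in rows:
        checks = [(r["export"], "export-grade"), (r["proto"] == "SSLv2", "SSLv2"),
                  (r["enc"] in ("RC4", "RC2", "DES", "None"), "cipher " + r["enc"]),
                  (r["bits"] < 128, "key under 128 bits"), (r["mac"] == "MD5", "MD5 MAC")]
        reasons = [why for hit, why in checks if hit]
        if reasons:
            weak[(r["name"], r["proto"])] = reasons   # names repeat across protocols
    protocols = sorted({r["proto"] for r in rows})
    # The column names the protocol level that introduced the suite, so a list with
    # no TLSv1.2 rows matches what the 0.9.8e output in the report shows.
    return {"protocols": protocols, "has_tls12": "TLSv1.2" in protocols, "weak": weak}

if __name__ == "__main__":
    for label, text in (("old build", OLD_BUILD), ("new build", NEW_BUILD)):
        print(label, audit(text))
```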

Comment 1 Robert Bost 2016-01-27 15:45:44 UTC
Setting high severity/priority. OpenSSL dropped support for 0.9.8 on Dec 31st, 2015. 

https://www.openssl.org/policies/releasestrat.html:
"Support for version 0.9.8 will cease on 2015-12-31. No further releases of 0.9.8 will be made after that date. Security fixes only will be applied to 0.9.8 until then."

Comment 2 Vaclav Tunka 2016-01-28 12:19:15 UTC
Moving this Jean-Frederic's way, as SET team does not handle native components.

Comment 19 Michal Karm Babacek 2016-08-08 16:34:51 UTC
OpenSSL 1.0.2h supports TLS 1.2, so this could be probably trivially verified. Leaving it to Martin who executed EAP 6 Ciphers test suite.

Comment 20 Ivo Hradek 2016-08-11 15:30:36 UTC
Verified for TLSv1.2

Comment 21 john archer 2016-08-22 17:49:53 UTC
Would this work for natives on Windows as well then? When could a customer receive this version that would provide TLS 1.2?

Comment 27 Petr Penicka 2017-01-17 14:48:22 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

