Bug 1308833 - SSL 3.0 should be disabled by default for Web HTTPS listener
Summary: SSL 3.0 should be disabled by default for Web HTTPS listener
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web
Version: 6.3.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: jboss-set
QA Contact: Ondrej Kotek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-02-16 09:07 UTC by Ondrej Kotek
Modified: 2019-08-19 12:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:49:36 UTC
Type: Bug


Attachments
OpenSSL test connection log (20.44 KB, text/plain) - 2016-02-16 12:00 UTC, Ondrej Kotek
Scanner test log (1.03 KB, text/plain) - 2016-02-16 12:01 UTC, Ondrej Kotek

Description Ondrej Kotek 2016-02-16 09:07:34 UTC
Description of problem:
Having added an HTTPS connector in the Web subsystem with no protocol defined, the HTTPS listener enables SSL 3.0 connections. SSL 3.0 is not secure and should be disabled by default (it should be disabled in case it is not set in the protocol attribute of the HTTPS connector).

How reproducible:
Run the server on a Java with SSL 3.0 enabled. Add an HTTPS connector to the Web subsystem with no protocol defined. Try an SSL 3.0 handshake.

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true" enabled="true">
        <ssl key-alias="javaserver" password="tomcat" certificate-key-file="/path/to/server-cert-key-rsa.jks" verify-client="false" certificate-file="/path/to/server-cert-key-rsa.jks" ca-certificate-file="/path/to/ca-cert.jks"/>
    </connector>

    openssl s_client -connect localhost:8443 -msg -debug -state -nbio -ssl3

Actual results:
Handshake succeeds.

Expected results:
Handshake fails.

Additional info:
All current Java versions disable SSL 3.0 by default [1,2], but SSL 3.0 can be enabled for compatibility reasons. In JBoss EAP 6.4, SSL 3.0 is disabled by default.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1152789#c60
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1152789#c82
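A configuration audit for the condition this report describes, added here as an example and not part of the bug report or of EAP itself: it parses a constructed web-subsystem fragment (namespace version assumed) and flags every HTTPS connector whose <ssl> element either omits the protocol attribute, so the listener inherits whatever protocols the JVM has enabled, or lists SSLv3 explicitly. The wildcard token "ALL" and the value "TLSv1,TLSv1.1,TLSv1.2" are assumptions about the protocol syntax JBoss Web accepts; check them against the documentation for your EAP version.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web-subsystem fragment (schema version assumed). The "https"
# connector mirrors the report: an <ssl> element with no protocol attribute.
SAMPLE_XML = """\
<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl key-alias="javaserver" password="tomcat" certificate-key-file="/path/to/server-cert-key-rsa.jks"/>
    </connector>
    <connector name="https-legacy" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl key-alias="javaserver" password="tomcat" certificate-key-file="/path/to/server-cert-key-rsa.jks" protocol="SSLv3,TLSv1"/>
    </connector>
    <connector name="https-hardened" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl key-alias="javaserver" password="tomcat" certificate-key-file="/path/to/server-cert-key-rsa.jks" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
    </connector>
</subsystem>
"""

# Tokens that keep SSL 3.0 reachable: an explicit SSLv3 entry, or the wildcard
# "ALL", which defers to whatever the JVM has enabled (assumed JBoss Web syntax).
WEAK_TOKENS = {"sslv3", "all"}

def _local(tag):
    """Strip the XML namespace so the subsystem schema version does not matter."""
    return tag.rsplit("}", 1)[-1]

def audit_https_connectors(xml_text):
    """Map each connector carrying an <ssl> element to a verdict:
    'missing-protocol' (JVM defaults apply, the path this report exercises),
    'weak-protocol:<value>' (SSLv3 or ALL listed), or 'ok' (TLS versions only).
    """
    root = ET.fromstring(xml_text)
    verdicts = {}
    for connector in root.iter():
        if _local(connector.tag) != "connector":
            continue
        ssl = next((c for c in connector if _local(c.tag) == "ssl"), None)
        if ssl is None:
            continue  # plain HTTP connector, nothing to check
        name = connector.get("name", "<unnamed>")
        protocol = ssl.get("protocol")
        if protocol is None:
            verdicts[name] = "missing-protocol"
            continue
        tokens = {t.lower() for t in re.split(r"[,\s]+", protocol) if t}
        verdicts[name] = "weak-protocol:" + protocol if tokens & WEAK_TOKENS else "ok"
    return verdicts
```

Running audit_https_connectors(SAMPLE_XML) reports the first HTTPS connector as missing-protocol, the second as weak-protocol, and the hardened one as ok.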

Comment 1 Ondrej Kotek 2016-02-16 12:00:38 UTC
Created attachment 1127570 [details]
OpenSSL test connection log

Comment 2 Ondrej Kotek 2016-02-16 12:01:26 UTC
Created attachment 1127571 [details]
Scanner test log
