FISH-5987 Remove TLS 1.0,1.1 SSL2 and SSL3 #5666

Merged: 7 commits, Apr 21, 2022

kalinchan (Member) commented Mar 21, 2022

Description

Since TLS 1.0 and 1.1 are disabled on JDK 11, this has been removed

Important Info

Blockers

N/A

Testing

New tests

N/A

Testing Performed

Built Payara and checked if options for TLS 1.0 and 1.1 were there and executed set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.tls-enabled=[true/false]

Testing Environment

Ubuntu 20.04, Maven 3.6.3, OpenJDK 11.0.11 2021-04-20 LTS

Documentation

Here

Notes for Reviewers

kalinchan changed the title from "FISH-5987 Remove TLS 1.0 and 1.1" to "FISH-5987 Remove TLS 1.0,1.1 SSL2 and SSL3" on Mar 23, 2022
Pandrex247 (Member) left a comment

You've broken the SSL config page:
Configs > server-config > ORB > IIOP Listeners > SSL > SSL
Disable TLS 1.2, enable TLS 1.3, click save - error.


String protocol;
if (tlsEnabled13) {
protocol = TLS13;
} else if (tlsEnabled12) {
} else {
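Review bot: the final else in this protocol selection is reached when neither tlsEnabled13 nor tlsEnabled12 is set, and with the older protocols removed by this PR there is no remaining value that the admin actually selected. Prefer rejecting that configuration with an explicit error over assigning a silent default, so that an SSL config with every TLS version disabled fails when it is saved rather than producing a listener with a protocol nobody chose.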
Member


I wonder if this should default to 1.3, 1.2, or throw an error?
Need to debug with a reproducer to understand this and why it would originally default to SSL even though that wasn't an option.

kalinchan (Member, Author) commented Mar 30, 2022

Removal of the SSL3 Ciphers caused the SSL config page to break; therefore, I left this in.

Pandrex247 (Member) left a comment

Numerous methods and references to SSL2 and SSL3 missed in AppClientSSL, config/SSL, ServerTags, CreateSSL, CipherInfo, SSLClientConfigurator, SSLParams, SSLConfigurator, dom/Ssl, and SecureAdminCommand

Pandrex247 (Member) left a comment

Still missed references in help text e.g. --securityenabled help text in create-http-listener
SSLv2 and SSLv3 still available as enums in SslType

kalinchan merged commit bd1d890 into payara:Payara6 on Apr 21, 2022