
[WFCORE-5145] Add a proposal about adding support for the SSLv2Hello protocol #338

Merged
merged 1 commit into from Jun 17, 2021

Conversation

@SoniaZaldana
Contributor

@SoniaZaldana SoniaZaldana commented Oct 1, 2020

Elytron currently supports 6 SSL/TLS protocols. Namely, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, and
TLSv1.3. However, older JDK versions use ``SSLv2Hello`` during the initial
SSL handshake message where the SSL version that will be used for the rest of the handshake is negotiated.
This task is to ensure Elytron can make use of the ``SSLv2Hello`` protocol to ensure feature parity with legacy security.

@fjuma

fjuma Oct 1, 2020
Contributor

Would be good to mention here that newer JDK versions disable this protocol by default but do provide the ability to re-enable it if needed.

@SoniaZaldana

SoniaZaldana Oct 2, 2020
Author Contributor

Added


* WildFly Elytron Test Suite: one-way and two-way SSL tests will be added that make use of the ``SSLv2Hello`` protocol.
* WildFly Core Test Suite: one-way and two-way SSL tests with the ``SSLv2Hello`` protocol when it is
configured in the Elytron subsystem and transformer tests.

@fjuma

fjuma Oct 1, 2020
Contributor

Would be good to mention subsystem parsing tests as well.

@SoniaZaldana

SoniaZaldana Oct 2, 2020
Author Contributor

Added

* WildFly Core Test Suite: one-way and two-way SSL tests with the ``SSLv2Hello`` protocol when it is
configured in the Elytron subsystem and transformer tests.
* WildFly Test Suite: one-way and two-way SSL tests, along with a test added to the wildfly-openssl test suite
to check usage of ``SSLv2Hello`` provided by OpenSSL provider.

@fjuma

fjuma Oct 1, 2020
Contributor

The test that makes use of the OpenSSL provider should be added to the WildFly Core test suite (as opposed to the wildfly-openssl testsuite).

@SoniaZaldana

SoniaZaldana Oct 2, 2020
Author Contributor

Fixed


* Documentation will be added in the "Using the Elytron Subsystem" section in the WildFly documentation,
specifically in under https://docs.wildfly.org/13/WildFly_Elytron_Security.html#configure-ssltls[4.3 Configure SSL/TLS]
to specify that ``SSLv2Hello`` is supported.

@fjuma

fjuma Oct 1, 2020
Contributor

It would probably be good to also add a warning that indicates that the use of this protocol is discouraged.

@SoniaZaldana

SoniaZaldana Oct 2, 2020
Author Contributor

Added

** ``server-ssl-context``:
[source]
----
/subsystem=elytron/server-ssl-context=mySslContext:add(key-manager=myKeyManager,protocols=[SSLv2Hello])

@fjuma

fjuma Oct 23, 2020
Contributor

Since the configuration would require additional protocol(s) to be used with SSLv2Hello, the example value for protocols should be updated to reflect that.

@SoniaZaldana

SoniaZaldana Oct 23, 2020
Author Contributor

Fixed

** ``client-ssl-context``:
[source]
----
/subsystem=elytron/client-ssl-context=myClientSslContext:add(key-manager=myClientKeyManager,protocols=[SSLv2Hello])

@fjuma

fjuma Oct 23, 2020
Contributor

Same here.

@SoniaZaldana

SoniaZaldana Oct 23, 2020
Author Contributor

Fixed

* WildFly Elytron Test Suite: one-way and two-way SSL tests will be added that make use of the ``SSLv2Hello`` protocol.
* WildFly Core Test Suite: one-way and two-way SSL tests with the ``SSLv2Hello`` protocol when it is
configured in the Elytron subsystem, subsystem parsing tests, transformer tests and
a test added to the wildfly-openssl test suite to check usage of ``SSLv2Hello`` provided by OpenSSL provider.

@fjuma

fjuma Oct 23, 2020
Contributor

s/wildfly-openssl test suite/WildFly Core testsuite

@SoniaZaldana

SoniaZaldana Oct 23, 2020
Author Contributor

Fixed

Newer JDK versions disable this protocol by default, but do provide the ability to
re-enable it if needed. This task is to ensure Elytron can make use of the ``SSLv2Hello`` protocol to ensure feature parity with legacy security.

This RFE assumes that the SSLv2Hello protocol is provided by the JSSE provider.

@fjuma

fjuma Oct 23, 2020
Contributor

I think this line can be removed.
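As an added illustration (not part of the proposal, of Elytron, or of the JDK) of the two points raised above: newer JDKs ship SSLv2Hello as a supported but not default-enabled protocol, and SSLv2Hello only changes the format of the initial hello, so it must be configured next to a real protocol such as TLSv1.2. The SSLv2Hello-only check in `enableSslV2Hello` is this example's own guard, not a JSSE rule.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class SslV2HelloCheck {

    // Standard JSSE protocol name, as used in the proposal text.
    static final String SSLV2_HELLO = "SSLv2Hello";

    /** Reports whether the provider offers SSLv2Hello and whether it is enabled by default. */
    static String describe(SSLEngine engine) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> enabled = Arrays.asList(engine.getEnabledProtocols());
        return "supported=" + supported.contains(SSLV2_HELLO)
             + " enabledByDefault=" + enabled.contains(SSLV2_HELLO)
             + " enabled=" + enabled;
    }

    /**
     * Re-enables SSLv2Hello on an engine. Because SSLv2Hello only describes the hello
     * message format and the real version is negotiated from the companion protocols,
     * this helper (written for this example, not a JSSE API) refuses an SSLv2Hello-only list.
     */
    static void enableSslV2Hello(SSLEngine engine, String... companions) {
        if (companions.length == 0) {
            throw new IllegalArgumentException(
                "SSLv2Hello needs at least one real protocol alongside it, e.g. TLSv1.2");
        }
        String[] protocols = new String[companions.length + 1];
        protocols[0] = SSLV2_HELLO;
        System.arraycopy(companions, 0, protocols, 1, companions.length);
        // JSSE throws IllegalArgumentException if a name is not a protocol the provider knows.
        engine.setEnabledProtocols(protocols);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        System.out.println("before: " + describe(engine));
        // SSLv2Hello plus a real protocol, as the review asked for in the subsystem examples.
        enableSslV2Hello(engine, "TLSv1.2");
        System.out.println("after:  " + describe(engine));
    }
}
```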

@SoniaZaldana SoniaZaldana force-pushed the SoniaZaldana:WFCORE-5145 branch from fcdf7e6 to 1f3822b Oct 23, 2020
@fjuma
fjuma approved these changes Oct 30, 2020
=== Testing By
// Put an x in the relevant field to indicate if testing will be done by Engineering or QE.
// Discuss with QE during the Kickoff state to decide this
* [ ] Engineering

@fjuma

fjuma May 27, 2021
Contributor

@SoniaZaldana Since this was tested by Engineering, this section can now be updated. Thanks.

@SoniaZaldana SoniaZaldana force-pushed the SoniaZaldana:WFCORE-5145 branch from 1f3822b to a206e13 May 27, 2021
@bstansberry bstansberry merged commit 1e9393c into wildfly:main Jun 17, 2021