AS7: Web Subsystem: JSSE/OpenSSL Settings
anil.saldhana May 23, 2011 12:21 PM
This thread is to capture the effort to derive a common configuration that can be used for both JSSE and OpenSSL. This is currently evident in the web subsystem (File: org.jboss.as.web.WebConnectorService).
Background
JFClere did background work on finding the settings for both JSSE and OpenSSL for the web subsystem. But since this is cross-cutting, we need the same for the security subsystem also.
https://github.com/jbossas/jboss-as/blob/master/web/src/main/resources/schema/jboss-web.xsd
sslType covers both JSSE and OpenSSL
Open SSL Settings:
- PASSWORD: setSSLPassword
- CERTIFICATE_KEY_FILE: setSSLCertificateKeyFile
- CIPHER_SUITE: setSSLCipherSuite
- PROTOCOL: setSSLProtocol
- VERIFY_CLIENT: setSSLVerifyClient
- VERIFY_DEPTH: setSSLVerifyDepth
- CERTIFICATE_FILE: setSSLCertificateFile
- CA_CERTIFICATE_FILE: setSSLCACertificateFile
- CA_REVOCATION_URL: setSSLCARevocationFile
JSSE Settings:
- KEY_ALIAS: setKeyAlias
- PASSWORD: setKeypass
- CERTIFICATE_KEY_FILE: setKeystore
- CIPHER_SUITE: setCiphers
- PROTOCOL: setProtocols
- VERIFY_CLIENT: setClientauth
- SESSION_CACHE_SIZE: setAttribute
- SESSION_TIMEOUT: setAttribute
What is common between these two settings?
- Password
- Certificate Key File
- Cipher Suite
- Protocol
- Verify Client
Proposal (to be Finalized)
Proposal 1: The common settings are typed as elements. The rest are placed as properties.
<ssl binding="jsse">
    <password></password>
    <certKeyFile/>
    <cipherSuite/>
    <protocol/>
    <verifyClient/>
    <property name="x" value="y"/>
    <property name="a" value="b"/>
</ssl>

<ssl binding="openssl">
    <password></password>
    <certKeyFile/>
    <cipherSuite/>
    <protocol/>
    <verifyClient/>
    <property name="x" value="y"/>
    <property name="a" value="b"/>
</ssl>
NOTE: the jsse binding will be made the default, so there is no need to specify it if you are using JSSE.
Proposal 2: For the non-common set of elements, we use an xsd:choice between the jsse and openssl settings, each of which gets an xsd:sequence of elements.
Proposal 3: Copy the sslType from the web xsd into the security xsd. Then introduce the concept of reference in sslType to refer to sslType defined in another subsystem (namely security). That way, the subsystem can define the settings inline if it chooses to.
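To make the semantics of Proposal 1 concrete, here is an added example (not code from the thread or from JBoss AS) that resolves one <ssl> element to the per-implementation setter calls listed above: the five common elements map to either the OpenSSL or the JSSE setter depending on the binding, jsse is assumed when no binding is given, and a <property> that belongs to the other binding (for example VERIFY_DEPTH under jsse) is rejected rather than silently dropped. The element names and the sample XML are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Common settings: (OpenSSL setter, JSSE setter), taken from the two lists in the thread.
COMMON = {
    "password":     ("setSSLPassword",           "setKeypass"),
    "certKeyFile":  ("setSSLCertificateKeyFile", "setKeystore"),
    "cipherSuite":  ("setSSLCipherSuite",        "setCiphers"),
    "protocol":     ("setSSLProtocol",           "setProtocols"),
    "verifyClient": ("setSSLVerifyClient",       "setClientauth"),
}
# Non-common settings: only valid as <property name=".."/> under their own binding.
EXTRA = {
    "openssl": {"VERIFY_DEPTH": "setSSLVerifyDepth",
                "CERTIFICATE_FILE": "setSSLCertificateFile",
                "CA_CERTIFICATE_FILE": "setSSLCACertificateFile",
                "CA_REVOCATION_URL": "setSSLCARevocationFile"},
    "jsse":    {"KEY_ALIAS": "setKeyAlias",
                "SESSION_CACHE_SIZE": "setAttribute",
                "SESSION_TIMEOUT": "setAttribute"},
}

def resolve(xml_text):
    """Return (binding, [(setter, value), ...]) for one <ssl> element; raise ValueError on misuse."""
    ssl = ET.fromstring(xml_text)
    binding = ssl.get("binding", "jsse")          # jsse is the default binding (see NOTE above)
    if binding not in EXTRA:
        raise ValueError(f"unknown binding {binding!r}")
    idx = 0 if binding == "openssl" else 1
    calls = []
    for child in ssl:
        if child.tag == "property":
            name = child.get("name")
            if name not in EXTRA[binding]:     # property from the other binding, or unknown
                raise ValueError(f"property {name!r} is not valid for binding {binding!r}")
            calls.append((EXTRA[binding][name], child.get("value")))
        elif child.tag in COMMON:
            calls.append((COMMON[child.tag][idx], (child.text or "").strip()))
        else:
            raise ValueError(f"unexpected element <{child.tag}>")
    return binding, calls

def is_valid(xml_text):
    """True if the <ssl> element resolves without error under Proposal 1's rules."""
    try:
        resolve(xml_text)
        return True
    except ValueError:
        return False

# Constructed sample: no binding attribute, so it resolves against the JSSE setters.
SAMPLE = """<ssl>
  <protocol>TLSv1</protocol>
  <verifyClient>true</verifyClient>
  <property name="SESSION_TIMEOUT" value="600"/>
</ssl>"""
```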