2 Replies Latest reply on Dec 5, 2014 6:34 AM by talim

    wildfly 8.1 TLS with BC provider - not working

    talim

      Hi,

      I want to use the BouncyCastle provider instead of Sun's. I use Java 8u25 (Oracle) at the moment, WildFly 8.1; the operating system is Ubuntu.

      I do this because I have to use Brainpool curves, which are not supported in SunEC. (ALL this I describe below already works with NIST curves and the Sun provider!)

      I configured a new security-realm as follows:

      <security-realm name="InternetAccessRealm">
          <server-identities>
              <ssl>
                  <keystore path="keystore_ssl/keystore_pki_vvs_ECC.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="subcaws.smartenergy.tec-saar.de"/>
              </ssl>
          </server-identities>
          <authentication>
              <truststore path="keystore_ssl/truststore_pki_vvs_ECC.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>
          </authentication>
      </security-realm>

      I add an interface and a connector; all works fine.

      Now let's try with the BouncyCastle provider.

      BC (1.50on) comes with WildFly 8.1; I updated this to the BC 1.51on version.

      I also added the BC provider to the JRE by updating java.security:

      security.provider.1=sun.security.provider.Sun
      security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
      security.provider.3=sun.security.rsa.SunRsaSign
      security.provider.4=sun.security.ec.SunEC
      security.provider.5=com.sun.net.ssl.internal.ssl.Provider BC
      security.provider.6=com.sun.crypto.provider.SunJCE
      security.provider.7=sun.security.jgss.SunProvider
      security.provider.8=com.sun.security.sasl.Provider
      security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
      security.provider.10=sun.security.smartcardio.SunPCSC

      As you can also see, I added BC to security.provider.5: security.provider.5=com.sun.net.ssl.internal.ssl.Provider BC

      1) Now on the first start of WildFly an error occurred:

      15:17:48,456 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017531: Host default-host starting
      15:17:48,466 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-2) JBAS017519: Undertow HTTP listener default listening on /127.0.0.1:28080
      15:17:49,145 INFO  [stdout] (MSC service thread 1-2) adding as trusted cert:
      15:17:49,150 INFO  [stdout] (MSC service thread 1-2)   Subject: CN=SEN Test RootCA, O=SM-PKI, C=DE, SERIALNUMBER=0
      15:17:49,153 INFO  [stdout] (MSC service thread 1-2)   Issuer:  CN=SEN Test RootCA, O=SM-PKI, C=DE, SERIALNUMBER=0
      15:17:49,154 INFO  [stdout] (MSC service thread 1-2)   Algorithm: EC; Serial number: 0x21286a2f3e8c6745
      15:17:49,166 INFO  [stdout] (MSC service thread 1-2)   Valid from Tue Sep 09 11:22:09 CEST 2014 until Fri Sep 09 11:22:09 CEST 2022
      15:17:49,172 INFO  [stdout] (MSC service thread 1-2)
      15:17:49,241 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-2) JBAS015012: Started FileSystemDeploymentService for directory /home/ejbca/wildfly/standalone/deployments
      15:17:49,246 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: JBAS015229: Unable to start service
              at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:90)
              at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:121)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
      Caused by: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider BC
              at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:67) [jsse.jar:1.8.0_25]
              at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) [rt.jar:1.8.0_25]
              at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:122)
              at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:84)
              ... 6 more
      15:17:49,435 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]

      -> Let's say no problem; I changed the JKS keystores to BKS keystores (native BC keystore format).

      2) Second start:

      15:29:40,961 INFO  [org.wildfly.extension.undertow] (MSC service thread 1-1) JBAS017519: Undertow HTTP listener default listening on /127.0.0.1:28080
      15:29:41,214 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.InternetAccessRealm.key-manager: JBAS015229: Unable to start service
              at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:154)
              at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
      Caused by: java.io.IOException: Invalid keystore format
              at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650) [rt.jar:1.8.0_25]
              at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) [rt.jar:1.8.0_25]
              at java.security.KeyStore.load(KeyStore.java:1433) [rt.jar:1.8.0_25]
              at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:113)
              ... 6 more

      15:29:41,299 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) JBAS015876: Starting deployment of "CertManagementService.war" (runtime-name: "CertManagementService.war")
      15:29:41,324 INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-1) JBAS015012: Started FileSystemDeploymentService for directory /home/ejbca/wildfly/standalone/deployments
      15:29:41,658 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.server.controller.management.security_realm.InternetAccessRealm.trust-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.InternetAccessRealm.trust-manager: JBAS015229: Unable to start service
              at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:154)
              at org.jboss.as.domain.management.security.FileTrustManagerService.start(FileTrustManagerService.java:107)
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
      Caused by: java.io.IOException: Invalid keystore format
              at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650) [rt.jar:1.8.0_25]
              at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55) [rt.jar:1.8.0_25]
              at java.security.KeyStore.load(KeyStore.java:1433) [rt.jar:1.8.0_25]
              at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:113)
              ... 6 more

      15:29:42,081 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]

      It seems the Undertow HTTP listener is not aware of the provider change to BC, because now it gets trouble with the BKS stores.

      -->
      After changing 5. to security.provider.5=com.sun.net.ssl.internal.ssl.Provider
      so that no BC provider is used, I got the expected problem while establishing the TLS connection:

      16:03:47,877 INFO  [stdout] (default I/O-1) Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
      16:03:47,882 INFO  [stdout] (default I/O-1) Compression Methods:  { 0 }
      16:03:47,884 INFO  [stdout] (default I/O-1) default I/O-1, fatal error: 80: problem unwrapping net record
      16:03:47,885 INFO  [stdout] (default I/O-1) java.lang.RuntimeException: java.security.NoSuchAlgorithmException: EC AlgorithmParameters not available
      16:03:47,885 INFO  [stdout] (default I/O-1) default I/O-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error
      16:03:47,886 INFO  [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Alert, length = 2
      16:03:47,887 INFO  [stdout] (default I/O-1) [Raw write]: length = 7
      16:03:47,888 INFO  [stdout] (default I/O-1) 0000: 15 03 03 00 02 02 50                               ......P
      16:03:47,889 INFO  [stdout] (default I/O-1) default I/O-1, called closeOutbound()

      I also tried to start patching the Sun provider to make it aware of the BC curve parameters and so on, but at the moment I think it can't be such a problem to use the BC provider.

      Some ideas? Perhaps I started the wrong way?

      Sascha
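Added example (not from the thread, WildFly or BC): a plain-Java check of the three things the log above complains about, run against the same BC provider; note that a second token on the SunJSSE line of java.security (com.sun.net.ssl.internal.ssl.Provider BC) does not register BC but switches SunJSSE into FIPS mode with BC as its only crypto provider, which is what the "FIPS mode: KeyStore must be from provider BC" error is reporting. It assumes bcprov-jdk15on on the classpath; the curve name brainpoolP256r1 and the keystore path and password arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.AlgorithmParameters;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class BcTlsCheck {
    public static void main(String[] args) throws Exception {
        // Registering BC as an ordinary provider is what
        //   security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
        // does. Appending " BC" to the SunJSSE line is different: it puts SunJSSE into
        // FIPS mode with BC as its only crypto provider, so KeyManagerFactory then
        // rejects a JKS keystore with "FIPS mode: KeyStore must be from provider BC".
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }

        // 1) Who serves a plain "EC" AlgorithmParameters request? SunJSSE asks for this
        //    during the handshake; "EC AlgorithmParameters not available" is the JCA's
        //    standard message when no installed provider offers that service.
        try {
            AlgorithmParameters p = AlgorithmParameters.getInstance("EC");
            System.out.println("EC AlgorithmParameters served by: " + p.getProvider().getName());
        } catch (Exception e) {
            System.out.println("EC AlgorithmParameters not available: " + e);
        }

        // 2) Is the Brainpool curve usable through BC? Generating a key pair on it is the
        //    simplest end-to-end check (curve name is an assumption; use the one in your certs).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", BouncyCastleProvider.PROVIDER_NAME);
        kpg.initialize(new ECGenParameterSpec("brainpoolP256r1"));
        KeyPair kp = kpg.generateKeyPair();
        System.out.println("brainpoolP256r1 key pair via " + kpg.getProvider().getName()
                + ", public key format " + kp.getPublic().getFormat());

        // 3) A BKS file is not readable by the default JKS KeyStore implementation
        //    ("Invalid keystore format" from sun.security.provider.JavaKeyStore), so name
        //    the type and provider explicitly. Usage: java BcTlsCheck <store.bks> <password>
        if (args.length == 2) {
            KeyStore ks = KeyStore.getInstance("BKS", BouncyCastleProvider.PROVIDER_NAME);
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[1].toCharArray());
            }
            System.out.println("Loaded " + ks.size() + " entries via " + ks.getProvider().getName());
        }
    }
}
```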