4 Replies Latest reply on Dec 20, 2016 4:17 AM by mchoma

    Wildfly can't support the parameter(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)?

    lhuay

In my web application, I use TLS_EMPTY_RENEGOTIATION_INFO_SCSV to disable renegotiation (RFC 5746) in JBoss AS 7. But in WildFly it causes an error. What can I do?


      Thank you!


      yy

        • 1. Re: Wildfly can't support the parameter(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)?
          ctomc

          And what is that error?

          • 2. Re: Wildfly can't support the parameter(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)?
            lhuay

2016-12-09 14:32:10,873 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service jboss.undertow.listener.https: org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
            at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            at java.lang.Thread.run(Thread.java:745)
            Caused by: java.lang.IllegalArgumentException: ELY05017: Token "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" not allowed at offset 34 of mechanism selection string "TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"
            at org.wildfly.security.ssl.CipherSuiteSelector.fromString(CipherSuiteSelector.java:399)
            at org.wildfly.extension.undertow.HttpsListenerService.startListening(HttpsListenerService.java:125)
            at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:138)
            at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
            at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
            ... 3 more


This error is in WildFly 10. There is no error in WildFly 8, but it has no effect: it can't disable renegotiation.

            • 3. Re: Wildfly can't support the parameter(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)?
              ctomc

JDK 8 changed how TLS renegotiation configuration is set.

              Or, better said, it is disabled by default.

              For more info see:

              http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#tlsRenegotiation

              The reason you probably don't see this error in WildFly 8 or AS7 is that you used JDK 6 or 7 to run them.

              • 4. Re: Wildfly can't support the parameter(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)?
                mchoma

As I am reading RFC 5746 - Transport Layer Security (TLS) Renegotiation Indication Extension, TLS_EMPTY_RENEGOTIATION_INFO_SCSV is used by the client to signal support of secure renegotiation (not to disable renegotiation).


"ELY05017: Token "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" not allowed" means Elytron cipher suite selection (which is already present in WildFly 10.1) does not support such a cipher suite, but it is probably OK, as I think you don't need to set that on the server side.


As Tomaz referenced the JSSE Reference Guide: if your client and server are updated to use RFC 5746 to disable insecure renegotiation, make sure the system properties sun.security.ssl.allowUnsafeRenegotiation and sun.security.ssl.allowLegacyHelloMessages are set to false (which I believe is the default setting) to ensure Strict mode is turned on. In Strict mode insecure renegotiation is disabled.
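As an added example (not code from the thread or from WildFly/Elytron), this Java class shows the two points above in practice: it strips the RFC 5746 SCSV pseudo-suite out of a WildFly cipher-suite selection string and checks what remains against the running JVM, and it maps the two sun.security.ssl.* properties to the renegotiation modes named in the JSSE guide. Note the guide documents allowLegacyHelloMessages as true by default, so "strict" needs that property set to false explicitly.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class RenegotiationCheck {

    // Signalling value from RFC 5746, not a cipher suite; Elytron's CipherSuiteSelector rejects it.
    static final String SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";

    /** Returns the selection string without the SCSV token, which is what WildFly 10 refuses. */
    static String stripScsv(String cipherSuites) {
        List<String> kept = new ArrayList<>();
        for (String token : cipherSuites.split(",")) {
            String t = token.trim();
            if (!t.isEmpty() && !t.equals(SCSV)) kept.add(t);
        }
        return String.join(",", kept);
    }

    /** Maps the JSSE properties to the mode described in the JSSE Reference Guide. */
    static String renegotiationMode(String allowUnsafe, String allowLegacyHello) {
        boolean unsafe = Boolean.parseBoolean(allowUnsafe);           // JDK default: false
        boolean legacyHello = Boolean.parseBoolean(allowLegacyHello); // JDK default: true
        if (unsafe) return "insecure";           // renegotiates even with peers lacking RFC 5746
        if (legacyHello) return "interoperable"; // initial handshake allowed, insecure renegotiation refused
        return "strict";                         // peers without RFC 5746 rejected at the initial handshake
    }

    /** Suites left after stripping that this JVM's default SSLContext does not know. */
    static List<String> unsupportedSuites(String cipherSuites) throws Exception {
        List<String> supported = Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites());
        List<String> missing = new ArrayList<>();
        for (String s : stripScsv(cipherSuites).split(",")) {
            if (!supported.contains(s)) missing.add(s);
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // The selection string quoted in the ELY05017 error above.
        String fromThread = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV,"
            + "TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256";
        System.out.println("cleaned: " + stripScsv(fromThread));
        System.out.println("unsupported on this JVM: " + unsupportedSuites(fromThread));
        System.out.println("renegotiation mode: " + renegotiationMode(
            System.getProperty("sun.security.ssl.allowUnsafeRenegotiation", "false"),
            System.getProperty("sun.security.ssl.allowLegacyHelloMessages", "true")));
    }
}
```

Run it with -Dsun.security.ssl.allowLegacyHelloMessages=false to see the mode switch from "interoperable" to "strict"; the same -D flags in JAVA_OPTS apply to the WildFly JVM.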