-
1. Re: Wildfly can't support the parameter(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)?
ctomc Dec 12, 2016 5:57 AM (in response to lhuay)And what is that error?
-
2. Re: Wildfly can't support the parameter(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)?
lhuay Dec 12, 2016 9:11 PM (in response to ctomc)2016-12-09 14:32:10,873 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service jboss.undertow.listener.https: org.jboss.msc.service.StartException in service jboss.undertow.listener.https: Failed to start service
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: ELY05017: Token "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" not allowed at offset 34 of mechanism selection string "TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"
at org.wildfly.security.ssl.CipherSuiteSelector.fromString(CipherSuiteSelector.java:399)
at org.wildfly.extension.undertow.HttpsListenerService.startListening(HttpsListenerService.java:125)
at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:138)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
... 3 more
This error is in WildFly 10. There is no error in WildFly 8, but it has no effect: it can't disable renegotiation.
-
3. Re: Wildfly can't support the parameter(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)?
ctomc Dec 13, 2016 5:41 AM (in response to lhuay)JDK 8 changed how TLS renegotiation configuration is set.
Or, better said, it is disabled by default.
For more info see:
Why you probably don't see this error in WildFly 8 or AS7 is because you used JDK6 or 7 to run them.
-
4. Re: Wildfly can't support the parameter(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)?
mchoma Dec 20, 2016 4:17 AM (in response to lhuay)As I read RFC 5746 - Transport Layer Security (TLS) Renegotiation Indication Extension, TLS_EMPTY_RENEGOTIATION_INFO_SCSV is used by the client to signal support of secure renegotiation (not to disable renegotiation).
"ELY05017: Token "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" not allowed" means Elytron cipher suite selection (which is already present in WildFly 10.1) does not support such a cipher suite, but that is probably OK, as I think you don't need to set it on the server side.
As Tomaz referenced in the JSSE Reference Guide - if your client and server are updated to use RFC 5746 to disable insecure renegotiation, make sure the system properties sun.security.ssl.allowUnsafeRenegotiation and sun.security.ssl.allowLegacyHelloMessages are set to false (which I believe is the default setting) to ensure Strict mode is turned on. In strict mode insecure renegotiation is disabled.
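As an added example (not code from this thread, nor from WildFly or Elytron), the Java program below checks an enabled-cipher-suites string the way a practitioner would before deploying it: it strips SCSV tokens, which are client-side signals rather than negotiable suites, compares the remaining names against the running JVM, and reports the two renegotiation system properties discussed above. It goes slightly beyond the thread by also recognising TLS_FALLBACK_SCSV (RFC 7507), the other signaling value a client may send. The class and method names are my own, and the selection string is the one from the stack trace posted earlier.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical pre-deployment check for a WildFly/Undertow "enabled-cipher-suites"
 * value. Not part of WildFly or Elytron; written for this example.
 */
public class CipherSuiteSelectionCheck {

    // Signaling Cipher Suite Values: pseudo-suites a client places in its ClientHello
    // to advertise a capability. They are never negotiated, so a server-side suite
    // list must not contain them (Elytron rejects them with ELY05017).
    private static final Set<String> SCSV_TOKENS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", // RFC 5746 secure renegotiation
                    "TLS_FALLBACK_SCSV")));             // RFC 7507 downgrade protection

    /** Outcome of validating one selection string. */
    public static final class Report {
        public final List<String> accepted = new ArrayList<>();
        public final List<String> scsvRemoved = new ArrayList<>();
        public final List<String> disabledByPolicy = new ArrayList<>();
        public final List<String> unsupported = new ArrayList<>();
    }

    /** Splits a comma-separated selection string into trimmed, non-empty tokens. */
    static List<String> tokens(String selection) {
        List<String> out = new ArrayList<>();
        for (String t : selection.split(",")) {
            String trimmed = t.trim();
            if (!trimmed.isEmpty()) {
                out.add(trimmed);
            }
        }
        return out;
    }

    /**
     * Classifies every token: SCSV signal, unknown to the JVM, supported but disabled
     * by security policy (jdk.tls.disabledAlgorithms), or usable.
     */
    static Report validate(String selection, Collection<String> supportedByJvm,
                           Collection<String> enabledByDefault) {
        Report r = new Report();
        Set<String> supported = new HashSet<>(supportedByJvm);
        Set<String> enabled = new HashSet<>(enabledByDefault);
        for (String t : tokens(selection)) {
            if (SCSV_TOKENS.contains(t)) {
                r.scsvRemoved.add(t);
            } else if (!supported.contains(t)) {
                r.unsupported.add(t);
            } else if (!enabled.contains(t)) {
                r.disabledByPolicy.add(t);
            } else {
                r.accepted.add(t);
            }
        }
        return r;
    }

    /** Reports the JSSE renegotiation properties; an unset value means the JDK default applies. */
    static String describeRenegotiationProperties() {
        String unsafe = System.getProperty("sun.security.ssl.allowUnsafeRenegotiation");
        String legacy = System.getProperty("sun.security.ssl.allowLegacyHelloMessages");
        boolean strict = "false".equals(unsafe) && "false".equals(legacy);
        return "allowUnsafeRenegotiation=" + unsafe + ", allowLegacyHelloMessages=" + legacy
                + (strict ? " (strict mode explicitly configured)"
                          : " (strict mode not explicitly configured; set both to false)");
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed input: the selection string from the ELY05017 stack trace in this thread.
        String selection = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV,"
                + "TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256";

        SSLContext ctx = SSLContext.getDefault();
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());

        Report r = validate(selection, supported, enabled);
        System.out.println("Removed SCSV tokens   : " + r.scsvRemoved);
        System.out.println("Unknown to this JVM   : " + r.unsupported);
        System.out.println("Disabled by JDK policy: " + r.disabledByPolicy);
        System.out.println("Cleaned enabled-cipher-suites value: " + String.join(",", r.accepted));
        System.out.println("Renegotiation: " + describeRenegotiationProperties());
    }
}
```

Run it with the same JDK that starts WildFly (for example with `-Dsun.security.ssl.allowUnsafeRenegotiation=false -Dsun.security.ssl.allowLegacyHelloMessages=false` on the command line to see the strict-mode branch), since the supported and default suite lists, and the properties, are those of the JVM it runs in, not of the application server. The "disabled by policy" bucket matters on newer JDKs, where a suite may still be listed as supported but excluded from the default set by `jdk.tls.disabledAlgorithms`; configuring such a suite in WildFly will not re-enable it.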