5 Replies Latest reply on Aug 18, 2017 2:53 PM by gpennino

Wildfly and TLS configuration

gpennino Aug 2, 2017 3:12 PM

I've got a problem with Wildfly 10.1.0 Final when SSL is activated.

I'm getting a SSL error in Chrome and Firefox (IE is working fine). I disabled http2 (as per this topic wildfly 10 does not get along with firefox ) but this does not solve the problem.

The only solution that is working is adding enabled-protocols="TLSV1" in the http-listener configuration for SSL. Using TLSv1,TLSv1.1,TLSV2 doesn't work.

What I'm doing wrong?

1. Re: Wildfly and TLS configuration

mchoma Aug 3, 2017 1:10 AM (in response to gpennino)

It is TLSv1.2 not TLSV2.

Turn on ssl debug logging with -Djavax.net.debug=all on server. Probably browser and server can't negotiate common cipher suite. This can depend on browser version, java version beeing used, private key type you are using (RSA, DSA, ...)
Actions
2. Re: Wildfly and TLS configuration

gpennino Aug 9, 2017 3:17 PM (in response to mchoma)

Yes sorry, I mean TLSv1.2.

I enabled ssl debug, this is a fragment of the log:

2017-08-09 16:06:06,154 INFO [stdout] (default task-15) default task-15, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:06,154 INFO [stdout] (default task-15) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:06,154 INFO [stdout] (default task-15) %% Invalidated: [Session-107, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
2017-08-09 16:06:06,154 INFO [stdout] (default task-15) default task-15, SEND TLSv1.2 ALERT: fatal, description = internal_error
2017-08-09 16:06:06,154 INFO [stdout] (default task-15) Padded plaintext before ENCRYPTION: len = 2
2017-08-09 16:06:06,155 INFO [stdout] (default task-15) 0000: 02 50                                              .P
2017-08-09 16:06:06,155 INFO [stdout] (default task-15) default task-15, WRITE: TLSv1.2 Alert, length = 26
2017-08-09 16:06:06,155 INFO [stdout] (default task-15) default task-15, called closeOutbound()
2017-08-09 16:06:06,155 INFO [stdout] (default task-15) default task-15, closeOutboundInternal()
2017-08-09 16:06:15,451 INFO [stdout] (default I/O-3) default I/O-3, called closeInbound()
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-3) default I/O-3, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-3) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-3) %% Invalidated: [Session-112, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-3) default I/O-3, SEND TLSv1.2 ALERT: fatal, description = internal_error
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-3) Padded plaintext before ENCRYPTION: len = 2
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-4) 0000: 02 50    default I/O-4, called closeInbound()
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-4)             default I/O-4, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-4) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-4) %% Invalidated: [Session-108, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-4) default I/O-4, SEND TLSv1.2 ALERT: fatal, description = internal_error
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-4) Padded plaintext before ENCRYPTION: len = 2
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-4) 0000: 02 50                                              .P
2017-08-09 16:06:15,452 INFO [stdout] (default I/O-4) default I/O-4, WRITE: TLSv1.2 Alert, length = 26
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-4) default I/O-4, called closeOutbound()
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-4) default I/O-4, closeOutboundInternal()
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3)                               .P
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2 Alert, length = 26
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3) default I/O-3, called closeOutbound()
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3) default I/O-3, closeOutboundInternal()
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3) default I/O-3, called closeInbound()
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3) default I/O-3, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3) %% Invalidated: [Session-111, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3) default I/O-3, SEND TLSv1.2 ALERT: fatal, description = internal_error
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3) Padded plaintext before ENCRYPTION: len = 2
2017-08-09 16:06:15,453 INFO [stdout] (default I/O-3) 0000: 02 50                                              .P
2017-08-09 16:06:15,454 INFO [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2 Alert, length = 26
2017-08-09 16:06:15,454 INFO [stdout] (default I/O-3) default I/O-3, called closeOutbound()
2017-08-09 16:06:15,454 INFO [stdout] (default I/O-3) default I/O-3, closeOutboundInternal()
2017-08-09 16:06:55,629 INFO [stdout] (default I/O-1) default I/O-1, called closeInbound()
2017-08-09 16:06:55,629 INFO [stdout] (default I/O-1) default I/O-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:55,629 INFO [stdout] (default I/O-1) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:55,629 INFO [stdout] (default I/O-1) %% Invalidated: [Session-110, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
2017-08-09 16:06:55,629 INFO [stdout] (default I/O-1) default I/O-1, SEND TLSv1.2 ALERT: fatal, description = internal_error
2017-08-09 16:06:55,629 INFO [stdout] (default I/O-1) Padded plaintext before ENCRYPTION: len = 2
2017-08-09 16:06:55,630 INFO [stdout] (default I/O-1) 0000: 02 50                                              .P
2017-08-09 16:06:55,630 INFO [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Alert, length = 26
2017-08-09 16:06:55,630 INFO [stdout] (default I/O-1) default I/O-1, called closeOutbound()
2017-08-09 16:06:55,630 INFO [stdout] (default I/O-1) default I/O-1, closeOutboundInternal()
2017-08-09 16:06:55,634 INFO [stdout] (default I/O-4) default I/O-4, called closeInbound()
2017-08-09 16:06:55,634 INFO [stdout] (default I/O-4) default I/O-4, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:55,634 INFO [stdout] (default I/O-4) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:55,634 INFO [stdout] (default I/O-4) %% Invalidated: [Session-109, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
2017-08-09 16:06:55,634 INFO [stdout] (default I/O-4) default I/O-4, SEND TLSv1.2 ALERT: fatal, description = internal_error
2017-08-09 16:06:55,634 INFO [stdout] (default I/O-4) Padded plaintext before ENCRYPTION: len = 2
2017-08-09 16:06:55,635 INFO [stdout] (default I/O-4) 0000: 02 50                                              .P
2017-08-09 16:06:55,635 INFO [stdout] (default I/O-4) default I/O-4, WRITE: TLSv1.2 Alert, length = 26
2017-08-09 16:06:55,635 INFO [stdout] (default I/O-4) default I/O-4, called closeOutbound()
2017-08-09 16:06:55,635 INFO [stdout] (default I/O-4) default I/O-4, closeOutboundInternal()
2017-08-09 16:07:49,981 INFO [stdout] (Finalizer) Finalizer, called close()
2017-08-09 16:07:49,984 INFO [stdout] (Finalizer) Finalizer, called closeInternal(true)

Using Wildfly 10.1.0 Final
Ubuntu 14.04 LTS
Oracle JDK 1.8.0_111

Thanks.
Actions
3. Re: Wildfly and TLS configuration

mchoma Aug 10, 2017 1:14 AM (in response to gpennino)

And which cipher suite IE negotiate? Seems there is a problem with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. It can be something with certificate. E.g. self signed certificate does not work with ECDH [JBEAP-2070] Unable to create HTTPS connection using *ECDH_RSA* cipher suites / kECDHr cipher string - JBoss Issue Track… .
Actions
4. Re: Wildfly and TLS configuration

gpennino Aug 10, 2017 12:50 PM (in response to mchoma)

According to IE, it negotiates "TLS 1.2, AES with 256 bit encryption (high); ECDH_P256 with 256 bit exchange". While using IE, there is no SSL Exception in the log file!

In Chrome, the first time the page is loaded it shows: The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM). but then after logining in in the application the error occurs. I can't think of this being application related as it was working fine with Jboss 7.1.1 and Oracle JDK 1.7.

Thanks!
Actions
5. Re: Wildfly and TLS configuration

gpennino Aug 18, 2017 2:53 PM (in response to gpennino)

Do you have any other suggestion or where to look at?

Thanks!
Actions

Go to original post