3 Replies Latest reply on Nov 13, 2017 12:37 PM by longshot

    FIPS compliant SSL w/ BC-FIPS and Linux

    longshot

      The task that will not end.

I have configured our application to use the BC-FIPS provider.  I have managed to configure and run the application on a Windows environment.

I've gone through the same configuration and setup on a Linux environment and I'm having issues.

When I start the server, WildFly doesn't start.  I'm not getting any errors, it just appears to hang.  I need some suggestions on what to do to debug this and find out where it's hanging.

The following are the instructions I created to configure WildFly using the CLI (in case there is something wrong that still happens to work on Windows):

      /core-service=management/security-realm=https:add()

      /core-service=management/security-realm=https/authentication=truststore:add(keystore-path=<path>.truststore, keystore-provider=BCFKS, keystore-password=${env.KEYSTORE_PASSWORD}, keystore-relative-to=jboss.server.config.dir)

      /core-service=management/security-realm=https/server-identity=ssl:add(keystore-path=<path.ext>, keystore-provider=BCFKS, keystore-password=${env.KEYSTORE_PASSWORD}, keystore-relative-to=jboss.server.config.dir, enabled-protocols=["TLSv1.2"])

      /core-service=management/security-realm=HTTPSRealm/server-identity=ssl:write-attribute(name=enabled-cipher-suites, value=[SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA])

      /subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=https, enable-http2=true, max-post-size=10737418240, enabled-protocols="TLSv1.2")

      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=enabled-cipher-suites,value="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA")

        • 1. Re: FIPS compliant SSL w/ BC-FIPS and Linux
          mchoma

Try to set detailed server logging.

For example, for security logging, configure:

          /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)

          /subsystem=logging/logger=org.jboss.security:add(level=ALL)

          /subsystem=logging/logger=org.jboss.as.security:add(level=ALL)

          /subsystem=logging/logger=org.picketbox:add(level=ALL)

          /subsystem=logging/logger=org.apache.catalina.authenticator:add(level=ALL)

          /subsystem=logging/logger=org.jboss.as.web.security:add(level=ALL)

          /subsystem=logging/logger=org.jboss.as.domain.management.security:add(level=ALL)

          /subsystem=logging/logger=org.wildfly.security:add(level=ALL)

          /subsystem=logging/logger=org.wildfly.elytron:add(level=ALL)

          • 2. Re: FIPS compliant SSL w/ BC-FIPS and Linux
            mchoma

Also, when it really hangs, take a thread dump to see where it is stuck.

Once I saw security code that was stuck reading from the random device. Does cat /dev/random hang on your system?

            • 3. Re: FIPS compliant SSL w/ BC-FIPS and Linux
              longshot

              cat /dev/random seems to hang.

I typed cat /dev/random and it seems to spew garbage characters to the screen.  I left it for a couple of minutes.  It never goes back to the cursor.  It seems like it's looking for input, but typing doesn't get it to terminate or generate anything more.  I've done Ctrl-C to get the cursor back.

Also, I'm using Bitvise xterm to connect.  If you wait after you enter the command, it seems to keep generating characters; when it does, the xterm prints at the top "Decoder: invalid UTF-8 lead byte".
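The diagnosis suggested in reply 2 (thread dump, then check whether the random device blocks) and the result reported in reply 3 can be scripted so the check is repeatable on the Linux box. The script below is an added example, not code from this thread, from WildFly or from Bouncy Castle. It assumes a Linux /proc filesystem, GNU dd (for iflag=nonblock, so the probe itself never hangs the way a plain cat /dev/random does), a HotSpot-style thread dump, and the JDK's java.security property securerandom.source; the java.security fragment and the two thread dumps it scans are constructed sample files written to a temp directory, with placeholder thread ids.

```shell
#!/bin/sh
# Added diagnostic helper for a JVM/WildFly start-up hang on Linux.
# Not from the thread, WildFly or BC-FIPS. Assumes: Linux /proc, GNU dd
# (iflag=nonblock), HotSpot thread dump layout. Sample files are constructed.

# 1. Size of the kernel entropy pool in bits ("unknown" off Linux). On kernels
#    before 5.6 a value near zero means reads from /dev/random block.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo unknown
    fi
}

# 2. Probe /dev/random with O_NONBLOCK so the probe never hangs.
#    Returns 0 if bytes came back immediately, 1 if the read would have
#    blocked (the symptom in the thread) or dd lacks iflag=nonblock,
#    2 if the device does not exist.
random_read_ok() {
    [ -c /dev/random ] || return 2
    dd if=/dev/random of=/dev/null bs=16 count=1 iflag=nonblock >/dev/null 2>&1 && return 0
    return 1
}

# 3. Seed source configured for the JDK. $1 is a java.security file
#    (JDK 8: $JAVA_HOME/jre/lib/security, JDK 9+: $JAVA_HOME/conf/security).
#    The JDK default file:/dev/random seeds from the blocking device.
jvm_seed_source() {
    sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# 4. Scan a thread dump (jcmd <pid> Thread.print, jstack <pid>, or kill -3 <pid>,
#    which writes the dump to the JVM's stdout) for threads inside the JDK seed
#    generator or NativePRNG, i.e. reading the random device. Prints each such
#    thread name; exits 0 if any were found, 1 otherwise.
blocked_on_random() {
    awk '
        /^"/ { match($0, /"[^"]*"/); thread = substr($0, RSTART, RLENGTH) }
        /sun\.security\.provider\.(SeedGenerator|NativePRNG)/ && !(thread in seen) {
            seen[thread] = 1; print thread; found = 1
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample inputs for the demo (placeholder ids, no real system data).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/java.security" <<'EOF'
# constructed fragment of java.security
#securerandom.source=file:/dev/./urandom
securerandom.source=file:/dev/random
EOF
cat > "$SAMPLE_DIR/threaddump-blocked.txt" <<'EOF'
"MSC service thread 1-2" #25 prio=5 os_prio=0 tid=0xPLACEHOLDER nid=0xPLACEHOLDER runnable [0xPLACEHOLDER]
   java.lang.Thread.State: RUNNABLE
        at java.io.FileInputStream.readBytes(Native Method)
        at java.io.FileInputStream.read(FileInputStream.java)
        at sun.security.provider.SeedGenerator$URLSeedGenerator.getSeedBytes(SeedGenerator.java)
        at sun.security.provider.SeedGenerator.generateSeed(SeedGenerator.java)
        at sun.security.provider.SecureRandom.engineGenerateSeed(SecureRandom.java)
EOF
cat > "$SAMPLE_DIR/threaddump-ok.txt" <<'EOF'
"Reference Handler" #2 daemon prio=10 os_prio=0 tid=0xPLACEHOLDER nid=0xPLACEHOLDER in Object.wait() [0xPLACEHOLDER]
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        at java.lang.ref.Reference.tryHandlePending(Reference.java)
EOF

# Run with --check to print the live diagnosis plus the sample-dump scan.
if [ "${1:-}" = "--check" ]; then
    echo "entropy_avail: $(entropy_avail)"
    if random_read_ok; then
        echo "/dev/random: bytes available without blocking"
    else
        echo "/dev/random: non-blocking read failed (would block, or no GNU dd)"
    fi
    echo "securerandom.source in sample: $(jvm_seed_source "$SAMPLE_DIR/java.security")"
    blocked_on_random "$SAMPLE_DIR/threaddump-blocked.txt" && echo "  ^ thread reading the random device"
fi
```

Run it as `sh diag.sh --check` on the Linux host; for the real server, capture `jcmd <pid> Thread.print > dump.txt` while it hangs and pass that file to `blocked_on_random`. A thread stuck in the seed generator together with a low entropy_avail confirms the cause mchoma describes. The usual remedies are feeding the pool with an entropy daemon (rngd or haveged) or, where policy allows, pointing the JDK at the non-blocking device with `-Djava.security.egd=file:/dev/./urandom` (the `/./` is needed because the JDK special-cases the plain `file:/dev/urandom` URL). Whether the FIPS provider's DRBG may be seeded that way is a question for its security policy document, so check before changing it.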