5 Replies Latest reply on Aug 18, 2017 2:53 PM by Gonzalo Pennino

    Wildfly and TLS configuration

    Gonzalo Pennino Newbie

      I've got a problem with Wildfly 10.1.0 Final when SSL is activated.

      I'm getting an SSL error in Chrome and Firefox (IE is working fine). I disabled http2 (as per the topic "wildfly 10 does not get along with firefox"), but this does not solve the problem.

      The only solution that is working is adding enabled-protocols="TLSV1" in the http-listener configuration for SSL. Using TLSv1,TLSv1.1,TLSV2 doesn't work.

      What am I doing wrong?

        • 1. Re: Wildfly and TLS configuration
          Martin Choma Expert

          It is TLSv1.2, not TLSV2.

          Turn on SSL debug logging with -Djavax.net.debug=all on the server. Probably the browser and server can't negotiate a common cipher suite. This can depend on the browser version, the Java version being used, the private key type you are using (RSA, DSA, ...).

          • 2. Re: Wildfly and TLS configuration
            Gonzalo Pennino Newbie

            Yes, sorry, I meant TLSv1.2.

            I enabled SSL debug; this is a fragment of the log:

             

            2017-08-09 16:06:06,154 INFO  [stdout] (default task-15) default task-15, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:06,154 INFO  [stdout] (default task-15) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:06,154 INFO  [stdout] (default task-15) %% Invalidated:  [Session-107, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

            2017-08-09 16:06:06,154 INFO  [stdout] (default task-15) default task-15, SEND TLSv1.2 ALERT:  fatal, description = internal_error

            2017-08-09 16:06:06,154 INFO  [stdout] (default task-15) Padded plaintext before ENCRYPTION:  len = 2

            2017-08-09 16:06:06,155 INFO  [stdout] (default task-15) 0000: 02 50                                              .P

            2017-08-09 16:06:06,155 INFO  [stdout] (default task-15) default task-15, WRITE: TLSv1.2 Alert, length = 26

            2017-08-09 16:06:06,155 INFO  [stdout] (default task-15) default task-15, called closeOutbound()

            2017-08-09 16:06:06,155 INFO  [stdout] (default task-15) default task-15, closeOutboundInternal()

            2017-08-09 16:06:15,451 INFO  [stdout] (default I/O-3) default I/O-3, called closeInbound()

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-3) default I/O-3, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-3) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-3) %% Invalidated:  [Session-112, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-3) default I/O-3, SEND TLSv1.2 ALERT:  fatal, description = internal_error

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-3) Padded plaintext before ENCRYPTION:  len = 2

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-4) 0000: 02 50    default I/O-4, called closeInbound()

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-4)             default I/O-4, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-4) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-4) %% Invalidated:  [Session-108, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-4) default I/O-4, SEND TLSv1.2 ALERT:  fatal, description = internal_error

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-4) Padded plaintext before ENCRYPTION:  len = 2

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-4) 0000: 02 50                                              .P

            2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-4) default I/O-4, WRITE: TLSv1.2 Alert, length = 26

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-4) default I/O-4, called closeOutbound()

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-4) default I/O-4, closeOutboundInternal()

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3)                               .P

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2 Alert, length = 26

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3) default I/O-3, called closeOutbound()

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3) default I/O-3, closeOutboundInternal()

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3) default I/O-3, called closeInbound()

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3) default I/O-3, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3) %% Invalidated:  [Session-111, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3) default I/O-3, SEND TLSv1.2 ALERT:  fatal, description = internal_error

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3) Padded plaintext before ENCRYPTION:  len = 2

            2017-08-09 16:06:15,453 INFO  [stdout] (default I/O-3) 0000: 02 50                                              .P

            2017-08-09 16:06:15,454 INFO  [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2 Alert, length = 26

            2017-08-09 16:06:15,454 INFO  [stdout] (default I/O-3) default I/O-3, called closeOutbound()

            2017-08-09 16:06:15,454 INFO  [stdout] (default I/O-3) default I/O-3, closeOutboundInternal()

            2017-08-09 16:06:55,629 INFO  [stdout] (default I/O-1) default I/O-1, called closeInbound()

            2017-08-09 16:06:55,629 INFO  [stdout] (default I/O-1) default I/O-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:55,629 INFO  [stdout] (default I/O-1) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:55,629 INFO  [stdout] (default I/O-1) %% Invalidated:  [Session-110, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

            2017-08-09 16:06:55,629 INFO  [stdout] (default I/O-1) default I/O-1, SEND TLSv1.2 ALERT:  fatal, description = internal_error

            2017-08-09 16:06:55,629 INFO  [stdout] (default I/O-1) Padded plaintext before ENCRYPTION:  len = 2

            2017-08-09 16:06:55,630 INFO  [stdout] (default I/O-1) 0000: 02 50                                              .P

            2017-08-09 16:06:55,630 INFO  [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Alert, length = 26

            2017-08-09 16:06:55,630 INFO  [stdout] (default I/O-1) default I/O-1, called closeOutbound()

            2017-08-09 16:06:55,630 INFO  [stdout] (default I/O-1) default I/O-1, closeOutboundInternal()

            2017-08-09 16:06:55,634 INFO  [stdout] (default I/O-4) default I/O-4, called closeInbound()

            2017-08-09 16:06:55,634 INFO  [stdout] (default I/O-4) default I/O-4, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:55,634 INFO  [stdout] (default I/O-4) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

            2017-08-09 16:06:55,634 INFO  [stdout] (default I/O-4) %% Invalidated:  [Session-109, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]

            2017-08-09 16:06:55,634 INFO  [stdout] (default I/O-4) default I/O-4, SEND TLSv1.2 ALERT:  fatal, description = internal_error

            2017-08-09 16:06:55,634 INFO  [stdout] (default I/O-4) Padded plaintext before ENCRYPTION:  len = 2

            2017-08-09 16:06:55,635 INFO  [stdout] (default I/O-4) 0000: 02 50                                              .P

            2017-08-09 16:06:55,635 INFO  [stdout] (default I/O-4) default I/O-4, WRITE: TLSv1.2 Alert, length = 26

            2017-08-09 16:06:55,635 INFO  [stdout] (default I/O-4) default I/O-4, called closeOutbound()

            2017-08-09 16:06:55,635 INFO  [stdout] (default I/O-4) default I/O-4, closeOutboundInternal()

            2017-08-09 16:07:49,981 INFO  [stdout] (Finalizer) Finalizer, called close()

            2017-08-09 16:07:49,984 INFO  [stdout] (Finalizer) Finalizer, called closeInternal(true)

            Using Wildfly 10.1.0 Final
            Ubuntu 14.04 LTS
            Oracle JDK 1.8.0_111

            Thanks.
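The -Djavax.net.debug=all output suggested in reply 1 is verbose and, as the fragment above shows, several I/O threads interleave their lines. The following script is an added example (not code from the thread or from WildFly) that triages such a log: it pulls out the fatal errors, the invalidated sessions with their negotiated cipher suite, and the alerts sent, and then classifies each thread as either a handshake-level failure (no common cipher suite, handshake_failure alert) or a session that completed its handshake and was later closed by the peer without a close_notify. The sample input is constructed: the first block is a handful of lines copied from the log above, the second is an invented handshake-failure sequence included only to exercise the other branch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample 1: lines copied from the javax.net.debug fragment posted in this thread.
SAMPLE_LOG = """\
2017-08-09 16:06:06,154 INFO  [stdout] (default task-15) default task-15, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:06,154 INFO  [stdout] (default task-15) javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:06,154 INFO  [stdout] (default task-15) %% Invalidated:  [Session-107, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
2017-08-09 16:06:06,154 INFO  [stdout] (default task-15) default task-15, SEND TLSv1.2 ALERT:  fatal, description = internal_error
2017-08-09 16:06:15,451 INFO  [stdout] (default I/O-3) default I/O-3, called closeInbound()
2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-3) default I/O-3, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-3) %% Invalidated:  [Session-112, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
2017-08-09 16:06:15,452 INFO  [stdout] (default I/O-3) default I/O-3, SEND TLSv1.2 ALERT:  fatal, description = internal_error
"""

# Constructed sample 2 (hypothetical, not from the thread): what a cipher-suite mismatch
# looks like in JSSE debug output, i.e. a fatal error during the handshake itself.
HANDSHAKE_FAILURE_LOG = """\
2017-08-09 16:10:00,000 INFO  [stdout] (default I/O-2) default I/O-2, fatal error: 40: no cipher suites in common
2017-08-09 16:10:00,000 INFO  [stdout] (default I/O-2) default I/O-2, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
"""

THREAD_RE = re.compile(r"\((?P<thread>[^)]+)\)")
FATAL_RE = re.compile(r"fatal error: (?P<code>\d+): (?P<msg>.+?)\s*$")
INVALIDATED_RE = re.compile(r"%% Invalidated:\s+\[(?P<session>Session-\d+), (?P<cipher>[A-Z0-9_]+)\]")
ALERT_RE = re.compile(r"SEND (?P<proto>TLSv[\d.]+) ALERT:\s+(?P<level>\w+), description = (?P<desc>\w+)")


def parse_ssl_debug(text):
    """Turn javax.net.debug lines into a list of event dicts keyed by the XNIO thread name."""
    events = []
    for line in text.splitlines():
        thread_match = THREAD_RE.search(line)
        thread = thread_match.group("thread") if thread_match else "?"
        m = FATAL_RE.search(line)
        if m:
            events.append({"thread": thread, "kind": "fatal", "code": int(m["code"]), "msg": m["msg"]})
            continue
        m = INVALIDATED_RE.search(line)
        if m:
            events.append({"thread": thread, "kind": "invalidated", "session": m["session"], "cipher": m["cipher"]})
            continue
        m = ALERT_RE.search(line)
        if m:
            events.append({"thread": thread, "kind": "alert", "proto": m["proto"], "level": m["level"], "desc": m["desc"]})
    return events


def summarize(events):
    """Counts that answer 'which cipher suite and which failure keep showing up?'."""
    return {
        "fatal_by_msg": Counter(e["msg"] for e in events if e["kind"] == "fatal"),
        "invalidated_ciphers": Counter(e["cipher"] for e in events if e["kind"] == "invalidated"),
        "alerts": Counter((e["proto"], e["desc"]) for e in events if e["kind"] == "alert"),
    }


def classify(events):
    """Per thread: did the TLS handshake itself fail, or did an established session get closed abruptly?"""
    by_thread = defaultdict(list)
    for e in events:
        by_thread[e["thread"]].append(e)
    result = {}
    for thread, evs in by_thread.items():
        handshake_failed = any(e["kind"] == "alert" and e["desc"] == "handshake_failure" for e in evs) or \
            any(e["kind"] == "fatal" and "no cipher suites in common" in e["msg"] for e in evs)
        session_established = any(e["kind"] == "invalidated" for e in evs)
        abrupt_close = any(e["kind"] == "fatal" and "close_notify" in e["msg"] for e in evs)
        if handshake_failed:
            result[thread] = "handshake_failure"
        elif session_established and abrupt_close:
            # A cipher suite was negotiated (the session carries one), so the failure is post-handshake:
            # the peer dropped the TCP connection without sending a close_notify alert.
            result[thread] = "closed_without_close_notify"
        else:
            result[thread] = "other"
    return result


if __name__ == "__main__":
    for name, log in (("thread sample", SAMPLE_LOG), ("constructed mismatch", HANDSHAKE_FAILURE_LOG)):
        evs = parse_ssl_debug(log)
        print(name, summarize(evs), classify(evs))
```

Run against a full log, the summary shows at a glance whether the same suite (here TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) is behind every alert and whether the alerts are handshake failures or post-handshake closes; in the first case the server's enabled-cipher-suites or key type is the thing to change on the https-listener, in the second the handshake succeeded and the problem lies in how the connection is torn down.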

            • 3. Re: Wildfly and TLS configuration
              Martin Choma Expert

              And which cipher suite does IE negotiate? Seems there is a problem with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. It can be something with the certificate. E.g. a self-signed certificate does not work with ECDH: [JBEAP-2070] Unable to create HTTPS connection using *ECDH_RSA* cipher suites / kECDHr cipher string - JBoss Issue Track…

              • 4. Re: Wildfly and TLS configuration
                Gonzalo Pennino Newbie

                According to IE, it negotiates "TLS 1.2, AES with 256 bit encryption (high); ECDH_P256 with 256 bit exchange". While using IE, there is no SSL exception in the log file!

                In Chrome, the first time the page is loaded it shows: "The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM)." But then, after logging in to the application, the error occurs. I can't think of this being application-related, as it was working fine with JBoss 7.1.1 and Oracle JDK 1.7.

                Thanks!

                • 5. Re: Wildfly and TLS configuration
                  Gonzalo Pennino Newbie

                  Do you have any other suggestions, or somewhere else to look?

                  Thanks!