0 Replies Latest reply on Feb 6, 2019 8:19 AM by david.everly

    Support legacy SSLIOP clients that send SSLv2Hello

    david.everly

      We need to provide only services that require TLSv1.2, and at the same time support clients that send the SSLv2Hello (which as you know is NOT the same as permitting SSLv2).


      We have been using the combination of Wildfly/Elytron/OpenSSL so as to provide speedy HTTPS communications: OpenSSL support with WildFly · WildFly


      And I have found that via my HTTPS setup, SSLv2Hello is supported, so I thought I could just use the same setup for SSLIOP.  However, when I try this, my cipher-suite-filter is ignored by the SSLIOP service, even though it is respected under HTTPS.


      If I go back to my non-OpenSSL configuration, SSLIOP is refusing SSLv2Hello, but respecting my cipher-suite filter.


      Any ideas how to configure standalone-full.xml with Elytron (and possibly OpenSSL) to require TLSv1.2, constrain cipher suite selections to my own list, and support the SSLv2Hello that our legacy clients send?


      I'm using Wildfly 15.0.1.Final and this Java:


      openjdk version "11.0.2" 2019-01-15 LTS

      OpenJDK Runtime Environment Zulu11.29+3-CA (build 11.0.2+7-LTS)

      OpenJDK 64-Bit Server VM Zulu11.29+3-CA (build 11.0.2+7-LTS, mixed mode)


      Relevant excerpt of my customized standalone-full.xml:

        <server-ssl-contexts>
            <server-ssl-context name="openssl-serversslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" key-manager="wildfly-keymanager" providers="openssl"/>
        </server-ssl-contexts>
        <client-ssl-contexts>
            <client-ssl-context name="iiop-clientsslcontext" cipher-suite-filter="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" protocols="TLSv1.2" trust-manager="jvm-trustmanager"/>
        </client-ssl-contexts>
    </tls>
</subsystem>
<subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
    <orb socket-binding="iiop" ssl-socket-binding="iiop-ssl"/>
    <initializers security="identity" transactions="spec"/>
    <security support-ssl="true" server-ssl-context="openssl-serversslcontext" client-ssl-context="iiop-clientsslcontext" server-requires-ssl="true" client-requires-ssl="false"/>
    <interop iona="true"/>
</subsystem>
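An added example (not part of the post, and not WildFly or Elytron code) that makes the "SSLv2Hello is NOT the same as SSLv2" point concrete: a parser for the SSLv2-compatible ClientHello record format, plus a policy check that accepts it only when the client advertises TLSv1.2 and offers a suite from the post's cipher-suite-filter. The allow-list maps the OpenSSL suite names in the post to their IANA ids (standard mapping, my assumption), and every hello used below is constructed, not captured.

```python
# Decode an SSLv2-format ClientHello ("SSLv2Hello") and apply a TLSv1.2-only policy to it.
import struct

# IANA suite id -> OpenSSL name, for the eight suites in the post's cipher-suite-filter
ALLOWED_SUITES = {
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384", 0xC028: "ECDHE-RSA-AES256-SHA384",
    0x009F: "DHE-RSA-AES256-GCM-SHA384",   0x006B: "DHE-RSA-AES256-SHA256",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256", 0xC027: "ECDHE-RSA-AES128-SHA256",
    0x009E: "DHE-RSA-AES128-GCM-SHA256",   0x0067: "DHE-RSA-AES128-SHA256",
}

def parse_v2_hello(data: bytes) -> dict:
    """Decode the 2-byte SSLv2 record header and CLIENT-HELLO body (RFC 6101, App. E)."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or body[0] != 0x01:
        raise ValueError("truncated record or not CLIENT-HELLO")
    version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
    if cs_len % 3 or len(body) != 9 + cs_len + sid_len + ch_len:
        raise ValueError("inconsistent length fields")
    # Cipher specs are 3 bytes: a TLS suite is 0x00 + its 2-byte id; a genuine
    # SSLv2 cipher (e.g. 01 00 80 = RC4-128-MD5) has a non-zero first byte.
    tls, v2 = [], []
    for i in range(9, 9 + cs_len, 3):
        spec = body[i:i + 3]
        if spec[0] == 0:
            tls.append(int.from_bytes(spec[1:], "big"))
        else:
            v2.append(spec.hex())
    return {"version": version, "tls_suites": tls, "sslv2_ciphers": v2}

def accept_v2_hello(data: bytes) -> tuple:
    """Accept only a hello advertising TLSv1.2 (0x0303) or newer with an allow-listed suite."""
    try:
        h = parse_v2_hello(data)
    except ValueError as e:
        return False, str(e)
    if h["version"] < 0x0303:
        return False, "client maximum version 0x%04x is below TLSv1.2" % h["version"]
    usable = [ALLOWED_SUITES[s] for s in h["tls_suites"] if s in ALLOWED_SUITES]
    if not usable:
        return False, "no allow-listed cipher suite offered"
    return True, usable[0]  # first match in the client's preference order

def build_v2_hello(version: int, suites, v2_ciphers=()) -> bytes:
    """Construct a sample SSLv2Hello for local testing (16-byte fixed challenge)."""
    specs = b"".join(b"\x00" + s.to_bytes(2, "big") for s in suites)
    specs += b"".join(bytes.fromhex(c) for c in v2_ciphers)
    body = b"\x01" + struct.pack(">HHHH", version, len(specs), 0, 16) + specs + b"\x11" * 16
    return struct.pack(">H", 0x8000 | len(body)) + body
```

A server that honours such a hello still negotiates TLSv1.2 with a TLS suite; only a hello that advertises a lower version or offers nothing from the filter is turned away.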