Affects Version/s: None
Environment:OpenJDK7 w JBoss 7.1.1.GA to OpenJDK8 w Wildfly 14.0.1
Issue discovered during:Integration
Sprint:EJBCA Team Bob - 2019 w2
org.ejbca.peerconnector.PeerConnectionsTest fail with Received fatal alert: handshake_failure when TLSv1 is not enabled on the server side.
In the server log we have (running with -Djavax.net.debug=ssl:handshake:
Wildfly 14 was configured to only allow "TLSv1.2" with
As of JDK7 u131 from 2017, TLSv1.2 is available:
- OracleJDK7: https://bugs.openjdk.java.net/browse/JDK-8169773
- OpenJDK7: https://www.oracle.com/technetwork/java/javase/7u131-relnotes-3338543.html
And the list of TLS versions in the SunProvider both list "SSLv3", "TLSv1", "TLSv1.1" and "TLSv1.2":
Since TLSv1.2 has been the recommended version for IETF protocols since 2008, it might be time to at least ensure that the we:
- default to using TLSv1.2 and a suitable cipher suite for AuthenticationKeyBindings → the first in the list is selected and that is currently TLSv1.2;TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- the test uses this new default to detect the next time where the default isn't working → this needs fixing
Could we auto-detect and report accepted TLS versions, accepted ciphers and trusted certs from the EJBCA Admin GUI and report any mismatch to the current config or suggest new settings?