  1. EJBCA
  2. ECA-7679

PeerConnectionsTest uses TLSv1, but should use TLSv1.2

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.0.0, EJBCA 6.15.2
    • Component/s: None
    • Labels:
      None
    • Environment:
      OpenJDK7 w JBoss 7.1.1.GA to OpenJDK8 w Wildfly 14.0.1

      Description

      org.ejbca.peerconnector.PeerConnectionsTest fails with "Received fatal alert: handshake_failure" when TLSv1 is not enabled on the server side.

      Background

      In the server log we have (running with -Djavax.net.debug=ssl:handshake):

      ... INFO  [stdout] (default task-52) *** ClientHello, TLSv1
      ... INFO  [stdout] (default task-52) RandomCookie:  GMT: ... bytes = { 119, ... }
      ... INFO  [stdout] (default task-52) Session ID:  {}
      ... INFO  [stdout] (default task-52) Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA]
      ... INFO  [stdout] (default task-52) Compression Methods:  { 0 }
      ... INFO  [stdout] (default task-52) Extension extended_master_secret
      ... INFO  [stdout] (default task-52) Extension renegotiation_info, renegotiated_connection: <empty>
      ... INFO  [stdout] (default task-52) ***
      ... INFO  [stdout] (default task-52) default task-52, fatal error: 40: Client requested protocol TLSv1 not enabled or not supported
      ... INFO  [stdout] (default task-52) javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
      ... INFO  [stdout] (default task-52) default task-52, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
      ... INFO  [stdout] (default task-52) default task-52, WRITE: TLSv1.2 Alert, length = 2
      ... INFO  [stdout] (default I/O-12) default I/O-12, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
      ... INFO  [stdout] (default I/O-12) default I/O-12, called closeInbound()
      ... INFO  [stdout] (default task-53) default task-53, READ: TLSv1.2 Alert, length = 2
      ... INFO  [stdout] (default I/O-12) default I/O-12, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
      ... INFO  [stdout] (default I/O-12) default task-53default I/O-12, called closeOutbound()
      ... INFO  [stdout] (default I/O-12) , RECV TLSv1.2 ALERT:  default I/O-12, closeOutboundInternal()
      ... INFO  [stdout] (default task-53) fatal, handshake_failure
      ... INFO  [stdout] (default task-53) default task-53, called closeSocket()
      ... INFO  [stdout] (default task-53) default task-53, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
      ... ERROR [org.ejbca.peerconnector.client.PeerConnectorPool] (default task-53) Failed connection to https://f87688985f9c:8443/ejbca/peer/v1: Received fatal alert: handshake_failure
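
One way to find this failure in a large debug log, as an added example (not EJBCA code): the script pairs each ClientHello with a protocol-version rejection logged on the same thread, since the debug output interleaves threads. The sample log is constructed in the format shown above, and all function and variable names are hypothetical.

```python
import re

# Constructed sample, modelled on the -Djavax.net.debug=ssl:handshake output above.
SAMPLE_LOG = """\
... INFO  [stdout] (default task-52) *** ClientHello, TLSv1
... INFO  [stdout] (default task-52) Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA]
... INFO  [stdout] (default task-52) default task-52, fatal error: 40: Client requested protocol TLSv1 not enabled or not supported
... INFO  [stdout] (default task-52) javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
... INFO  [stdout] (default task-52) default task-52, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
... INFO  [stdout] (default task-60) *** ClientHello, TLSv1.2
... INFO  [stdout] (default task-60) Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA256]
... INFO  [stdout] (default task-60) *** ServerHello, TLSv1.2
"""

LINE = re.compile(r"\[stdout\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
HELLO = re.compile(r"\*\*\* ClientHello, (?P<ver>\S+)")
SUITES = re.compile(r"Cipher Suites: \[(?P<suites>[^\]]*)\]")
REJECT = re.compile(r"Client requested protocol (?P<ver>\S+) not enabled or not supported")


def rejected_client_hellos(log_text):
    """Return one record per ClientHello the server refused by protocol version."""
    pending = {}   # thread name -> most recent ClientHello seen on that thread
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        if (h := HELLO.search(msg)):
            pending[thread] = {"thread": thread, "offered": h.group("ver"), "suites": []}
        elif (s := SUITES.search(msg)) and thread in pending:
            names = s.group("suites").split(",")
            pending[thread]["suites"] = [n.strip() for n in names if n.strip()]
        elif (r := REJECT.search(msg)) and thread in pending:
            # pop() so the repeated exception line on the same thread, and the
            # rethrow on the I/O thread, are not counted as extra handshakes.
            hello = pending.pop(thread)
            if hello["offered"] == r.group("ver"):
                findings.append(hello)
    return findings


if __name__ == "__main__":
    for f in rejected_client_hellos(SAMPLE_LOG):
        print(f"{f['thread']}: client offered {f['offered']} with {f['suites']}, server refused")
```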
      

      Wildfly 14 was configured to only allow "TLSv1.2" with:

      JAVA_OPTS="$JAVA_OPTS_WILDFLYCLI" /opt/wildfly/bin/jboss-cli.sh --connect "
      /subsystem=elytron/key-store=httpsKS:add(path=keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text="${keyStorePassword}"},type=JKS),
      /subsystem=elytron/key-store=httpsTS:add(path=truststore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text="${trustStorePassword}"},type=JKS),
      /subsystem=elytron/key-manager=httpsKM:add(key-store=httpsKS,algorithm="SunX509",credential-reference={clear-text="${keyStorePassword}"}),
      /subsystem=elytron/trust-manager=httpsTM:add(key-store=httpsTS),
      /subsystem=elytron/server-ssl-context=httpsSSC:add(key-manager=httpsKM,protocols=["TLSv1.2"],trust-manager=httpsTM,need-client-auth=false,authentication-optional=true,want-client-auth=true),
      /socket-binding-group=standard-sockets/socket-binding=https:add(interface=public,port=8443),
      /subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https,allow-encoded-slash=true,enable-http2=true,ssl-context=httpsSSC)
      " | grep -v "success" | log "WARN"
      

      As of JDK7 u131 from 2017, TLSv1.2 is available:

      And the list of TLS versions in the SunProvider both list "SSLv3", "TLSv1", "TLSv1.1" and "TLSv1.2":

      Ticket scope

      Since TLSv1.2 has been the recommended version for IETF protocols since 2008, it might be time to at least ensure that:

      • we default to using TLSv1.2 and a suitable cipher suite for AuthenticationKeyBindings → the first in the list is selected and that is currently TLSv1.2;TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
      • the test uses this new default, so that it detects the next time the default isn't working → this needs fixing

      Potential nice-to-have followup ticket

      Could we auto-detect and report accepted TLS versions, accepted ciphers and trusted certs from the EJBCA Admin GUI and report any mismatch to the current config or suggest new settings?

            People

            • Assignee:
              johan Johan Eklund
              Reporter:
              johan Johan Eklund
              Verified by:
              Tomas Gustavsson