Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-17638

(7.3.z) Enabling one-way ssl using elytron with key length < 2048 returns non user friendly error message

    XMLWordPrintable

Details

    • +
    • Hide
      1. download JBoss EAP, unzip and move in the bin dir: 
        $ cd jboss-eap-7.3/bin
      2. create a keystore 
        $ keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ../standalone/configuration/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
      3. try to configure OpenSSL provider for SSL connections with previously generated keystore file 
        $ jboss-cli.sh --error-on-interact --connect --commands="/subsystem=elytron/key-store=sslKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)"
$ jboss-cli.sh --error-on-interact --connect --commands="/subsystem=elytron/key-manager=sslKM:add(key-store=sslKS,algorithm="SunX509",credential-reference={clear-text=secret})"
$ jboss-cli.sh --error-on-interact --connect --commands="/subsystem=elytron/server-ssl-context=sslSSC:add(providers=openssl,key-manager=sslKM,protocols=["TLSv1.2"])"
      4. see error in the server.log file
      Show
      download JBoss EAP, unzip and move in the bin dir: $ cd jboss-eap-7.3/bin create a keystore $ keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ../standalone/configuration/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret try to configure OpenSSL provider for SSL connections with previously generated keystore file $ jboss-cli.sh --error-on-interact --connect --commands= "/subsystem=elytron/key-store=sslKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)" $ jboss-cli.sh --error-on-interact --connect --commands= "/subsystem=elytron/key-manager=sslKM:add(key-store=sslKS,algorithm=" SunX509 ",credential-reference={clear-text=secret})" $ jboss-cli.sh --error-on-interact --connect --commands= "/subsystem=elytron/server-ssl-context=sslSSC:add(providers=openssl,key-manager=sslKM,protocols=[" TLSv1.2 "])" see error in the server.log file

    Description

      When enabling SSL/TLS via OpenSSL provider using the Elytron subsystem, we've ran into following issue:

      server.log
      10:04:39,169 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.security.ssl-context.sslSSC: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.sslSSC: Failed to start service
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1729)
	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: Error setting certificate (%s)
	at org.wildfly.openssl.OpenSSLContextSPI.init(OpenSSLContextSPI.java:278)
	at org.wildfly.openssl.OpenSSLContextSPI.engineInit(OpenSSLContextSPI.java:358)
	at javax.net.ssl.SSLContext.init(SSLContext.java:282)
	at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:371)
	at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:1043)
	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)
	... 6 more
Caused by: java.lang.IllegalStateException: Error setting certificate (%s)
	at org.wildfly.openssl.SSLImpl.setCertificate0(Native Method)
	at org.wildfly.openssl.SSLImpl.setCertificate(SSLImpl.java:598)
	at org.wildfly.openssl.OpenSSLContextSPI.init(OpenSSLContextSPI.java:225)
	... 14 more

      This error occured only on RHEL8 system. It turned out that root cause is a certificate we create like this:

      keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ../standalone/configuration/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret

      Although, system OpenSSL on RHEL8 is much stricter and key length 1024 is not strong enough. One needs to use longer keysize obviously since when we used 2048 keylength, all started to work.

      This issue is about making this problem more visible to user from the log message in server.log file that is shown before. Also notice that there is a '%s' placeholder, which looks like it should be replaced by some actual error message but it was not.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFSSL-15 Enabling one-way ssl using elytron with key length < 2048 returns non user friendly error message

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              rhn-support-rmartinc Ricardo Martin Camarero
              fburzigo Fabio Burzigotti
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: