WildFly Core: WFCORE-4571

Value of 'soft-fail' attribute in 'elytron/trust-manager' is not propagated

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 10.0.0.Beta2
    • Fix Version/s: 10.0.0.Beta4
    • Component/s: Security
    • Labels: None
    • Steps to Reproduce:

      Prepare the certificates and start an OCSP responder via OpenSSL:

      mkdir certs && cd certs
      # download the attached make-certs.sh script (it generates the necessary certificates) into this directory
      bash ./make-certs.sh valid-cert test@ex.com all ocsp:http://127.0.0.1:8088
      openssl ocsp -index ca.db -port 8088 -rsigner ca.pem -CA ca.pem -out ocsp_responder.out -text
      

      Prepare the OCSP truststore for WildFly (the CA certificate is the only trusted entry):

      keytool -importcert -keystore ocsp-truststore.jks -storepass weneedthatforjava -alias ca -trustcacerts -file ca.crt -noprompt
      

      Prepare the WildFly server

      1. Set up the server-ssl-context:
        ./bin/standalone.sh &
        curl https://localhost:8443 -k # a first request against the server autogenerates the server certificate and keystore
        
        ./bin/jboss-cli.sh -c
        /subsystem=elytron/key-store=serverKS:add(credential-reference={clear-text=password},path=application.keystore,relative-to=jboss.server.config.dir)
        /subsystem=elytron/key-manager=serverKM:add(credential-reference={clear-text=password},key-store=serverKS)
        /subsystem=elytron/server-ssl-context=serverSslContext:add(key-manager=serverKM)
        batch
        /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
        /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=serverSslContext)
        run-batch
        reload
        
      2. Set up two-way SSL authentication with 'soft-fail' set to true:
        (adjust the truststore path as needed)
        /subsystem=elytron/key-store=ocspKS:add(credential-reference={clear-text=weneedthatforjava},path=/tmp/certs/ocsp-truststore.jks)
        /subsystem=elytron/key-manager=ocspKM:add(credential-reference={clear-text=weneedthatforjava},key-store=ocspKS)
        /subsystem=elytron/trust-manager=oscpTM:add(key-store=ocspKS, soft-fail=true)
        /subsystem=elytron/server-ssl-context=serverSslContext:write-attribute(name=trust-manager,value=oscpTM)
        /subsystem=elytron/server-ssl-context=serverSslContext:write-attribute(name=need-client-auth,value=true)
        reload
        
      3. Set up the OCSP check (responder URL from the make-certs.sh invocation above):
        /subsystem=elytron/trust-manager=oscpTM:write-attribute(name=ocsp.responder,value="http://127.0.0.1:8088")
        reload
        
      4. Check that the server welcome page is accessible with the valid certificate while the OCSP responder is running:
        curl -k https://127.0.0.1:8443 --key valid-cert.key --cert valid-cert.pem  # success
        
      5. Stop the OCSP responder (Ctrl-C the openssl process).
      6. We expect to still have access to the welcome page because soft-fail is enabled, but this is not true with the current code:
        curl -k https://127.0.0.1:8443 --key valid-cert.key --cert valid-cert.pem  # success expected, but failed instead :(
        
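      The following program is an added example, not part of this issue and not WildFly/Elytron code. It reproduces the expected semantics of the soft-fail setting directly with the JDK's PKIXRevocationChecker, which is the mechanism a trust-manager's soft-fail option relies on (SOFT_FAIL lets validation succeed when the OCSP responder cannot be reached). Run it after step 5, with the responder stopped: the strict validation must be rejected and the soft-fail one accepted. It assumes the file names produced by the steps above (certs/ca.crt as the CA certificate, certs/valid-cert.pem as the client certificate) and the responder URL http://127.0.0.1:8088; the class name SoftFailCheck is made up for this example.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

/**
 * Validates the client certificate against the CA with OCSP revocation checking,
 * once with SOFT_FAIL off and once with it on. With the OCSP responder stopped,
 * the strict run must reject the certificate and the soft-fail run must accept it
 * while reporting the network failure as a soft-fail exception. That is the
 * behaviour a trust-manager with soft-fail=true is expected to show at the TLS layer.
 */
public class SoftFailCheck {

    // Reads a single PEM or DER encoded X.509 certificate from disk.
    static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Returns true if PKIX validation of the leaf against the CA succeeds, false if it is rejected. */
    static boolean validate(X509Certificate ca, X509Certificate leaf, URI responder, boolean softFail)
            throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpv.getRevocationChecker();
        checker.setOcspResponder(responder);                 // same URL as the trust-manager 'ocsp.responder' attribute
        Set<Option> options = EnumSet.of(Option.ONLY_END_ENTITY, Option.NO_FALLBACK); // OCSP only, no CRL fallback
        if (softFail) {
            options.add(Option.SOFT_FAIL);                   // the JDK option behind a soft-fail=true trust-manager
        }
        checker.setOptions(options);

        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
        params.addCertPathChecker(checker);                  // overrides the default revocation checker
        params.setRevocationEnabled(true);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
        try {
            cpv.validate(path, params);
            // With SOFT_FAIL, an unreachable responder is recorded here instead of failing validation.
            for (CertPathValidatorException e : checker.getSoftFailExceptions()) {
                System.out.println("  soft-failed revocation check: " + e.getReason() + " (" + e.getMessage() + ")");
            }
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("  rejected: " + e.getReason() + " (" + e.getMessage() + ")");
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed layout: the certs/ directory produced by make-certs.sh, CA cert first, client cert second.
        X509Certificate ca = loadCert(args.length > 0 ? args[0] : "certs/ca.crt");
        X509Certificate leaf = loadCert(args.length > 1 ? args[1] : "certs/valid-cert.pem");
        URI responder = URI.create("http://127.0.0.1:8088");

        System.out.println("soft-fail=false:");
        boolean strict = validate(ca, leaf, responder, false);
        System.out.println("soft-fail=true:");
        boolean soft = validate(ca, leaf, responder, true);

        System.out.println("strict=" + (strict ? "accepted" : "rejected")
                + ", soft=" + (soft ? "accepted" : "rejected"));
        if (!strict && soft) {
            System.out.println("OK: responder unreachable, SOFT_FAIL lets the valid certificate through");
        }
    }
}
```

      Compile and run with `javac SoftFailCheck.java && java SoftFailCheck certs/ca.crt certs/valid-cert.pem`. Note that reading the attribute back with `/subsystem=elytron/trust-manager=oscpTM:read-attribute(name=soft-fail)` is not a sufficient check for this bug: the configuration model returns true while the runtime trust manager ignores it, so only the behavioural test in step 6 (or this program, for the JDK layer alone) shows the difference.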

      Description

      The value of the 'soft-fail' attribute on the 'trust-manager' resource is not propagated correctly from the configuration to the server. As a result, the runtime trust manager always behaves as if the value were 'false', so a client certificate is rejected whenever the OCSP responder is unreachable, even when soft-fail is set to 'true'. See the steps to reproduce for details.

              People

              • Assignee: Jan Stourac (jstourac)
              • Reporter: Jan Stourac (jstourac)
              • Votes: 0
              • Watchers: 2
