WildFly Core: WFCORE-4571

Value of 'soft-fail' attribute in 'elytron/trust-manager' is not propagated


Details

Steps to Reproduce

      Prepare certs and start the OCSP responder via OpenSSL:

      mkdir certs && cd certs
      # download the attached make-certs.sh script (it generates the necessary certificates) into this directory
      bash ./make-certs.sh valid-cert test@ex.com all ocsp:http://127.0.0.1:8088
      openssl ocsp -index ca.db -port 8088 -rsigner ca.pem -CA ca.pem -out ocsp_responder.out -text
      

      Prepare OCSP truststore for WildFly

      keytool -importcert -keystore ocsp-truststore.jks -storepass weneedthatforjava -alias ca -trustcacerts -file ca.crt -noprompt
      

      Prepare WildFly server

      1. setup server-ssl-context:
        ./bin/standalone.sh &
        curl https://localhost:8443 -k # perform request against server to autogenerate server certificate and keystore
        
        ./bin/jboss-cli.sh -c
        /subsystem=elytron/key-store=serverKS:add(credential-reference={clear-text=password},path=application.keystore,relative-to=jboss.server.config.dir)
        /subsystem=elytron/key-manager=serverKM:add(credential-reference={clear-text=password},key-store=serverKS)
        /subsystem=elytron/server-ssl-context=serverSslContext:add(key-manager=serverKM)
        batch
        /subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
        /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=serverSslContext)
        run-batch
        reload
        
      2. set up two-way SSL auth with 'soft-fail' set to true:
        (adjust the truststore path to match your environment)
        /subsystem=elytron/key-store=ocspKS:add(credential-reference={clear-text=weneedthatforjava},path=/tmp/certs/ocsp-truststore.jks)
        /subsystem=elytron/key-manager=ocspKM:add(credential-reference={clear-text=weneedthatforjava},key-store=ocspKS)
        /subsystem=elytron/trust-manager=oscpTM:add(key-store=ocspKS, soft-fail=true)
        /subsystem=elytron/server-ssl-context=serverSslContext:write-attribute(name=trust-manager,value=oscpTM)
        /subsystem=elytron/server-ssl-context=serverSslContext:write-attribute(name=need-client-auth,value=true)
        reload
        
      3. set up the OCSP check:
        /subsystem=elytron/trust-manager=oscpTM:write-attribute(name=ocsp.responder,value="http://127.0.0.1:8088")
        reload
        
      4. check that you can access server welcome-page with valid certificate when OCSP responder is active:
        curl -k https://127.0.0.1:8443 --key valid-cert.key --cert valid-cert.pem  # success
        
      5. stop OCSP responder (ctrl-c on openssl process)
      6. we expect to still have access to the welcome page because soft-fail is enabled, but with the current code this is not the case:
        curl -k https://127.0.0.1:8443 --key valid-cert.key --cert valid-cert.pem  # success expected, but failed instead :(
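
The curl checks in steps 4 to 6 can be turned into a handshake-level probe that tells you which soft-fail behaviour the server actually applies. The following Python is an added example, not code from the report or from WildFly; it assumes the report's host, port and certificate file names (valid-cert.pem, valid-cert.key) and, like `curl -k`, skips server verification because only the server's decision about the client certificate matters here.

```python
# Added example (not from WFCORE-4571): probe whether the trust-manager's
# soft-fail setting is in effect by attempting a mutual-TLS handshake with
# the OCSP responder running and then stopped.
import socket
import ssl

SOFT_FAIL = "soft-fail in effect: client cert accepted with the responder down"
HARD_FAIL = "soft-fail NOT in effect: client cert rejected once the responder is down"
INCONCLUSIVE = "inconclusive: handshake fails even with the responder up (check cert/truststore)"


def mtls_handshake_ok(host, port, cert_file, key_file, timeout=5.0):
    """True if the server completes a mutual-TLS handshake and answers an HTTP request."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # same as curl -k; we only test the server's client-cert decision
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                # A rejected client cert surfaces here as a TLS alert (SSLError)
                # or as an empty read after the server closes the connection.
                return tls.recv(256).startswith(b"HTTP/")
    except (ssl.SSLError, OSError):
        return False


def classify_soft_fail(ok_with_responder, ok_without_responder):
    """Map the two observations to the effective soft-fail behaviour."""
    if not ok_with_responder:
        return INCONCLUSIVE
    return SOFT_FAIL if ok_without_responder else HARD_FAIL


if __name__ == "__main__":
    # Defaults follow the report's reproduction setup (assumed file names).
    host, port, cert, key = "127.0.0.1", 8443, "valid-cert.pem", "valid-cert.key"
    with_responder = mtls_handshake_ok(host, port, cert, key)
    input("Stop the OCSP responder (Ctrl-C on the openssl process), then press Enter...")
    without_responder = mtls_handshake_ok(host, port, cert, key)
    print(classify_soft_fail(with_responder, without_responder))
```

With the bug described in this issue, a server configured with soft-fail=true reports HARD_FAIL; the fixed server reports SOFT_FAIL.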
        

    Description

      The value of the 'soft-fail' attribute of the 'trust-manager' resource is not propagated correctly from the configuration to the server, so the server always behaves as if it were set to 'false'. See the steps to reproduce section for more details.

People: Jan Stourac (jstourac@redhat.com)