Loading...

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 1.0.9.Final
Affects Version/s: 1.0.8.Final
Labels:
None

Git Pull Request:
https://github.com/wildfly/wildfly-openssl/pull/69
Steps to Reproduce:
Hide

download JBoss EAP, unzip and move in the bin dir:

$ cd jboss-eap-7.3/bin

create a keystore

$ keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ../standalone/configuration/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret

try to configure OpenSSL provider for SSL connections with previously generated keystore file

$ jboss-cli.sh --error-on-interact --connect --commands="/subsystem=elytron/key-store=sslKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)" $ jboss-cli.sh --error-on-interact --connect --commands="/subsystem=elytron/key-manager=sslKM:add(key-store=sslKS,algorithm="SunX509",credential-reference={clear-text=secret})" $ jboss-cli.sh --error-on-interact --connect --commands="/subsystem=elytron/server-ssl-context=sslSSC:add(providers=openssl,key-manager=sslKM,protocols=["TLSv1.2"])"

see error in the server.log file
Show
download JBoss EAP, unzip and move in the bin dir: $ cd jboss-eap-7.3/bin create a keystore $ keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ../standalone/configuration/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret try to configure OpenSSL provider for SSL connections with previously generated keystore file $ jboss-cli.sh --error-on-interact --connect --commands= "/subsystem=elytron/key-store=sslKS:add(path=server.keystore.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=secret},type=JKS)" $ jboss-cli.sh --error-on-interact --connect --commands= "/subsystem=elytron/key-manager=sslKM:add(key-store=sslKS,algorithm=" SunX509 ",credential-reference={clear-text=secret})" $ jboss-cli.sh --error-on-interact --connect --commands= "/subsystem=elytron/server-ssl-context=sslSSC:add(providers=openssl,key-manager=sslKM,protocols=[" TLSv1.2 "])" see error in the server.log file

SFDC Cases Counter:
SFDC Cases Links:

When enabling SSL/TLS via OpenSSL provider using the Elytron subsystem, we've ran into following issue:

server.log

10:04:39,169 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.security.ssl-context.sslSSC: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.sslSSC: Failed to start service
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1729)
	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: Error setting certificate (%s)
	at org.wildfly.openssl.OpenSSLContextSPI.init(OpenSSLContextSPI.java:278)
	at org.wildfly.openssl.OpenSSLContextSPI.engineInit(OpenSSLContextSPI.java:358)
	at javax.net.ssl.SSLContext.init(SSLContext.java:282)
	at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:371)
	at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:1043)
	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)
	... 6 more
Caused by: java.lang.IllegalStateException: Error setting certificate (%s)
	at org.wildfly.openssl.SSLImpl.setCertificate0(Native Method)
	at org.wildfly.openssl.SSLImpl.setCertificate(SSLImpl.java:598)
	at org.wildfly.openssl.OpenSSLContextSPI.init(OpenSSLContextSPI.java:225)
	... 14 more

This error occured only on RHEL8 system. It turned out that root cause is a certificate we create like this:

keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore ../standalone/configuration/server.keystore.jks -dname "CN=localhost" -keypass secret -storepass secret

Although, system OpenSSL on RHEL8 is much stricter and key length 1024 is not strong enough. One needs to use longer keysize obviously since when we used 2048 keylength, all started to work.

This issue is about making this problem more visible to user from the log message in server.log file that is shown before. Also notice that there is a '%s' placeholder, which looks like it should be replaced by some actual error message but it was not.

clones

JBEAP-17638 (7.3.z) Enabling one-way ssl using elytron with key length < 2048 returns non user friendly error message

Verified

Details

Description

Attachments

Issue Links

Activity

People

Dates