GLASSFISH-8051

enabling ssl2 for orb listener should fail

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: V3
    • Fix Version/s: not determined
    • Component/s: security
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: All

    • Issuezilla Id:
      8051

      Description

      Running

        asadmin set server.iiop-service.iiop-listener.SSL.ssl.ssl2_enabled=true

      prints

        iiop-service.iiop-listener.SSL.ssl.ssl2-enabled=true
        Command set executed successfully.

      In V2.1 we disallow this and the command will fail with the message "ssl2 cannot be
      enabled for an iiop-listener".

        Activity

        km added a comment -

        Since ssl element is shared, we need to put this additional validation in the
        command implementation. Nachiappan knows about these commands.

        sankarpn added a comment -

        V2 behavior. I don't know what is behind the prohibition of enabling ssl2 in v2,
        but it is not allowed.

        So do the set command.

        1. ./asadmin create-ssl --type iiop-listener --certname s1as --ssl2enabled=true iiopls1

           ADMVAL1034: ssl2 cannot be enabled for an iiop-listener
           ADMVAL1070: Create of ssl is rejected.
           CLI137 Command create-ssl failed.

        2. ./asadmin set server.iiop-service.iiop-listener.iiopls1.ssl.ssl2-enabled=true

           ADMVAL1034: ssl2 cannot be enabled for an iiop-listener
           ADMVAL1070: Change of ssl is rejected.
           CLI137 Command set failed.

        So if the user tries to set the ssl2enabled flag to true, fail the set command.

        psterk added a comment -

        Taking a look at this bug. Contacting Nachiappan Veerappan for initial strategy.

        nachi_glassfish added a comment -

        Changing status to P4.

        The bug description says that the user should not be able to configure SSL2 for an
        iiop-listener because the ORB does not support the SSL2 protocol.
        The bug status is changed to P4 because, even though we are able to configure
        SSL2 for an iiop-listener in V3, the runtime has nothing to do with that.
        I.e., though an entry is made in domain.xml (under iiop-listener) when

          asadmin set server.iiop-service.iiop-listener.SSL.ssl.ssl2_enabled=true

        is executed (echoed as iiop-service.iiop-listener.SSL.ssl.ssl2-enabled=true), the
        runtime is not affected.

        I am currently investigating the way to do bean validation to fix the bug.

        Tom Mueller added a comment -

        Please evaluate this issue as to whether it still applies?
        Is SSL2 still not allowed for the IIOP listener in v3?

        Ken Cavanaugh added a comment -

        This is a security issue, not an ORB issue, because all of the CSIv2 implementation is
        currently external to the ORB.

        kumarjayanti added a comment -

        Just tried the following on V3.1

        ./asadmin create-ssl --type iiop-listener --certname s1as --ssl2enabled=true orb-listener-1
        Command create-ssl executed successfully.

        and I see the following in domain.xml:

        <iiop-listener port="3700" id="orb-listener-1" address="0.0.0.0" lazy-init="true">
        <ssl ssl2-enabled="true" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"></ssl>
        </iiop-listener>

        kumarjayanti added a comment -

        The supported protocols in JSSE are:

        • SSLv2Hello
        • SSLv3
        • TLSv1

        http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

        The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0 and TLS 1.0. It does not implement SSL 2.0.

        So yes the validation code in create-ssl probably needs to be enabled/implemented in V3 as well. But this is not a security module bug since the security team does not own create-ssl command. Please reassign appropriately.

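        The thread above establishes two things: the V2 create-ssl/set commands rejected ssl2-enabled=true on an iiop-listener with ADMVAL1034, and on V3/V3.1 the same setting is accepted and written to domain.xml even though JSSE never implements SSL 2.0. The following is an added example for this page (it is not GlassFish code and not from any commenter) that reproduces the missing check in two places: as a pre-write validation of an "asadmin set name=value" argument, and as an audit over an existing domain.xml. The domain.xml text is constructed from the orb-listener-1 element posted above plus a hypothetical second listener named "SSL"; the dotted-name layout and the ADMVAL1034/ADMVAL1070/CLI137 messages are taken from the V2 output quoted earlier in the thread, and the underscore-to-hyphen normalisation mirrors the echo shown in the description.

```python
"""Reject or flag ssl2-enabled="true" on a GlassFish iiop-listener <ssl> element.

Added example for GLASSFISH-8051; not GlassFish code. The rule is the one the
issue describes (ADMVAL1034): ssl2 may not be enabled for an iiop-listener.
"""
import xml.etree.ElementTree as ET

# Constructed sample domain.xml: the orb-listener-1 element quoted in the thread
# plus a hypothetical second listener "SSL" with ssl2 left disabled.
SAMPLE_DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <iiop-service>
        <iiop-listener port="3700" id="orb-listener-1" address="0.0.0.0" lazy-init="true">
          <ssl ssl2-enabled="true" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"></ssl>
        </iiop-listener>
        <iiop-listener port="3820" id="SSL" address="0.0.0.0" security-enabled="true">
          <ssl ssl2-enabled="false" cert-nickname="s1as"></ssl>
        </iiop-listener>
      </iiop-service>
    </config>
  </configs>
</domain>
"""

# Message texts copied from the V2 command output quoted in the thread.
ADMVAL1034 = "ADMVAL1034: ssl2 cannot be enabled for an iiop-listener"
ADMVAL1070_CHANGE = "ADMVAL1070: Change of ssl is rejected."
CLI137_SET = "CLI137 Command set failed."


def _is_true(value):
    return (value or "").strip().lower() == "true"


def validate_iiop_ssl(ssl_attrs):
    """Validate the attributes of one iiop-listener <ssl> element.

    Returns None when acceptable, otherwise the ADMVAL1034 rejection message.
    """
    if _is_true(ssl_attrs.get("ssl2-enabled")):
        return ADMVAL1034
    return None


def check_set_command(assignment):
    """Pre-write check for an 'asadmin set name=value' argument, as V2 did.

    Returns the list of messages V2 printed on rejection, or an empty list when
    the change may proceed. Only the dotted name
    server.iiop-service.iiop-listener.<id>.ssl.<attr> is examined; other names
    are passed through untouched.
    """
    name, _, value = assignment.partition("=")
    parts = name.split(".")
    if (len(parts) == 6 and parts[1] == "iiop-service"
            and parts[2] == "iiop-listener" and parts[4] == "ssl"):
        # The description shows ssl2_enabled being echoed back as ssl2-enabled,
        # so normalise underscores before matching the attribute name.
        attr = parts[5].replace("_", "-")
        msg = validate_iiop_ssl({attr: value})
        if msg:
            return [msg, ADMVAL1070_CHANGE, CLI137_SET]
    return []


def audit_domain_xml(xml_text):
    """Return (listener_id, message) for every iiop-listener whose <ssl> child
    sets ssl2-enabled="true", i.e. config that V2 would have refused to write."""
    root = ET.fromstring(xml_text)
    findings = []
    for listener in root.iter("iiop-listener"):
        listener_id = listener.get("id", "?")
        for ssl in listener.findall("ssl"):
            msg = validate_iiop_ssl(ssl.attrib)
            if msg:
                findings.append((listener_id, msg))
    return findings


if __name__ == "__main__":
    for line in check_set_command(
            "server.iiop-service.iiop-listener.SSL.ssl.ssl2_enabled=true"):
        print(line)
    for listener_id, msg in audit_domain_xml(SAMPLE_DOMAIN_XML):
        print("%s: %s" % (listener_id, msg))
```

Because JSSE does not implement SSL 2.0, a flagged listener is not actually negotiating SSLv2; the audit exists to catch the stale, misleading configuration that the V3 commands let through, which is exactly why the thread treats this as a validation bug rather than a runtime one.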

          People

          • Assignee: sankarpn
          • Reporter: sankarpn
          • Votes: 0
          • Watchers: 0