[GLASSFISH-8051] enabling ssl2 for orb listener should fail Created: 28/Apr/09  Updated: 27/Mar/13

Status: Open
Project: glassfish
Component/s: security
Affects Version/s: V3
Fix Version/s: not determined

Type: Bug Priority: Minor
Reporter: sankarpn Assignee: sankarpn
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Operating System: All; Platform: All


Issuezilla Id: 8,051

Description

asadmin set server.iiop-service.iiop-listener.SSL.ssl.ssl2_enabled=true
iiop-service.iiop-listener.SSL.ssl.ssl2-enabled=true

Command set executed successfully.

In V2.1 we disallow this and the command will fail with message "ssl2 cannot be
enabled for an iiop-listener"

Comments
Comment by km [ 23/Sep/09 ]

Since ssl element is shared, we need to put this additional validation in the
command implementation. Nachiappan knows about these commands.

Comment by sankarpn [ 28/Oct/09 ]

V2 behavior. I don't know what is behind the prohibition of enabling ssl2 in v2,
but it is not allowed.

So does the set command.

  1. ./asadmin create-ssl --type iiop-listener --certname s1as --ssl2enabled=true iiopls1
     ADMVAL1034: ssl2 cannot be enabled for an iiop-listener
     ADMVAL1070: Create of ssl is rejected.
     CLI137 Command create-ssl failed.
  2. ./asadmin set server.iiop-service.iiop-listener.iiopls1.ssl.ssl2-enabled=true
     ADMVAL1034: ssl2 cannot be enabled for an iiop-listener
     ADMVAL1070: Change of ssl is rejected.
     CLI137 Command set failed.

So if the user tries to set the ssl2enabled flag to true, fail the set command.

Comment by psterk [ 29/Oct/09 ]

Taking a look at this bug. Contacting Nachiappan Veerappan for initial strategy.

Comment by nachi_glassfish [ 29/Oct/09 ]

Changing status to P4.

The bug description says that the user should not be able to configure SSL2 for an
iiop-listener because the ORB does not support the SSL2 protocol.
The bug status is changed to P4 because, even though we are able to configure
SSL2 for an iiop-listener in V3, the runtime has nothing to do with that.
(i.e.) Though an entry is made in domain.xml (under iiop-listener) when
asadmin set server.iiop-service.iiop-listener.SSL.ssl.ssl2_enabled=true
iiop-service.iiop-listener.SSL.ssl.ssl2-enabled=true is executed, the runtime is
not affected.

I am currently investigating the way to do bean validation to fix the bug.

Comment by Tom Mueller [ 14/Feb/11 ]

Please evaluate this issue as to whether it still applies.
Is SSL2 still not allowed for the IIOP listener in v3?

Comment by Ken Cavanaugh [ 14/Feb/11 ]

This is a security issue, not an ORB issue, because all of the CSIv2 implementation is
currently external to the ORB.

Comment by kumarjayanti [ 14/Feb/11 ]

Just tried the following on V3.1

./asadmin create-ssl --type iiop-listener --certname s1as --ssl2enabled=true orb-listener-1
Command create-ssl executed successfully.

and I see the following in domain.xml

<iiop-listener port="3700" id="orb-listener-1" address="0.0.0.0" lazy-init="true">
<ssl ssl2-enabled="true" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"></ssl>
</iiop-listener>

Comment by kumarjayanti [ 14/Feb/11 ]

The supported protocols in JSSE are:
SSLv2Hello,
SSLv3,
TLSv1

http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0 and TLS 1.0. It does not implement SSL 2.0.

So yes, the validation code in create-ssl probably needs to be enabled/implemented in V3 as well. But this is not a security module bug, since the security team does not own the create-ssl command. Please reassign appropriately.
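The V2 rejection described in sankarpn's comment and the domain.xml fragment quoted by kumarjayanti can be combined into a small configuration check. The following is an added example, not GlassFish code: it emulates the ADMVAL1034 rule for a proposed `asadmin set` dotted name and audits a constructed domain.xml sample for iiop-listeners that already carry `ssl2-enabled="true"` (which the ORB runtime ignores, so the flag misrepresents the listener's actual protocol support).

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample, modelled on the <iiop-listener> fragment quoted in the bug.
# orb-listener-1 has the bad flag; the second listener is a clean control case.
SAMPLE_DOMAIN_XML = """<domain><configs><config name="server-config"><iiop-service>
  <iiop-listener port="3700" id="orb-listener-1" address="0.0.0.0" lazy-init="true">
    <ssl ssl2-enabled="true" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl"
         cert-nickname="s1as"></ssl>
  </iiop-listener>
  <iiop-listener port="3820" id="SSL" address="0.0.0.0">
    <ssl ssl2-enabled="false" cert-nickname="s1as"></ssl>
  </iiop-listener>
</iiop-service></config></configs></domain>"""

ADMVAL1034 = "ADMVAL1034: ssl2 cannot be enabled for an iiop-listener"


def validate_set_command(dotted_name: str, value: str) -> Optional[str]:
    """Emulate the V2 check for 'asadmin set <dotted-name>=<value>'.

    Returns the rejection message when the attribute is the ssl2 flag of an
    iiop-listener's <ssl> element and the value is true; None means accepted.
    Both spellings seen in the report (ssl2-enabled / ssl2_enabled) are handled.
    """
    parts = dotted_name.split(".")
    if len(parts) < 4 or parts[-2] != "ssl":
        return None
    attr = parts[-1].replace("_", "-")
    if attr != "ssl2-enabled" or "iiop-listener" not in parts[:-2]:
        return None
    return ADMVAL1034 if value.strip().lower() == "true" else None


def audit_iiop_ssl2(domain_xml: str) -> List[str]:
    """Return ids of iiop-listeners whose <ssl> child has ssl2-enabled="true"."""
    root = ET.fromstring(domain_xml)
    offenders = []
    for listener in root.iter("iiop-listener"):
        ssl = listener.find("ssl")
        if ssl is not None and ssl.get("ssl2-enabled", "false").lower() == "true":
            offenders.append(listener.get("id", "<no id>"))
    return offenders


if __name__ == "__main__":
    print(validate_set_command(
        "server.iiop-service.iiop-listener.iiopls1.ssl.ssl2-enabled", "true"))
    print(audit_iiop_ssl2(SAMPLE_DOMAIN_XML))
```

Run against a real domain.xml, the audit reports the listener ids to clean up with `asadmin set ...ssl.ssl2-enabled=false`; the validator is the shape of the check the comments say the set/create-ssl commands should perform.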
Generated at Sat Apr 18 15:12:53 UTC 2015 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.