2 Replies. Latest reply: May 23, 2011 12:28 PM by Remy Maucherat

AS7: Web Subsystem: JSSE/OpenSSL Settings

Anil Saldhana Master

This thread is to capture the effort to derive a common configuration that can be used for both JSSE and OpenSSL. This is currently evident in the web subsystem (File: org.jboss.as.web.WebConnectorService)


Background

JFClere did background work on finding the settings for both jsse and openssl for the web subsystem. But since this is cross-cutting, we need the same for the security subsystem also.


https://github.com/jbossas/jboss-as/blob/master/web/src/main/resources/schema/jboss-web.xsd


sslType covers both JSSE and OpenSSL


Open SSL Settings:

  • PASSWORD: setSSLPassword
  • CERTIFICATE_KEY_FILE: setSSLCertificateKeyFile
  • CIPHER_SUITE: setSSLCipherSuite
  • PROTOCOL: setSSLProtocol
  • VERIFY_CLIENT: setSSLVerifyClient
  • VERIFY_DEPTH: setSSLVerifyDepth
  • CERTIFICATE_FILE: setSSLCertificateFile
  • CA_CERTIFICATE_FILE: setSSLCACertificateFile
  • CA_REVOCATION_URL: setSSLCARevocationFile


JSSE Settings:

  • KEY_ALIAS: setKeyAlias
  • PASSWORD: setKeypass
  • CERTIFICATE_KEY_FILE: setKeystore
  • CIPHER_SUITE: setCiphers
  • PROTOCOL: setProtocols
  • VERIFY_CLIENT: setClientauth
  • SESSION_CACHE_SIZE: setAttribute
  • SESSION_TIMEOUT: setAttribute


What is common between these two settings?

  • Password
  • Certificate Key File
  • Cipher Suite
  • Protocol
  • Verify Client


Proposal (to be Finalized)


Proposal 1: The common settings are typed as elements. The rest are placed as properties.


<ssl binding="jsse">
 <password></password>
 <certKeyFile/>
 <cipherSuite/>
 <protocol/>
 <verifyClient/>
 <property name="x" value="y"/>
 <property name="a" value="b"/>
</ssl>

<ssl binding="openssl">
 <password></password>
 <certKeyFile/>
 <cipherSuite/>
 <protocol/>
 <verifyClient/>
 <property name="x" value="y"/>
 <property name="a" value="b"/>
</ssl>


NOTE: the binding of jsse will be made the default, so there is no need to specify it if you are using jsse.


Proposal 2: For the non-common set of elements, we use an xsd:choice between jsse and openssl settings, each of which gets an xsd:sequence of elements.


Proposal 3: Copy the sslType from the web xsd into the security xsd. Then introduce the concept of a reference in sslType to refer to an sslType defined in another subsystem (namely security). That way, a subsystem can define the settings inline if it chooses to.
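To sanity-check Proposal 1, here is an added Python example (not code from this thread or from JBoss AS) that parses a proposed <ssl> element and resolves each common element and each property to the backend setter named in the two tables above, defaulting to the jsse binding as the NOTE says. The sample config, and the rule that a property is only valid for the binding whose table lists it, are my assumptions.

```python
import xml.etree.ElementTree as ET

# Common Proposal 1 elements -> backend setter, taken from the two tables in the post.
COMMON = {
    "password":     {"jsse": "setKeypass",    "openssl": "setSSLPassword"},
    "certKeyFile":  {"jsse": "setKeystore",   "openssl": "setSSLCertificateKeyFile"},
    "cipherSuite":  {"jsse": "setCiphers",    "openssl": "setSSLCipherSuite"},
    "protocol":     {"jsse": "setProtocols",  "openssl": "setSSLProtocol"},
    "verifyClient": {"jsse": "setClientauth", "openssl": "setSSLVerifyClient"},
}
# Backend-specific keys, allowed only as <property name=... value=.../> (assumption).
PROPERTIES = {
    "jsse": {"KEY_ALIAS": "setKeyAlias", "SESSION_CACHE_SIZE": "setAttribute",
             "SESSION_TIMEOUT": "setAttribute"},
    "openssl": {"VERIFY_DEPTH": "setSSLVerifyDepth", "CERTIFICATE_FILE": "setSSLCertificateFile",
                "CA_CERTIFICATE_FILE": "setSSLCACertificateFile",
                "CA_REVOCATION_URL": "setSSLCARevocationFile"},
}

def resolve_ssl_config(xml_text):
    """Return (binding, calls, errors) for one <ssl> element: calls is a list of
    (setter, key, value) in document order; errors lists anything the binding cannot apply."""
    root = ET.fromstring(xml_text)
    binding = root.get("binding", "jsse")  # jsse is the default per the NOTE
    calls, errors = [], []
    if binding not in PROPERTIES:
        return binding, calls, ["unknown binding: %s" % binding]
    for child in root:
        if child.tag in COMMON:
            calls.append((COMMON[child.tag][binding], child.tag, (child.text or "").strip()))
        elif child.tag == "property":
            name, value = child.get("name"), child.get("value")
            setter = PROPERTIES[binding].get(name)
            if setter is None:
                errors.append("property %r has no %s setter" % (name, binding))
            else:
                calls.append((setter, name, value))
        else:
            errors.append("unknown element <%s>" % child.tag)
    return binding, calls, errors

# Constructed sample: no binding attribute, so it resolves to jsse; VERIFY_DEPTH is OpenSSL-only.
SAMPLE = """<ssl>
 <certKeyFile>/path/to/server.keystore</certKeyFile>
 <protocol>TLS</protocol>
 <verifyClient>want</verifyClient>
 <property name="KEY_ALIAS" value="server"/>
 <property name="VERIFY_DEPTH" value="2"/>
</ssl>"""
```

Running resolve_ssl_config(SAMPLE) maps the three common elements and KEY_ALIAS to their JSSE setters and reports VERIFY_DEPTH as a property the jsse binding has no setter for.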

  • 1. AS7: Web Subsystem: JSSE/OpenSSL Settings
    Anil Saldhana Master

    We need some hook in the AS that will take in a bunch of Security Properties (Not JSSE) and do the following calls (in priv blocks of course):

    Security.setProperty(key,value)

  • 2. AS7: Web Subsystem: JSSE/OpenSSL Settings
    Remy Maucherat Novice

    I have objections to that plan. Usually, SSL configuration for web is more involved, and more security risk prone, which means updates sometimes. This would result in multiple components getting updates.

    Another issue is the incompatibility between the OpenSSL configuration (usable only by the web component for the foreseeable future) and the JSSE configuration.


    So I don't see much sharing. Or to put it another way, there's a lot of sharing possible for everything *but* the web component.