Closed glassfishrobot closed 4 years ago
@glassfishrobot Commented km said: Since ssl element is shared, we need to put this additional validation in the command implementation. Nachiappan knows about these commands.
@glassfishrobot Commented sankarpn said: V2 behavior. I don't know what is behind the prohibition of enabling ssl2 in v2, but it is not allowed.
So does the set command.
./asadmin create-ssl --type iiop-listener --certname s1as --ssl2enabled=true iiopls1
ADMVAL1034: ssl2 cannot be enabled for an iiop-listener
ADMVAL1070: Create of ssl is rejected.
CLI137 Command create-ssl failed.
./asadmin set server.iiop-service.iiop-listener.iiopls1.ssl.ssl2-enabled=true
ADMVAL1034: ssl2 cannot be enabled for an iiop-listener
ADMVAL1070: Change of ssl is rejected.
CLI137 Command set failed.
So if the user tries to set the ssl2enabled flag to true, fail the set command.
@glassfishrobot Commented psterk said: Taking a look at this bug. Contacting Nachiappan Veerappan for initial strategy.
@glassfishrobot Commented nachi_glassfish said: Changing status to P4.
The bug description says that the user should not be able to configure SSL2 for an iiop-listener because the ORB does not support the SSL2 protocol. The bug status is changed to P4, because even though we are able to configure SSL2 for iiop-listener in V3, the runtime has nothing to do with that. (i.e.,) Though an entry is made in domain.xml (under iiop-listener) when the asadmin set server.iiop-service.iiop-listener.SSL.ssl.ssl2_enabled=true iiop-service.iiop-listener.SSL.ssl.ssl2-enabled=true is executed, the runtime is not affected.
I am currently investigating the way to do bean validation to fix the bug.
@glassfishrobot Commented tmueller said: Please evaluate this issue as to whether it still applies? Is SSL2 still not allowed for the IIOP listener in v3?
@glassfishrobot Commented kcavanaugh said: This is a security issue, not an ORB issue, because all of the CSIv2 implementation is currently external to the ORB.
@glassfishrobot Commented @vbkumarjayanti said: Just tried the following on V3.1
./asadmin create-ssl --type iiop-listener --certname s1as --ssl2enabled=true orb-listener-1
Command create-ssl executed successfully.
and I see the following in domain.xml
@glassfishrobot Commented @vbkumarjayanti said: The supported protocols in JSSE are: SSLv2Hello, SSLv3, TLSv1,
http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
The JSSE implementation in the J2SDK 1.4 and later implements SSL 3.0 and TLS 1.0. It does not implement SSL 2.0.
So yes the validation code in create-ssl probably needs to be enabled/implemented in V3 as well. But this is not a security module bug since the security team does not own create-ssl command. Please reassign appropriately.
@glassfishrobot Commented Was assigned to sankarpn
@glassfishrobot Commented This issue was imported from java.net JIRA GLASSFISH-8051
@glassfishrobot Commented Reported by sankarpn
This issue has been marked as inactive and old and will be closed in 7 days if there is no further activity. If you want the issue to remain open please add a comment.
asadmin set server.iiop-service.iiop-listener.SSL.ssl.ssl2_enabled=true iiop-service.iiop-listener.SSL.ssl.ssl2-enabled=true
Command set executed successfully.
In V2.1 we disallow this and the command will fail with message "ssl2 cannot be enabled for an iiop-listener"
Environment
Operating System: All Platform: All
Affected Versions
[V3]
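
As an added illustration (not code from the GlassFish project or from anyone in this thread), the following Python check scans a domain.xml for the configuration the issue describes: an ssl element under an iiop-listener with ssl2-enabled=true. The sample XML, the port values and the function name find_iiop_ssl2 are constructed for the example; element and attribute names are inferred from the dotted names used in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the issue. Element and attribute names are
# assumed from the dotted name iiop-service.iiop-listener.<id>.ssl.ssl2-enabled.
SAMPLE_DOMAIN_XML = """
<domain>
  <configs>
    <config name="server-config">
      <iiop-service>
        <iiop-listener id="orb-listener-1" port="3700"/>
        <iiop-listener id="iiopls1" port="3820">
          <ssl cert-nickname="s1as" ssl2-enabled="true"/>
        </iiop-listener>
        <iiop-listener id="SSL" port="3821">
          <ssl cert-nickname="s1as" ssl2-enabled="false"/>
        </iiop-listener>
      </iiop-service>
      <network-config>
        <protocols>
          <protocol name="http-listener-2">
            <ssl cert-nickname="s1as" ssl2-enabled="true"/>
          </protocol>
        </protocols>
      </network-config>
    </config>
  </configs>
</domain>
"""

def find_iiop_ssl2(domain_xml: str):
    """Return (config name, listener id) for each iiop-listener whose ssl child enables SSL2."""
    root = ET.fromstring(domain_xml)  # input is a trusted local config file
    findings = []
    for config in root.iter("config"):
        for listener in config.iter("iiop-listener"):
            ssl = listener.find("ssl")
            if ssl is None:
                continue  # listener has no ssl element, nothing to check
            if ssl.get("ssl2-enabled", "false").strip().lower() == "true":
                findings.append((config.get("name"), listener.get("id")))
    return findings

if __name__ == "__main__":
    for config_name, listener_id in find_iiop_ssl2(SAMPLE_DOMAIN_XML):
        print(f"{config_name}: iiop-listener {listener_id} has ssl2-enabled=true")
```

Because the ssl element is shared with other listener types, the check only looks at ssl elements that are direct children of an iiop-listener and ignores the one under the HTTP protocol in the sample.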