Tech Thoughts: TLS version handles in outbound message (WSO2 ESB 4.9.0)

Environment:

WSO2 ESB 4.9.0

JKD version 1.8

For this explanation, I'm using 2 ESB instance. First ESB work as client (ESB-Client) and second ESB work as backend (ESB-backend), And also we assium that, ESB-backend support only TLSv1.2, ESB-Client inbound connection support only TLSv1.

According to the above scenario setup environment should be as below.

ESB-client inbound support: TLSv1
ESB-client outbound support: TLSv1.2
ESB-backend inbound support: TLSv1.2

1.) Setup ESB-client:

Change the PassThroughHttpSSLListener with HttpsProtocols as TLSv1 (axis2.xml)

.....

.....

</transportReceiver>

Note: According to the above configuration, only allow TLSv1 for the inbound connection. If you want to enable all the TLS you can set as <parameter name="HttpsProtocols">TLSv1,TLSv1.1,TLS1.2</parameter>

Change the PassThroughHttpSSLSender" with HttpsProtocols as TLSv1.2 (axis2.xml)

.....

.....

</transportSender>

2.) Set the offset to 0 (carbon.xml)

3.) Setup ESB-backend:

Change the PassThroughHttpSSLListener with HttpsProtocols as TLSv1.2 (axis2.xml)

.....

.....

</transportReceiver>

4.) Set the offset to 10 (carbon.xml)

5.) Start ESB-client using below command

./wso2server.sh -Djavax.net.debug=ssl:handshake

6.) Start ESB-backend using below command

./wso2server.sh -Djavax.net.debug=ssl:handshake

7.) Create a proxy in ESB-client as below:

<?xml version="1.0" encoding="UTF-8"?>

<send>

</endpoint>

</send>

</inSequence>

<send/>

</outSequence>

</target>

</proxy>

8. Create a proxy in ESB-bankend as below:

<?xml version="1.0" encoding="UTF-8"?>

</log>

</inSequence>

<send/>

</outSequence>

</target>

</proxy>

9.) When execute the below curl command:

curl --tlsv1 -k https://localhost:8243/services/ClientProxy

RESULT

Curl command and ESB-client connection established using TLSv1

ESB-client and ESB-backend connection established using TLSv1.2

According to the below ESB-backend ssh bebug log, we can see ESB-client connect to the ESB-backend using TLSv1.2.

HTTPS-Listener I/O dispatcher-1, READ: TLSv1.2 Handshake, length = 195

*** ClientHello, TLSv1.2

RandomCookie: GMT: 1467829123 bytes = { 68, 8, 161, 145, 218, 30, 233, 225, 106, 137, 108, 83, 158, 131, 104, 240, 27, 99, 237, 111, 233, 116, 100, 172, 83, 108, 244, 86 }

Session ID: {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods: { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA

***

%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]

matching alias: wso2carbon

%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]

*** ServerHello, TLSv1.2

RandomCookie: GMT: 1467829124 bytes = { 164, 82, 11, 94, 103, 6, 151, 171, 195, 215, 116, 60, 165, 185, 159, 158, 54, 183, 26, 229, 234, 237, 205, 27, 124, 178, 201, 224 }

Session ID: {87, 125, 76, 132, 13, 130, 12, 117, 153, 240, 170, 7, 165, 2, 83, 210, 185, 181, 189, 162, 207, 233, 225, 226, 198, 136, 91, 38, 112, 133, 132, 97}

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Compression Method: 0

Extension renegotiation_info, renegotiated_connection: <empty>

***

Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

*** Certificate chain

chain [0] = [

[

Version: V3

Subject: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US

Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits

modulus: 104389905404607483833617268973978551958403030832611050189027318534771307810814728550529205703172059205751609953320445343274848209020670756583725077563646900604607903910023663311613810915653018303306582401606091421622030344795635680773320452613709983992158847209499575537267530495679082469928078242466031287097

public exponent: 65537

Validity: [From: Fri Feb 19 12:32:26 IST 2010,

To: Tue Feb 13 12:32:26 IST 2035]

Issuer: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US

SerialNumber: [ 4b7e3782]

Certificate Extensions: 1

[1]: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [

DigitalSignature

Non_repudiation

Key_Encipherment

Data_Encipherment

]

Algorithm: [SHA1withRSA]

Signature:

0000: 5B 9C 0F 47 B7 2B D4 B0 1D AB E2 2B 47 8E 22 42 [..G.+.....+G."B

0010: 54 46 E4 84 C2 65 76 3D 84 8D 0F CA 02 CF DA B1 TF...ev=........

0020: C0 36 1F 8F 61 F4 E6 C5 BB 8E 9F 29 0D 1B 28 4C .6..a......)..(L

0030: E8 58 C5 2D B5 B6 B9 91 D0 4D 8D 63 32 B3 E9 AE .X.-.....M.c2...

0040: 33 AB 9B 22 B9 B2 32 51 3B 87 75 0D E1 87 4F F6 3.."..2Q;.u...O.

0050: 27 22 3B 3D 26 88 11 2A FE 17 1C 40 B0 2E D2 15 '";=&..*...@....

0060: 74 06 C8 75 61 C4 B5 56 49 C8 C4 A4 B5 CC B2 B0 t..ua..VI.......

0070: 57 2F BA 13 D0 2B C4 1C FC 4F D6 AB CB 87 48 2A W/...+...O....H*

]

***

*** ECDH ServerKeyExchange

Signature Algorithm SHA512withRSA

Server key: Sun EC public key, 256 bits

public x coord: 2273830009287912014105003657821893218445575709793221206294061398109150783747

public y coord: 10380275885731840239838235858591519880276233078915520138821302657228791911824

parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)

*** ServerHelloDone

HTTPS-Listener I/O dispatcher-1, WRITE: TLSv1.2 Handshake, length = 869

HTTPS-Listener I/O dispatcher-1, READ: TLSv1.2 Handshake, length = 70

*** ECDHClientKeyExchange

10.) When you execute the below curl commands:

curl --tlsv1.1 -k https://tharanga:8243/services/ClientProxy

curl --tlsv1.2 -k https://tharanga:8243/services/ClientProxy

Then it won't established the connection with curl and ESB-client, because ESB-client only allow TLSv1 for inbound connection. Please find the below console log.

curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

Tech Thoughts

Wednesday, July 6, 2016

TLS version handles in outbound message (WSO2 ESB 4.9.0)

No comments:

Post a Comment