Tuesday, 10 April 2012

Jboss 7, HTTPS and EC browser support

While messing around with Jboss AS 7.1 at work I've made some discoveries.

1. JDK7's keytool supports the EC key algorithm:
./jdk1.7.0_03/bin/keytool -v -genkey -alias https -keyalg EC -keystore /opt/jboss/https.keystore -keysize 409 -validity 730 -dname "CN=*.example.com, OU=TW, O=Home, L=OL, ST=WiM, C=PL" -storepass s0m3p15s -keypass S0m3p15s

The maximum is -keysize 571.

2. Firefox (14.0a1) also supports EC keys, but only partially: only keys generated with -keysize 256 or -keysize 384 work.

3. Opera (12 alpha) doesn't support EC keys at all :(.
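Before loading a keytool- or openssl-generated key into JBoss it is worth checking which key type and curve the certificate actually carries, since the browser limits above are per curve. The script below is an added example, not code from the post: it parses a DER SubjectPublicKeyInfo (the base64 body that `openssl x509 -pubkey -noout -in cert.pem` prints) with the standard library only, and reports the algorithm, the curve or modulus size, the matching keytool -keysize and whether Firefox 14.0a1 accepted it according to the post. The sample SPKI bytes are constructed; the EC point inside them is a dummy.

```python
ALGORITHMS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA", "1.2.840.10045.2.1": "EC"}
# named-curve OID -> (curve, keytool -keysize value that selects that field size)
CURVES = {"1.2.840.10045.3.1.7": ("secp256r1", 256), "1.3.132.0.34": ("secp384r1", 384),
          "1.3.132.0.35": ("secp521r1", 521), "1.3.132.0.36": ("sect409k1", 409),
          "1.3.132.0.37": ("sect409r1", 409), "1.3.132.0.38": ("sect571k1", 571),
          "1.3.132.0.39": ("sect571r1", 571)}
FIREFOX_14_EC_SIZES = {256, 384}      # the post's observation for Firefox 14.0a1

def der_tlv(buf, pos=0):
    """Read one DER element at pos: (tag, content bytes, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_spki(spki_der):
    """Return (algorithm, curve name or modulus bits, keytool -keysize, firefox_14_ok)."""
    _, spki, _ = der_tlv(spki_der)                # SEQUENCE {AlgorithmIdentifier, BIT STRING}
    _, alg_id, after_alg = der_tlv(spki)
    _, alg_oid, after_oid = der_tlv(alg_id)
    algorithm = ALGORITHMS.get(decode_oid(alg_oid), "unknown")
    if algorithm == "EC":                         # parameters are a namedCurve OID
        _, curve_oid, _ = der_tlv(alg_id, after_oid)
        curve, size = CURVES.get(decode_oid(curve_oid), ("unknown curve", None))
        return algorithm, curve, size, size in FIREFOX_14_EC_SIZES
    if algorithm == "RSA":                        # BIT STRING wraps SEQUENCE {n, e}
        _, bit_string, _ = der_tlv(spki, after_alg)
        _, modulus, _ = der_tlv(der_tlv(bit_string[1:])[1])   # skip unused-bits octet, then n
        size = int.from_bytes(modulus, "big").bit_length()
        return algorithm, size, size, None        # the post's EC browser limits do not apply
    return algorithm, None, None, None

# Constructed sample: SPKI for a secp256r1 key; the 64-byte public point is a dummy
# (0x11 repeated), enough for structure parsing but not a valid curve point.
SAMPLE_EC_SPKI = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200" + "04" + "11" * 64)

if __name__ == "__main__":
    print(inspect_spki(SAMPLE_EC_SPKI))           # ('EC', 'secp256r1', 256, True)
```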


To use keys generated with keytool:
keytool -v -genkey -alias https -keyalg DSA -keystore /opt/httpdsa.keystore -keysize 1024  -validity 730 -dname "CN=my.domain.com, OU=Lap, O=Home, L=City, ST=State, C=UK" -storepass s0m3Pa5s -keypass s0m3Pa5s

The web subsystem must be set to native="false":

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
     <ssl name="ssl" key-alias="https" password="s0m3Pa5s" certificate-key-file="/opt/httpdsa.keystore" protocol="TLSv1" verify-client="false"/>
  </connector>
</subsystem>



To use keys generated with openssl, the web subsystem must be set to native="true":

<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="true">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl certificate-key-file="/opt/https-rsa4key.pem" protocol="TLSv1" verify-client="false" certificate-file="/opt/https-rsacert.pem" keystore-type="PKCS12" truststore-type="PKCS12"/>
  </connector>
</subsystem>


Generating a password-protected RSA key:

openssl genrsa -des3 -out https-rsa4key.pem 4096
openssl req -new -key https-rsa4key.pem  -out https.csr
openssl x509 -req -days 720 -in https.csr -signkey https-rsa4key.pem -out https-rsacert.pem

To test whether a browser can handle the key type/size, type the password (set when running `openssl genrsa...`) when asked:
openssl s_server -www -accept 443 -cert https-rsacert.pem -key https-rsa4key.pem

To use in the Jboss AS7 standalone.xml (don't forget password="S0m3Pa5s"):
<ssl password="S0m3Pa5s" certificate-key-file="/opt/https-rsa4key.pem" protocol="TLSv1" verify-client="false" certificate-file="/opt/https-rsacert.pem" keystore-type="PKCS12" truststore-type="PKCS12"/>


I've managed to get Jboss AS7.1 to start with openssl DSA keys:

openssl dsaparam -out dsaparam 1024
openssl gendsa -out https-dsa.pem dsaparam
openssl req -new -key https-dsa.pem -out https.csr
openssl x509 -req -days 720 -in https.csr -signkey https-dsa.pem -out https-dsacert.pem

To test whether a browser can handle the key type/size:
openssl s_server -www -accept 443 -cert https-dsacert.pem -key https-dsa.pem

and in standalone.xml:
<ssl certificate-key-file="/opt/https-dsa.pem" protocol="TLSv1" verify-client="false" certificate-file="/opt/https-dsacert.pem" keystore-type="PKCS12" truststore-type="PKCS12"/>
