java ssl jboss wildfly handshake

WildFly/JBoss (WildFly Core 17.0.3.Final) handshake failure with a GM protocol named GMTLSv1


I am facing a problem: I want to configure SSL with the GMTLS protocol. I have successfully configured SSL with TLSV1.2.

Wireshark shows the following:

TLSV1.2

GMTLSV1

So that WildFly/JBoss can establish a GMTLS SSL connection, I have done the following:

  1. Add some properties in standalone.xml
<tls>
    <key-stores>
        <key-store name="customKS">
            <credential-reference clear-text="password"/>
            <implementation type="PKCS12"/>
            <file path="sm2.localhost.both.pfx" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="customKM" key-store="customKS" provider-name="GMJCE" algorithm="SunX509">
            <credential-reference clear-text="passowrd"/>
        </key-manager>
    </key-managers>
    <server-ssl-contexts>
        <server-ssl-context name="customSSC" key-manager="customKM" provider-name="GMJSSE" protocols="GMSSLv1.1" />
    </server-ssl-contexts>
</tls>

...

<https-listener name="https" socket-binding="https" ssl-context="customSSC" enable-http2="true"/>

  2. Let the WildFly source code support the GMSSLV1.1 protocol

In class SSLDefinitions, add the string "GMSSLv1.1" to ALLOWED_PROTOCOLS (line 231):

private static final String[] ALLOWED_PROTOCOLS = { "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" , "GMSSLv1.1" };

In the enum class Protocol, add a constant (line 15):

  SSLv2("SSLV2"),
  SSLv3("SSLV3"),
  TLSv1("TLSV1"),
  TLSv1_1("TLSV1.1"),
  TLSv1_2("TLSV1.2"),
  TLSv1_3("TLSV1.3"),
  GMSSLv1_1("GMSSLV1.1"),
  SSLv2Hello("SSLV2HELLO");

After I finished the above, the server started normally. The HTTP URI can be visited successfully, but the HTTPS URI can't be reached. I used Wireshark to capture packets and it shows a handshake failure. I don't know what has gone wrong!


Solution

  • I have solved this problem.

    The core problem is handshake failure.

    To build an SSL channel, we need a keystore and a GMSSL type of SSLContext. Then we need to perform the handshake, but it fails. The problem is in the cipher suite. In WildFly Core 17.0.3.Final, the default cipher suite is for TLS 1.3, but what I need is GMTLS. So I need to add my own cipher suite.

    1. Add ciphersuite in TLS13MechanismDatabase.properties
    ECC_SM4_CBC_SM3 = ECC_SM4_CBC_SM3,ANY,ANY,AES128CCM8,AEAD,TLSv1.3,false,HIGH,false,128,128,13,05
    
    2. Edit standalone.xml: add cipher-suite-names
    <server-ssl-context name="customSSC" key-manager="customKM" provider-name="GMJSSE" protocols="GMSSLv1.1" cipher-suite-names="ECC_SM4_CBC_SM3"/>
    

    Run the server

    Wireshark output:

    GMSSL handshake success
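
A handshake can only complete with a protocol and cipher suite that the JSSE provider itself offers, so it helps to list them outside WildFly and check the name used in cipher-suite-names against that list. The following is an added example, not part of the original answer or of WildFly's code; the class name SuiteCheck and the default sample suite are assumptions, and the GM provider from the question must already be registered with the JVM for the GMSSLv1.1 / GMJSSE arguments to work.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Added diagnostic example (class name is hypothetical, not WildFly code). */
public class SuiteCheck {

    /** Returns the requested suite names that the provider does not support. */
    static Set<String> unsupported(String[] supported, String[] requested) {
        Set<String> missing = new LinkedHashSet<>(Arrays.asList(requested));
        missing.removeAll(Arrays.asList(supported));
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Defaults run on a stock JDK; for the setup on this page pass:
        //   GMSSLv1.1 GMJSSE ECC_SM4_CBC_SM3
        String protocol = args.length > 0 ? args[0] : "TLSv1.2";
        String providerName = args.length > 1 ? args[1] : null;
        String[] wanted = args.length > 2 ? args[2].split(",")
                : new String[] {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}; // constructed sample

        SSLContext ctx;
        if (providerName == null) {
            ctx = SSLContext.getInstance(protocol);
        } else {
            Provider p = Security.getProvider(providerName);
            if (p == null) {
                throw new IllegalStateException("Provider not registered: " + providerName);
            }
            ctx = SSLContext.getInstance(protocol, p);
        }
        ctx.init(null, null, null); // default key/trust managers: enough to list capabilities

        SSLParameters sup = ctx.getSupportedSSLParameters();
        SSLParameters def = ctx.getDefaultSSLParameters();
        System.out.println("supported protocols: " + Arrays.toString(sup.getProtocols()));
        System.out.println("enabled by default:  " + Arrays.toString(def.getCipherSuites()));
        System.out.println("protocol offered:    "
                + Arrays.asList(sup.getProtocols()).contains(protocol));
        System.out.println("requested suites the provider lacks: "
                + unsupported(sup.getCipherSuites(), wanted));
    }
}
```

An empty last line of output means every requested suite is known to the provider; any name listed there cannot be negotiated no matter what standalone.xml allows.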