Wildfly SSL protocol (TLSv1.2) configuration
I would like to know the correct way of configuring the SSL protocol on wildfly.

On looking at examples, I found two different ways of doing so. I want to know which one is the proper way of doing it:

Adding it in the protocol section as below:

<security-realm name="sslRealm">
    <server-identities>
        <ssl protocol="TLSv1.2">

Or adding it in the https listener as below:

<https-listener name="https" socket-binding="https" security-realm="sslRealm" enabled-protocols="TLSv1.2"/>

I'm using wildfly-8.2.0.Final.

Sudatorium answered 13/11, 2015 at 1:23
Hi Deb! Welcome to StackOverflow! Here, we usually don't include things like "Thanks" at the end of our questions, because they are just assumed. :) It cleans up the questions a little, making them quicker to read. Because of this community rule, I just edited your question quickly. Good luck with your question! :) - Flaunch
Did you find any applicable approach to solve your problem? - J

Configuration options shown here also apply to Wildfly 9 and 10.

The correct way is to use both of them. They are intimately related; see below for how.

  • <https-listener ..>

    The Wildfly Undertow subsystem supports the enabled-protocols attribute, which is a comma-separated list of the protocols to be supported. For example:

    enabled-protocols="TLSv1.1,TLSv1.2"

    With just TLSv1.2, many vulnerabilities are plugged. However, by default, Wildfly supports all versions of TLS (v1.0, v1.1 and v1.2), even though versions below 1.2 are considered weak.

  • <server-identities />

    Here, basically, you can choose one of the previously enabled protocols.

    <security-realm name="sslRealm">
        <server-identities>
            <ssl protocol="TLSv1.2">

    The protocol attribute by default is set to TLS and in general does not need to be set.

Note that without any change in the default configuration, you get a https server that supports TLSv1.0, TLSv1.1 and TLSv1.2.

To check the effects of those configurations, use this:

nmap --script ssl-enum-ciphers -p 8443 <your wildfly IP>
Antihero answered 5/9, 2017 at 0:36
That nmap script ssl-enum-ciphers is very nice to know about. - Conducive
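As an added example that is not part of the original answer: a small Python parser for the output of the nmap command above, which reports every protocol version the server still accepts below TLSv1.2, so the effect of enabled-protocols can be checked automatically after a restart. The sample scan output is constructed, not a real scan, and the function names are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not a real scan) of `nmap --script ssl-enum-ciphers -p 8443 <host>`
# output for a WildFly instance that still accepts TLSv1.0 alongside TLSv1.2.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):\s*$")          # "|   TLSv1.0:"
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)\s+\(.*?\)\s+-\s+([A-F])\s*$")  # cipher line with grade
PROTO_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_enum_ciphers(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each protocol version nmap reports to its (cipher, grade) pairs."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:  # a new "TLSv1.x:" section starts; later cipher lines belong to it
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2)))
    return result


def weak_protocols(parsed: Dict[str, list], minimum: str = "TLSv1.2") -> List[str]:
    """Protocol versions the server accepted that are older than `minimum`."""
    floor = PROTO_ORDER.index(minimum)
    return [p for p in parsed if PROTO_ORDER.index(p) < floor]
```

Once enabled-protocols="TLSv1.2" is in place and WildFly has been restarted, `weak_protocols(parse_enum_ciphers(real_output))` should return an empty list.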

© 2022 - 2024 — McMap. All rights reserved.