Wildfly SSL Protocol Configuration (TLSv1.2)

Question

I would like to know the correct way to configure SSL protocol on wildfly.

Looking at the examples, I found two different ways to do this. I want to know which one is the right way -

Adding it to the protocol section as shown below:

<security-realm name="sslRealm"> <server-identities> <ssl protocol="TLSv1.2">

Or add it to your https listener as shown below:

 <https-listener name="https" socket-binding="https" security- realm="sslRealm" enabled-protocols="TLSv1.2"/>

I am using wildfly.8.2.0.Final.

+6

Deb Nov 13 '15 at 1:23

1 answer

Camilo silva · Answer 1 · 2017-09-05T00:36:09+0000

The configuration options shown here also apply to Wildfly 9 and 10.

The correct way is to use both of them. They are closely related to each other, see below how.

<https-listener ..>
The Wildfly Undertow subclass subsystem supports the enabled-protocols attribute, which is a list of protocols supported by commas. For instance:
enabled-protocols="TLSv1.1,TLSv1.2"
Only with TLSv1.2 many vulnerabilities are connected. However, by default, Wildfly supports all versions of TLS (v1.0, v1.1, and v1.2), although versions below 1.2 are considered weak.
<server-identities />
Here, basically, you can choose one of the previously included protocols.
```
 <security-realm name="sslRealm"> <server-identities> <ssl protocol="TLSv1.2"> 
```
The protocol attribute is set to TLS by default and does not need to be set at all.

Please note that without any changes to the default configuration, you get an https server that supports TLSv1.0, TLSv1.1 and TLSv1.2.

To verify the effects of these configurations, use the following:

 nmap --script ssl-enum-ciphers -p 8443 <your wildfly IP>