Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Wildfly SSL protocol (TLSv1.2) configuration

I would like to know the correct way of configuring the SSL protocol on wildfly.

On looking at examples, I found two different ways of doing so. I want to know which one is the proper way of doing it -

Adding it in the protocol section as below:

<security-realm name="sslRealm">
            <server-identities>
                 <ssl protocol="TLSv1.2">

Or adding it in the https listener as below :

<https-listener name="https" socket-binding="https" security-
realm="sslRealm" enabled-protocols="TLSv1.2"/>

I'm using wildfly-8.2.0.Final.

like image 583
Deb Avatar asked Nov 13 '15 01:11

Deb


People also ask

How do I enable TLS 1.2 on VM?

Enable the TLS 1.2 protocol. To do this, in TLS 1.2, under the Client key, create the DWORD value DisabledByDefault, and set the value to 0. Now create a DWORD value Enabled, and set the value to 1. Create the same DWORD values under the Server key.


1 Answers

Configuration options shown here apply also to Wildfly 9 and 10

The correct way is using both of them. They are intimately related, see below how.

  • <https-listener ..>

    The Wildfly Undertow subsystem support enabled-protocols attribute, which is a comma separated list of protocols to be supported. For example:

    enabled-protocols="TLSv1.1,TLSv1.2"

    With just TLSv1.2, many vulnerabilities are plugged. However, by default, Wildfly support all versions of TLS (v1.0, v1.1 and v1.2) even though versions below 1.2 are considered weak.

  • <server-identities />

    Here, basically, you can choose one of the previously enabled protocols.

    <security-realm name="sslRealm">
        <server-identities>
            <ssl protocol="TLSv1.2">
    

    The protocol attribute by default is set to TLS and in general does not need to be set.

Note that without any change in the default configuration, you get a https server that supports TLSv1.0, TLSv1.1 and TLSv1.2.

For checking the effects of those configurations, use this:

nmap --script ssl-enum-ciphers -p 8443 <your wildfly IP>
like image 137
Camilo Silva Avatar answered Oct 26 '22 04:10

Camilo Silva