Wildfly SSL protocol (TLSv1.2) configuration

Question

I would like to know the correct way of configuring the SSL protocol on wildfly.

On looking at examples, I found two different ways of doing so. I want to know which one is the proper way of doing it -

Adding it in the protocol section as below:

<security-realm name="sslRealm">
            <server-identities>
                 <ssl protocol="TLSv1.2">

Or adding it in the https listener as below :

<https-listener name="https" socket-binding="https" security-
realm="sslRealm" enabled-protocols="TLSv1.2"/>

I'm using wildfly-8.2.0.Final.

Answer 1

Configuration options shown here apply also to Wildfly 9 and 10

The correct way is using both of them. They are intimately related, see below how.

• <https-listener ..>

  The Wildfly Undertow subsystem support enabled-protocols attribute, which is a comma separated list of protocols to be supported. For example:

  enabled-protocols="TLSv1.1,TLSv1.2"

  With just TLSv1.2, many vulnerabilities are plugged. However, by default, Wildfly support all versions of TLS (v1.0, v1.1 and v1.2) even though versions below 1.2 are considered weak.

• <server-identities />

  Here, basically, you can choose one of the previously enabled protocols.

  <security-realm name="sslRealm">
      <server-identities>
          <ssl protocol="TLSv1.2">
  

  The protocol attribute by default is set to TLS and in general does not need to be set.

Note that without any change in the default configuration, you get a https server that supports TLSv1.0, TLSv1.1 and TLSv1.2.

For checking the effects of those configurations, use this:

nmap --script ssl-enum-ciphers -p 8443 <your wildfly IP>