Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-2653

HTTPS undertow listener select cipher-suites

XMLWordPrintable

      At the moment I don't see any way to restrict allowed cipher suites for the https listener.

      [standalone@localhost:9990 /] /core-service=management/security-realm=HttpsRealm:read-resource(recursive=true, include-defaults=true)
      {
          "outcome" => "success",
          "result" => {
              "map-groups-to-roles" => true,
              "authentication" => undefined,
              "authorization" => undefined,
              "plug-in" => undefined,
              "server-identity" => {"ssl" => {
                  "alias" => undefined,
                  "key-password" => undefined,
                  "keystore-password" => "changeit",
                  "keystore-path" => "localhost.keystore",
                  "keystore-relative-to" => "jboss.server.config.dir",
                  "protocol" => "TLS"
              }}
          }
      }
      [standalone@localhost:9990 /] /subsystem=undertow/server=default-server:read-resource(recursive=true, include-defaults=true)
      {
          "outcome" => "success",
          "result" => {
      <...>
              "https-listener" => {"https" => {
                  "allow-encoded-slash" => false,
                  "always-set-keep-alive" => true,
                  "buffer-pipelined-data" => true,
                  "buffer-pool" => "default",
                  "decode-url" => true,
                  "enabled" => true,
                  "max-cookies" => 200,
                  "max-header-size" => 51200,
                  "max-headers" => 200,
                  "max-parameters" => 1000,
                  "max-post-size" => 10485760L,
                  "security-realm" => "ApplicationRealm",
                  "socket-binding" => "https",
                  "url-charset" => "UTF-8",
                  "verify-client" => "NOT_REQUESTED",
                  "worker" => "default"
              }}
          }
      }
      

      I have tested that default cipher suites used are pretty sane except RC4-SHA and RC4-MD5. Below is full list. But I think it is important for users to be able to support more or less ciphers depending on their environment and requirements. We also need good secure default settings IMO excluding the above mentioned two ciphers. See current recommendations here [1][2]

      $ sslscan --no-failed localhost:8443
                         _
                 ___ ___| |___  ___ __ _ _ __
                / __/ __| / __|/ __/ _` | '_ \
                \__ \__ \ \__ \ (_| (_| | | | |
                |___/___/_|___/\___\__,_|_| |_|
      
                        Version 1.8.2
                   http://www.titania.co.uk
              Copyright Ian Ventura-Whiting 2009
      
      Testing SSL server localhost on port 8443
      
        Supported Server Cipher(s):
          Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
          Accepted  SSLv3  256 bits  AES256-SHA
          Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
          Accepted  SSLv3  168 bits  DES-CBC3-SHA
          Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
          Accepted  SSLv3  128 bits  AES128-SHA
          Accepted  SSLv3  128 bits  RC4-SHA
          Accepted  SSLv3  128 bits  RC4-MD5
          Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
          Accepted  TLSv1  256 bits  AES256-SHA
          Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
          Accepted  TLSv1  168 bits  DES-CBC3-SHA
          Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
          Accepted  TLSv1  128 bits  AES128-SHA
          Accepted  TLSv1  128 bits  RC4-SHA
          Accepted  TLSv1  128 bits  RC4-MD5
      

      [1] http://docs.fedoraproject.org/en-US/Fedora_Security_Team//html-single/Defensive_Coding/index.html#chap-Defensive_Coding-Tasks-Cryptography
      [2] http://docs.fedoraproject.org/en-US/Fedora_Security_Team//html-single/Defensive_Coding/index.html#sect-Defensive_Coding-TLS-Client-OpenJDK

            tomazcerar Tomaž Cerar (Inactive)
            akostadi1@redhat.com Aleksandar Kostadinov
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: