0

I would like to prioritize cipher suites so I can implement perfect forward secrecy. I am not sure if this is feasible in GlassFish or Payara. We are currently running Payara Server 4.1.1.154.

Blegger

1 Answer

2

You can do that by selecting which cipher suites should be used. You have to specify the suites in the order of priority.

The Admin Console doesn't provide UI to order the selected cipher suites but you can work around it by selecting cipher suites one by one - additional suites are added at the end of the list and the order is preserved. If you want to use all available suites, you still need to select all of them one by one.

For HTTPS listeners, you would configure it with Admin Console in the SSL tab of HTTP Service -> Http Listeners -> http-listener-2 (or another listener):

[Image: Admin Service SSL cipher suites]

Alternatively, you can specify the cipher suites using the asadmin tool:

asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-tls-ciphers=+SSL_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA

Again, the order of suites is preserved.

In case you need to set the order of ciphers for communication with the cluster of servers, you should configure the Admin Service instead.

OndroMih
  • Thanks for the answer! Is there a way to enforce server preferred order of the cipher suites, similar to the SSLHonorCipherOrder option in Tomcat? Unfortunately when I scan my site with SSL labs I get an A- because it states that the server has no preference of cipher suites, thus not enabling perfect forward secrecy. However if you scan Google theirs does show a server preference and they have a grade of A. – Blegger Oct 22 '17 at 22:36
  • I didn't realize you need to specify the order of ciphers for the HTTP listener and I previously guided to do it for Admin Service. I updated my answer for HTTP listeners. – OndroMih Oct 24 '17 at 22:34
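
An added example, not part of the original answer or of Payara itself: a shell helper that reorders a list of suite names so that suites with ephemeral key exchange (ECDHE, then DHE) come first, and formats the result as the +A,+B value for the asadmin set command shown in the answer. The sample suite list, the variable names and the function names are constructed for illustration; which suites are actually available depends on the JDK running the server.

```shell
#!/bin/sh
# Added example: build the ssl3-tls-ciphers value with forward-secret suites first.
# It only prints the asadmin command; it does not run it.

# Attribute name taken from the answer (listener http-listener-2).
LISTENER_ATTR='configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.ssl3-tls-ciphers'

# Constructed sample input: JSSE suite names, one per line, in arbitrary order,
# including one duplicate.
SAMPLE_SUITES='TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

# order_suites: read suite names on stdin and print ECDHE suites first, then DHE,
# then the rest. Input order is kept inside each group; blanks and duplicates are dropped.
order_suites() {
    awk '
        (NF == 0) || (seen[$1]++) { next }
        $1 ~ /_ECDHE_/ { ecdhe[++e] = $1; next }
        $1 ~ /_DHE_/   { dhe[++d] = $1; next }
                       { rest[++r] = $1 }
        END {
            for (i = 1; i <= e; i++) print ecdhe[i]
            for (i = 1; i <= d; i++) print dhe[i]
            for (i = 1; i <= r; i++) print rest[i]
        }'
}

# cipher_value: turn the ordered names into the "+A,+B,..." form used in the answer.
cipher_value() {
    order_suites | awk '{ printf "%s+%s", (NR > 1 ? "," : ""), $1 } END { if (NR) print "" }'
}

# asadmin_command: print the complete command line for review before running it.
asadmin_command() {
    printf 'asadmin set %s=%s\n' "$LISTENER_ATTR" "$(cipher_value)"
}

printf '%s\n' "$SAMPLE_SUITES" | asadmin_command
```

After applying the printed command, rescanning the listener shows which suite the server actually negotiates with a given client.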