
I want to explicitly enable certain cipher suites on my WildFly application server. Therefore I tried to edit the configuration in WildFly's standalone.xml.

Let's assume I want to enable the AES128-GCM-SHA256 cipher (cipher suite names taken from the OpenSSL documentation).

I've edited the standalone.xml file of my WildFly server like this:

<https-listener name="listener" socket-binding="https" security-realm="ssl-realm" enabled-cipher-suites="AES128-GCM-SHA256"/>

WildFly boots up normally, but when I open the page in my browser an error message appears. Chrome says:

ERR_SSL_PROTOCOL_ERROR

Firefox says:

ssl_error_internal_error_alert

I've tried this with WildFly 8.1 and 8.2.

Is there anybody out there who can give me advice on how to correctly enable certain cipher suites?

Regards Tom

Tom

2 Answers


You have to add an attribute called "enabled-cipher-suites" to the "https-listener" found at "subsystem undertow" -> "server". An example of this configuration can be found here.

Unfortunately, this example is wrong when it comes to the value of this attribute. You must not use expressions such as "ALL:!MD5:!DHA" but instead list explicit cipher suites.

You have to call them by their SSL or TLS cipher suite names, not their OpenSSL names. So instead of "AES128-GCM-SHA256" you have to write "TLS_RSA_WITH_AES_128_GCM_SHA256".

To make the confusion complete, you have to use "," instead of ":" as the delimiter if you want to name more than one suite.

Regards Ben

Ben
  • Hi Ben! Thanks for your hint. As you noticed, I've tried to configure the ciphers with the OpenSSL names. Your suggestion to take the other names worked perfectly for me. – Tom Feb 10 '15 at 14:18
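The following Java program is an added example, not code from the question or from WildFly, that checks an enabled-cipher-suites value the way Ben's answer describes before it goes into standalone.xml: it warns about the OpenSSL ":" delimiter and reports which names the running JVM actually recognises as JSSE suite names. The sample value is constructed and mixes the JSSE name with the OpenSSL name from the question; run it with the same JVM WildFly uses, since an unknown name leaves the listener with nothing to negotiate.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CipherSuiteCheck {

    /** Returns the names from an enabled-cipher-suites value that this JVM can negotiate. */
    static List<String> usableSuites(String configured, Set<String> supportedByJvm) {
        List<String> usable = new ArrayList<>();
        if (configured.contains(":")) {
            // OpenSSL-style delimiter: WildFly expects ',' and would treat the whole string as one name
            System.out.println("WARNING: ':' delimiter found; use ',' between suite names");
        }
        for (String raw : configured.split(",")) {
            String name = raw.trim();
            if (supportedByJvm.contains(name)) {
                usable.add(name);
            } else if (name.matches("[A-Z0-9]+(-[A-Z0-9]+)+")) {
                // Dash-separated tokens are the OpenSSL naming style, not JSSE names
                System.out.println("Looks like an OpenSSL name, not a JSSE name: " + name);
            } else {
                System.out.println("Not supported by this JVM: " + name);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value: one correct JSSE name plus the OpenSSL name from the question
        String configured = "TLS_RSA_WITH_AES_128_GCM_SHA256,AES128-GCM-SHA256";
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        List<String> usable = usableSuites(configured, supported);
        if (usable.isEmpty()) {
            System.out.println("No usable suite: every TLS handshake on this listener will fail");
        } else {
            // Paste this attribute value into the https-listener element
            System.out.println("enabled-cipher-suites=\"" + String.join(",", usable) + "\"");
        }
    }
}
```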

I can confirm Ben's answer. The documentation for how to configure this is sparse. I would suggest the following ciphers to support: TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. In addition, the 'ALL' tag does not work, and the best method is to list the ones that you wish to include and not the ones that you wish to exclude, as the '!' marking does not appear to be supported.

Drew
  • The OpenSSL syntax is supported in JBoss EAP; for WildFly this would require some changes in XNIO. I wrote a fix for it in https://issues.jboss.org/browse/XNIO-229 but this change never made it. I know that this should come with WildFly 9 – ehsavoie Feb 11 '15 at 08:33
  • If I use your ciphers, with Firefox I get "An error occurred during a connection to 172.19.100.141:8443. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)" – Chris Aug 27 '15 at 15:13