You can check the security guide at this location.
First you have to enable secure listener. You do it in two files:
etc/org.ops4j.pax.web.cfg, where you need two new properties (according to OSGi CMPN Http Service specification):
org.osgi.service.http.port.secure = 8443
org.osgi.service.http.secure.enabled = true
you of course need a keystore/truststore (could be the same or separate). Copy it for example to etc/server.keystore.
Finally you need changes in etc/undertow.xml.
- Uncomment https-listener:
<https-listener name="https" socket-binding="https"
security-realm="https" verify-client="NOT_REQUESTED" />
- Ensure correct location/credential for the keystore:
<w:keystore path="${karaf.etc}/server.keystore" provider="JKS" alias="server"
keystore-password="secret" key-password="secret"
- Ensure correct location/credential for the truststore (could be the same file):
<w:truststore path="${karaf.etc}/server.truststore" provider="JKS"
keystore-password="secret" />
- Ensure that
secure interface is uncommented:
<interface name="secure">
<w:inet-address value="0.0.0.0" />
</interface>
- Uncomment secure socket binding:
<socket-binding name="https" interface="secure"
port="${org.osgi.service.http.port.secure}" />
Now when you restart Fuse 7.2 you'll have secure listener at port 8443.
However there's one more thing. Undertow TLS engine configuration is (by default):
<w:engine
enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
enabled-protocols="TLSv1 TLSv1.1 TLSv1.2" />
However TLS_ECDHE_* suites are strong for TLS 1.2 and not necessarily supported (in combination) by some clients (browsers). You can already connect to such Fuse instance using for example:
$ openssl s_client -connect 127.0.0.1:8443 -debug -tls1_2 -ciphersuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
CONNECTED(00000003)
...
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1691 bytes and written 386 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
...
You can't now use TLS 1.3:
$ openssl s_client -connect 127.0.0.1:8443 -tls1_3 -debug
CONNECTED(00000003)
write to 0x562ac4785740 [0x562ac479cb90] (215 bytes => 215 (0xD7))
0000 - 16 03 01 00 d2 01 00 00-ce 03 03 12 4c a3 cb de ............L...
0010 - 46 95 45 07 5b 86 05 d0-69 20 3c e2 70 9f 0f 99 F.E.[...i <.p...
...
New, (NONE), Cipher is (NONE)
...
First you have to change enabled protocols in the engine (etc/undertow.xml):
enabled-protocols="TLSv1.3"
but if you add (to etc/system.properties):
javax.net.debug=all
you'll see something like:
javax.net.ssl|FINE|6F|XNIO-4 I/O-8|2021-03-17 07:46:46.011 CET|Logger.java:765|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLS13
javax.net.ssl|FINE|6F|XNIO-4 I/O-8|2021-03-17 07:46:46.011 CET|Logger.java:765|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLS13
So looks like the remaining thing is to find proper cipher suites for TLS 1.3. One of such suites is TLS_AES_256_GCM_SHA384, so if you use:
enabled-cipher-suites="TLS_AES_256_GCM_SHA384"
you'll successfully connect - both using browser and openssl:
$ openssl s_client -connect 127.0.0.1:8443 -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384
CONNECTED(00000003)
...
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1906 bytes and written 640 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
...
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
...
And just one more thing. You have to use JDK 8 that supports TLS 1.3, which is:
- at least Oracle JDK 1.8.0_261
- at least OpenJDK 8u272
