How to enable certain cipher-suites in WildFly?

Tom · Feb 10, 2015 · Viewed 10k times

I want to explicitly enable certain cipher-suites on my WildFly application server. Therefore I tried to edit the configuration in WildFly's standalone.xml.

Let's assume I want to enable the AES128-GCM-SHA256 cipher (cipher suite names from: OpenSSL documentation).

I've edited the standalone.xml file of my WildFly server like this:

<https-listener name="listener" socket-binding="https" security-realm="ssl-realm" enabled-cipher-suites="AES128-GCM-SHA256"/>

The WildFly boots up normally but when I open the page in my browser an error message appears. Chrome says:

ERR_SSL_PROTOCOL_ERROR

Firefox says:

ssl_error_internal_error_alert

I've tried this with WildFly 8.1 and 8.2.

Anybody out there who can give me advice on how to correctly enable certain cipher-suites?

Regards Tom

Answer

Ben · Feb 10, 2015

You have to add an attribute called "enabled-cipher-suites" to the "https-listener" found at "subsystem undertow" -> "server". An example for this configuration can be found here.

Unfortunately this example is wrong when it comes to the value of this attribute. You must not name such things as "ALL:!MD5:!DHA" but instead some explicit cipher suites.

You have to call them by their SSL or TLS cipher suite names and not their OpenSSL names. So instead of "AES128-GCM-SHA256" you have to write "TLS_RSA_WITH_AES_128_GCM_SHA256".

To make the confusion complete, you have to use "," instead of ":" as the delimiter if you want to name more than one suite.

Regards Ben
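As an added example (not part of the question or the answer, and not WildFly code), here is a small Python checker that applies the three rules from the answer to an enabled-cipher-suites value: explicit suite names only (no OpenSSL selector strings such as ALL:!MD5), standard TLS/IANA names as JSSE spells them rather than OpenSSL names, and "," rather than ":" as the delimiter. It then renders a corrected https-listener element using the attribute names from the question's standalone.xml. The OpenSSL-to-TLS name table is a hand-picked subset, not a complete mapping; the selector word list and the function names are my own. It also flags TLS_RSA_WITH_* suites, which use static RSA key exchange and therefore give no forward secrecy, so a leaked server key would decrypt recorded traffic; where clients support them, the ECDHE variants are the better choice.

```python
"""Lint a WildFly/Undertow ``enabled-cipher-suites`` value and emit a fixed
``<https-listener>`` element.

Added example; it is not code from the question, the answer, or WildFly.
It encodes the three rules from the answer: only explicit suite names (no
OpenSSL selectors such as ``ALL:!MD5``), standard TLS (IANA/JSSE) names
instead of OpenSSL names, and ``,`` rather than ``:`` as the delimiter.
"""
import re
import xml.etree.ElementTree as ET

# Hand-picked subset of OpenSSL names -> IANA/JSSE names, taken from the
# OpenSSL ciphers(1) table.  Anything not listed here is reported as unknown.
OPENSSL_TO_TLS = {
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES256-GCM-SHA384": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

# Shape of a standard suite name as JSSE spells it (TLS_... or legacy SSL_...).
TLS_NAME = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")

# OpenSSL cipher-string selector words that Undertow does not understand
# (hypothetical list for this checker; extend as needed).
SELECTOR_WORDS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "LOW"}


def lint_cipher_suites(value):
    """Return (suites, problems): the normalised list of TLS suite names and
    one human-readable problem per thing that would break the listener."""
    problems = []
    if ":" in value:
        problems.append("':' is the OpenSSL delimiter; Undertow expects ','")
    suites = []
    for part in (p.strip() for p in re.split(r"[:,]", value)):
        if not part:
            continue
        if part[0] in "!+-@" or part.upper() in SELECTOR_WORDS:
            problems.append(f"{part!r} is an OpenSSL selector, not an explicit suite name")
        elif part in OPENSSL_TO_TLS:
            problems.append(f"{part!r} is an OpenSSL name; use {OPENSSL_TO_TLS[part]!r}")
            suites.append(OPENSSL_TO_TLS[part])
        elif TLS_NAME.match(part):
            suites.append(part)
        else:
            problems.append(f"{part!r} is not a recognised TLS suite name")
    return suites, problems


def lacks_forward_secrecy(suite):
    """True for static-RSA key exchange (TLS_RSA_WITH_... / SSL_RSA_WITH_...):
    a leaked server private key decrypts previously recorded sessions."""
    return suite.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_"))


def https_listener_xml(suites, name="listener", socket_binding="https",
                       security_realm="ssl-realm"):
    """Render the <https-listener> element with a comma-delimited suite list
    (attribute names as in the question's standalone.xml)."""
    element = ET.Element("https-listener", {
        "name": name,
        "socket-binding": socket_binding,
        "security-realm": security_realm,
        "enabled-cipher-suites": ",".join(suites),
    })
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    # Constructed inputs: the question's value, the bad documented example
    # from the answer, and a colon-delimited OpenSSL-named pair.
    for value in ("AES128-GCM-SHA256",
                  "ALL:!MD5:!DHA",
                  "ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"):
        suites, problems = lint_cipher_suites(value)
        print(repr(value))
        for problem in problems:
            print("  problem:", problem)
        for suite in suites:
            if lacks_forward_secrecy(suite):
                print("  note:", suite, "uses static RSA key exchange (no forward secrecy)")
        if suites:
            print("  fixed:", https_listener_xml(suites))
```

Run it directly to see the three cases; the question's value is reported as an OpenSSL name and rewritten to TLS_RSA_WITH_AES_128_GCM_SHA256, the ALL:!MD5:!DHA string yields no usable suite at all (which matches the browser-side protocol error when the listener ends up with nothing it can negotiate), and the colon-delimited pair is rewritten with commas.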