WildFly / WFLY-2653

HTTPS undertow listener select cipher-suites

      Description

      At the moment I don't see any way to restrict allowed cipher suites for the https listener.

      [standalone@localhost:9990 /] /core-service=management/security-realm=HttpsRealm:read-resource(recursive=true, include-defaults=true)
      {
          "outcome" => "success",
          "result" => {
              "map-groups-to-roles" => true,
              "authentication" => undefined,
              "authorization" => undefined,
              "plug-in" => undefined,
              "server-identity" => {"ssl" => {
                  "alias" => undefined,
                  "key-password" => undefined,
                  "keystore-password" => "changeit",
                  "keystore-path" => "localhost.keystore",
                  "keystore-relative-to" => "jboss.server.config.dir",
                  "protocol" => "TLS"
              }}
          }
      }
      [standalone@localhost:9990 /] /subsystem=undertow/server=default-server:read-resource(recursive=true, include-defaults=true)
      {
          "outcome" => "success",
          "result" => {
      <...>
              "https-listener" => {"https" => {
                  "allow-encoded-slash" => false,
                  "always-set-keep-alive" => true,
                  "buffer-pipelined-data" => true,
                  "buffer-pool" => "default",
                  "decode-url" => true,
                  "enabled" => true,
                  "max-cookies" => 200,
                  "max-header-size" => 51200,
                  "max-headers" => 200,
                  "max-parameters" => 1000,
                  "max-post-size" => 10485760L,
                  "security-realm" => "ApplicationRealm",
                  "socket-binding" => "https",
                  "url-charset" => "UTF-8",
                  "verify-client" => "NOT_REQUESTED",
                  "worker" => "default"
              }}
          }
      }
      

      I have tested that the default cipher suites used are pretty sane except RC4-SHA and RC4-MD5. Below is the full list. But I think it is important for users to be able to support more or fewer ciphers depending on their environment and requirements. We also need good secure default settings, IMO excluding the above-mentioned two ciphers. See current recommendations here [1][2].

      $ sslscan --no-failed localhost:8443
                         _
                 ___ ___| |___  ___ __ _ _ __
                / __/ __| / __|/ __/ _` | '_ \
                \__ \__ \ \__ \ (_| (_| | | | |
                |___/___/_|___/\___\__,_|_| |_|
      
                        Version 1.8.2
                   http://www.titania.co.uk
              Copyright Ian Ventura-Whiting 2009
      
      Testing SSL server localhost on port 8443
      
        Supported Server Cipher(s):
          Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
          Accepted  SSLv3  256 bits  AES256-SHA
          Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
          Accepted  SSLv3  168 bits  DES-CBC3-SHA
          Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
          Accepted  SSLv3  128 bits  AES128-SHA
          Accepted  SSLv3  128 bits  RC4-SHA
          Accepted  SSLv3  128 bits  RC4-MD5
          Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
          Accepted  TLSv1  256 bits  AES256-SHA
          Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
          Accepted  TLSv1  168 bits  DES-CBC3-SHA
          Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
          Accepted  TLSv1  128 bits  AES128-SHA
          Accepted  TLSv1  128 bits  RC4-SHA
          Accepted  TLSv1  128 bits  RC4-MD5
      

      [1] http://docs.fedoraproject.org/en-US/Fedora_Security_Team//html-single/Defensive_Coding/index.html#chap-Defensive_Coding-Tasks-Cryptography
      [2] http://docs.fedoraproject.org/en-US/Fedora_Security_Team//html-single/Defensive_Coding/index.html#sect-Defensive_Coding-TLS-Client-OpenJDK
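An added example, not part of the issue or of WildFly itself: a small Python check that parses sslscan output in the format quoted above and reports which accepted suites fall outside a hardening policy, then derives the allow list that survives. The abbreviated sample scan and the set of weak-algorithm tokens are assumptions constructed for this example.

```python
import re

# Constructed sample in the format of the sslscan 1.8.2 output quoted in the issue,
# abbreviated to a few representative "Accepted" lines (not the full scan).
SAMPLE_SCAN = """\
Testing SSL server localhost on port 8443
  Supported Server Cipher(s):
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
"""

# One "Accepted  <protocol>  <bits> bits  <cipher>" line of sslscan output.
LINE_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

# Assumed policy: a suite is weak if any "-"-separated token of its name is listed here.
# RC4 is what the reporter calls out; DES (3DES), MD5, NULL and export suites are commonly excluded too.
WEAK_TOKENS = frozenset({"RC4", "DES", "MD5", "NULL", "EXP"})

def parse_sslscan(text):
    """Return [(protocol, bits, cipher), ...] for every accepted suite in the scan."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def find_violations(suites, min_bits=128):
    """Return [(protocol, cipher, reason), ...] for every suite the policy rejects."""
    violations = []
    for proto, bits, cipher in suites:
        reasons = []
        if proto == "SSLv3":
            reasons.append("SSLv3 offered")
        if bits < min_bits:
            reasons.append("%d-bit key below %d" % (bits, min_bits))
        weak = sorted(set(cipher.split("-")) & WEAK_TOKENS)
        if weak:
            reasons.append("weak algorithm: " + ",".join(weak))
        if reasons:
            violations.append((proto, cipher, "; ".join(reasons)))
    return violations

def allow_list(suites):
    """Cipher names from the scan that pass the algorithm and key-size checks on any
    protocol: a candidate enabled-suite list once the listener can be restricted."""
    bad = {c for _, c, _ in find_violations([("TLSv1", b, c) for _, b, c in suites])}
    return sorted({c for _, _, c in suites} - bad)
```

Running `find_violations(parse_sslscan(SAMPLE_SCAN))` flags the three SSLv3 entries and the TLSv1 RC4-SHA suite, and `allow_list` returns only the two AES suites.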

              People

              • Assignee:
                ctomc Tomaž Cerar
              • Reporter:
                akostadinov Aleksandar Kostadinov