HTTPS undertow listener select cipher-suites -------------------------------------------- Key: WFLY-2653 URL: https://issues.jboss.org/browse/WFLY-2653 Project: WildFly Issue Type: Enhancement Security Level: Public(Everyone can see) Components: Web (Undertow) Affects Versions: 8.0.0.Beta1 Environment: fedora 18 Reporter: Aleksandar Kostadinov Assignee: Tomaz Cerar Labels: https, security, security-hardening, ssl, undertow, wildfly At the moment I don't see any way to restrict allowed cipher suites for the https listener. {CODE} [standalone@localhost:9990 /] /core-service=management/security-realm=HttpsRealm:read-resource(recursive=true, include-defaults=true) { "outcome" => "success", "result" => { "map-groups-to-roles" => true, "authentication" => undefined, "authorization" => undefined, "plug-in" => undefined, "server-identity" => {"ssl" => { "alias" => undefined, "key-password" => undefined, "keystore-password" => "changeit", "keystore-path" => "localhost.keystore", "keystore-relative-to" => "jboss.server.config.dir", "protocol" => "TLS" }} } } [standalone@localhost:9990 /] /subsystem=undertow/server=default-server:read-resource(recursive=true, include-defaults=true) { "outcome" => "success", "result" => { <...> "https-listener" => {"https" => { "allow-encoded-slash" => false, "always-set-keep-alive" => true, "buffer-pipelined-data" => true, "buffer-pool" => "default", "decode-url" => true, "enabled" => true, "max-cookies" => 200, "max-header-size" => 51200, "max-headers" => 200, "max-parameters" => 1000, "max-post-size" => 10485760L, "security-realm" => "ApplicationRealm", "socket-binding" => "https", "url-charset" => "UTF-8", "verify-client" => "NOT_REQUESTED", "worker" => "default" }} } } {CODE} I have tested that default cipher suites used are pretty sane except RC4-SHA and RC4-MD5. Below is full list. But I think it is important for users to be able to support more or less ciphers depending on their environment and requirements. We also need good secure default settings IMO excluding the above mentioned two ciphers. See current recommendations here [1][2] {CODE} $ sslscan --no-failed localhost:8443 _ ___ ___| |___ ___ __ _ _ __ / __/ __| / __|/ __/ _` | '_ \ \__ \__ \ \__ \ (_| (_| | | | | |___/___/_|___/\___\__,_|_| |_| Version 1.8.2 http://www.titania.co.uk Copyright Ian Ventura-Whiting 2009 Testing SSL server localhost on port 8443 Supported Server Cipher(s): Accepted SSLv3 256 bits DHE-RSA-AES256-SHA Accepted SSLv3 256 bits AES256-SHA Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA Accepted SSLv3 168 bits DES-CBC3-SHA Accepted SSLv3 128 bits DHE-RSA-AES128-SHA Accepted SSLv3 128 bits AES128-SHA Accepted SSLv3 128 bits RC4-SHA Accepted SSLv3 128 bits RC4-MD5 Accepted TLSv1 256 bits DHE-RSA-AES256-SHA Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA Accepted TLSv1 168 bits DES-CBC3-SHA Accepted TLSv1 128 bits DHE-RSA-AES128-SHA Accepted TLSv1 128 bits AES128-SHA Accepted TLSv1 128 bits RC4-SHA Accepted TLSv1 128 bits RC4-MD5 {CODE}