4 Replies Latest reply on Mar 11, 2015 5:23 PM by ctomc

Is it possible to control server-side SSL cipher order choosing in Undertow?

mexplosion-paytronix Mar 10, 2015 12:42 PM

Hello,

In Wildfly/Undertow, for HTTPS listeners, is there any way to make the server choose which SSL cipher to use based on the order in which the ciphers are specified in the configuration? Something equivalent to the Apache SSLHonorCipherOrder setting or the Nginx ssl_prefer_server_ciphers setting, essentially.

The reason why this is, unfortunately, necessary is that our website processes credit cards and needs to be PCI compliant, which means we have to prefer RC4 ciphers over other (ostensibly more secure) ciphers due to the client-side BEAST vulnerability. Currently we have worked around this by disallowing all CBC ciphers, but aside from the fact that this is a horrible solution, I've recently come to understand that Firefox is planning to discontinue support for RC4 some time in the future. (latest FF developer edition, 38.something, has already discontinued RC4 cipher support.)

Thanks much!

-Matt

1. Re: Is it possible to control server-side SSL cipher order choosing in Undertow?

ctomc Mar 10, 2015 5:19 PM (in response to mexplosion-paytronix)

hey,

yes you can control this.
in undertow subsystem, attribute enabled-cipher-suites controls this.
for example:
<https-listener .... enabled-cipher-suites="TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" .../>

keep in mind that, openssl extensions like ALL or ! filtering doesn't work yet, but we plan to add support for that, see [XNIO-229] Add support for ALL expression to define the list of ciphers ands protocols more easily. - JBoss Issue Tracke… for more on that
Actions
2. Re: Is it possible to control server-side SSL cipher order choosing in Undertow?

mexplosion-paytronix Mar 10, 2015 7:02 PM (in response to ctomc)

And this setting will actually control the order in which the cipher suites are picked by the server, in addition to which cipher suites are enabled? Okay, we'll give it a try. Thanks!
Actions
3. Re: Is it possible to control server-side SSL cipher order choosing in Undertow?

mexplosion-paytronix Mar 11, 2015 5:06 PM (in response to ctomc)

This does not work. This setting controls the enabled ciphers, but it does not control the server cipher preference at all. We tested it. Additionally, this issue appears to indicate that what I want to do is not possible: [WFLY-4351] Support for server cipher suite preference - JBoss Issue Tracker

This is unfortunate.
Actions
4. Re: Is it possible to control server-side SSL cipher order choosing in Undertow?

ctomc Mar 11, 2015 5:23 PM (in response to mexplosion-paytronix)

Issue you linked will be implemented in WildFly 10, as that is when we will move to JDK8 as minimum requirement.
There is also a big set of other SSL/TLS related improvements we will bring to WF10 as result of moving to JDK8.
Actions

Go to original post