-
1. Re: Is it possible to control server-side SSL cipher order choosing in Undertow?
ctomc Mar 10, 2015 5:19 PM (in response to mexplosion-paytronix)
Hey,
Yes, you can control this.
In the undertow subsystem, the attribute enabled-cipher-suites controls this.
For example:
<https-listener .... enabled-cipher-suites="TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" .../>
Keep in mind that OpenSSL extensions like ALL or ! filtering don't work yet, but we plan to add support for that; see [XNIO-229] Add support for ALL expression to define the list of ciphers ands protocols more easily. - JBoss Issue Tracke… for more on that.
-
2. Re: Is it possible to control server-side SSL cipher order choosing in Undertow?
mexplosion-paytronix Mar 10, 2015 7:02 PM (in response to ctomc)
And this setting will actually control the order in which the cipher suites are picked by the server, in addition to which cipher suites are enabled? Okay, we'll give it a try. Thanks!
-
3. Re: Is it possible to control server-side SSL cipher order choosing in Undertow?
mexplosion-paytronix Mar 11, 2015 5:06 PM (in response to ctomc)
This does not work. This setting controls the enabled ciphers, but it does not control the server cipher preference at all. We tested it. Additionally, this issue appears to indicate that what I want to do is not possible: [WFLY-4351] Support for server cipher suite preference - JBoss Issue Tracker
This is unfortunate.
-
4. Re: Is it possible to control server-side SSL cipher order choosing in Undertow?
ctomc Mar 11, 2015 5:23 PM (in response to mexplosion-paytronix)
The issue you linked will be implemented in WildFly 10, as that is when we will move to JDK8 as the minimum requirement.
There is also a big set of other SSL/TLS related improvements we will bring to WF10 as a result of moving to JDK8.
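Added example, not part of the thread and not WildFly or Undertow code: at the plain JSSE level, JDK 8 added `SSLParameters.setUseCipherSuitesOrder`, which makes a server-side engine pick suites in the order of its own enabled list instead of the client's. That this is the mechanism behind WFLY-4351 is an assumption; the class name, helper name and preference order below are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class ServerCipherPreference {

    // The three suites named in the thread; this ordering (forward-secret
    // suites first) is a constructed preference, not taken from the thread.
    static final String[] PREFERRED = {
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256"
    };

    // Hypothetical helper: builds server parameters whose enabled list is also
    // the negotiation order. Suites this JDK does not support are skipped,
    // because setSSLParameters rejects unknown suite names.
    static SSLParameters withServerOrder(SSLEngine engine, String[] preferred) {
        List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());
        List<String> enabled = new ArrayList<>();
        for (String suite : preferred) {
            if (supported.contains(suite)) {
                enabled.add(suite);
            } else {
                System.err.println("skipped, not supported by this JDK: " + suite);
            }
        }
        if (enabled.isEmpty()) {
            throw new IllegalStateException("none of the requested suites is supported");
        }
        SSLParameters params = engine.getSSLParameters(); // returns a copy
        params.setCipherSuites(enabled.toArray(new String[0])); // what is enabled
        params.setUseCipherSuitesOrder(true); // honour local order (JDK 8+)
        return params;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // configure as the server side
        System.out.println("order enforced before: "
                + engine.getSSLParameters().getUseCipherSuitesOrder());
        engine.setSSLParameters(withServerOrder(engine, PREFERRED));
        SSLParameters applied = engine.getSSLParameters();
        System.out.println("order enforced after:  " + applied.getUseCipherSuitesOrder());
        System.out.println("negotiation order:     " + Arrays.toString(applied.getCipherSuites()));
    }
}
```

Without the `setUseCipherSuitesOrder(true)` call, `setCipherSuites` only restricts which suites may be negotiated, which matches the behaviour reported for `enabled-cipher-suites` in post 3.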