3 Replies Latest reply on Jun 16, 2015 11:56 AM by spittel

    Switching from Wildfly 8 to Wildfly 9, error using jboss CLI to add enabled-cipher-suites

    spittel

      In Wildfly 8, we were able to add multiple entries to the 'enabled-cipher-suites' property of the https-listener element in the standalone-full.xml file.

       

      (e.g.

      <subsystem xmlns="urn:jboss:domain:undertow:2.0">
          <buffer-cache name="default"/>
          <server name="default-server">
              <http-listener name="default" socket-binding="http"/>
              <https-listener socket-binding="https" security-realm="ApplicationRealm" enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"/>

      )

      Changing the property manually (with comma separators) in the standalone-full.xml file creates no problem; both those ciphers would be enabled. So it's not a problem with what Wildfly is expecting.

       

      It's when it's entered via jboss-cli during our install process. If we try and put in these values via jboss-cli using the exact same syntax that worked in Wildfly 8, we get this error:

       

      WFLYCTL0097: Wrong type for enabled-cipher-suites. Expected [EXPRESSION, STRING] but was LIST

       

      I've tried all manner of escaping, even using colons, but jboss-cli seems to keep mucking it up or rejecting it. Trying to separate the cipher suites by a space results in all the spaces being ignored and one massive string.

       

      This is what was used in Wildfly 8, which produced a perfectly valid standalone-full.xml:

       

      /subsystem=undertow/server=default-server/https-listener=default-https:add(enabled-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384\,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\,TLS_RSA_WITH_3DES_EDE_CBC_SHA,security-realm=ApplicationRealm,socket-binding=https)

       

       

      What is the syntax now, in Wildfly 9?