-
1. Re: Wildfly 10: enable cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
mchoma Sep 22, 2016 8:55 AM (in response to aehn62)
Wildfly relies on Java in this case. So you have to check that:
- your version of Java supports it
- in case you are using Oracle Java, you use the "Unlimited Strength Jurisdiction Policy", as the default Java is limited to AES 128
- you use a proper keystore.
For example, I would say the most often used RSA private keys can't be used for TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
-
2. Re: Wildfly 10: enable cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
aehn62 Sep 22, 2016 9:56 AM (in response to mchoma)
Hello,
thank you for your answer. I have checked your suggestions with the following results:
- my Java version is: jdk1.8.0_73 (Oracle)
- I have installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 8.
- I use a proper keystore file (Java keystore file in .jkf format). Using RSA cryptography, SSL works fine (I have tested it before).
In my case I have a special embedded device with low hardware resources. This device supports only elliptic curve cryptography, and only these two cipher suites:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
I have checked the installed cipher suites in Java using these instructions: List ciphers used by JVM - Atlassian Documentation
(All suites marked with the character * are available). The suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is available; this one would be sufficient in my scenario.
Here is the list of available suites in the JVM:
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA256
TLS_DH_anon_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_NULL_SHA
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_NULL_SHA
* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_NULL_SHA
* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_NULL_SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_NULL_SHA
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_NULL_SHA256
In Wildfly the called suite is still not available.
Do you have any idea why?
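The three checks mchoma lists in reply 1 (JVM support, unlimited JCE policy, key type in the keystore) and the cipher-suite listing in reply 2 can be run as one small diagnostic against the exact JDK that Wildfly starts with. The program below is an added example written for this page; it is not code from either poster and not part of Wildfly. The two REQUIRED suite names are the ones the device accepts, taken from the thread; the keystore path and password are assumed command-line arguments (`server.jks` / `changeit` in the usage comment are placeholders). Note that the listing posted above contains no `AES_256` suite at all, which is the symptom the second check (maximum allowed AES key length) isolates from the third (an RSA key cannot serve any `ECDHE_ECDSA` suite).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * Cipher-suite readiness check for a Wildfly HTTPS listener.
 * Run it with the same JDK Wildfly uses, e.g.:
 *   javac SuiteCheck.java && java SuiteCheck server.jks changeit
 * (keystore path and password are assumed arguments; both are placeholders here)
 */
public class SuiteCheck {

    /** The two suites the embedded device accepts (names taken from the thread). */
    static final List<String> REQUIRED = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");

    public static void main(String[] args) throws Exception {
        // Check 1: does this JVM implement the suites, and are they enabled by default?
        // "supported" is what the provider can do at all; "enabled" is what a server
        // socket offers unless the listener configuration overrides the list.
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        for (String suite : REQUIRED) {
            System.out.printf("%-42s supported=%-5s enabled-by-default=%s%n",
                suite, supported.contains(suite), enabled.contains(suite));
        }

        // Check 2: is the JCE policy unlimited? On Oracle JDK 8 with the limited policy
        // this returns 128 and every AES_256 suite disappears from the supported list,
        // even though the SunJSSE provider implements it.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("AES max key length: " + maxAes + (maxAes >= 256
            ? " (unlimited policy active)"
            : " (LIMITED policy still active: AES_256 suites are unavailable)"));

        // Check 3: does the keystore hold an EC key pair? ECDHE_ECDSA suites can only be
        // negotiated with an EC private key; an RSA key serves *_RSA_* suites only.
        if (args.length >= 2) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, args[1].toCharArray());
            }
            Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!ks.isKeyEntry(alias)) {
                    continue; // trusted-certificate entries cannot be server identities
                }
                Certificate cert = ks.getCertificate(alias);
                String keyAlg = cert.getPublicKey().getAlgorithm(); // "RSA" or "EC"
                String sigAlg = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSigAlgName() : "?";
                System.out.printf("alias %-16s key=%-3s sig=%-18s -> ECDHE_ECDSA suites %s%n",
                    alias, keyAlg, sigAlg,
                    "EC".equals(keyAlg) ? "possible" : "IMPOSSIBLE (need an EC key pair)");
            }
        }
    }
}
```

If check 3 reports an RSA key, a matching EC identity can be created with the JDK's own tool, e.g. `keytool -genkeypair -keyalg EC -keysize 256 -sigalg SHA256withECDSA -alias server -keystore server.jks` (alias and file name are placeholders). Running the program with `-Djavax.net.debug=ssl:handshake` prints the same "Ignoring unavailable cipher suite" lines that Wildfly logs, which makes it easy to compare what the JVM drops against what the listener is configured to enable.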
-
3. Re: Wildfly 10: enable cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
mchoma Sep 22, 2016 11:26 AM (in response to aehn62)
1. "Using RSA cryptography, SSL works fine (I have tested it before)"
Does that mean you already managed to run HTTPS with TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 using your current RSA private key?
2. "Ignoring unavailable cipher suite:" is in fact a Java message.
Which others are ignored? Could you perhaps attach a log with -Djavax.net.debug=all turned on?
3. Could you post the configuration of ApplicationRealm?
4. You can also use /subsystem=logging/logger=org.wildfly.security:add(level=ALL) to add some more logging on cipher suite selection.