13 Replies Latest reply on Feb 19, 2020 1:47 AM by dcook-1

    How to disable SSLv3

    spackiaraj

      How to disable SSLv3 in WildFly 8.0? The following configuration

      <server-identities>
        <ssl protocol="TLSv1">
          <keystore path="https.keystore" relative-to="keystore.home" keystore-password="secret" alias="https" key-password="secret" />
        </ssl>
      </server-identities>

      falls back to SSLv3 if SSLv3 is requested. Is there any way I can allow only "TLSv1, TLSv1.1, TLSv1.2"?

      This setting is mandatory for us to fix the POODLE vulnerability.

        • 1. Re: How to disable SSLv3
          ctomc

          That is configured on the https-listener in the undertow subsystem.

          Add this to the <https-listener> element: enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"
          • 2. Re: How to disable SSLv3
            zcc39r

            enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"

            Indeed, this configuration disables SSLv3. But TLSv1.1 and TLSv1.2 become disabled too; only TLSv1 is available. WildFly-8.1.0-Final. What's wrong?

            • 3. Re: How to disable SSLv3
              ctomc

              ctomc wrote:

              That is configured on the https-listener in the undertow subsystem.

              Add this to the <https-listener> element: enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"

              That is strange, as TLS 1.1 & 1.2 should be in JDK7. Maybe some problem with the JDK?

              What exact JDK are you using, as this is relevant in this case?

              Also, can you try with WildFly 8.1 or newer? In 8.0 the default security provider for SSL (in most cases at least) was Bouncy Castle, and it might have caused this.

              • 4. Re: How to disable SSLv3
                zcc39r

                Maybe some problem with the JDK?

                What exact JDK are you using, as this is relevant in this case?

                No JDK at all. Just JRE 1.8.0_25. Tried JRE 1.7.0_71 with the same result - TLSv1.1 and TLSv1.2 disabled.

                Also, can you try with WildFly 8.1

                WildFly-8.1.0-Final, as I said in my previous message.

                • 5. Re: How to disable SSLv3
                  ctomc

                  That looks strange; can you try something?

                  Configure it without spaces in between, like this: enabled-protocols="TLSv1,TLSv1.1,TLSv1.2"

                  Looking at the code, it could be a problem.

                  • 6. Re: How to disable SSLv3
                    zcc39r

                    configure it without spaces in between

                    Yes, it was helpful! Now all three TLS versions are available.
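For reference, the two settings discussed so far side by side, as an added illustration rather than a fragment taken from the thread or from the WildFly distribution. The listener name, socket-binding and security-realm values are assumptions; only enabled-protocols and its no-space form come from the thread.

```xml
<!-- Added example, not from the thread or the WildFly distribution.
     Weak setting (original post): protocol="TLSv1" on the realm's ssl
     element. The thread reports this still falls back to SSLv3 when a
     client asks for it, so it does not mitigate POODLE on its own. -->
<security-realm name="ApplicationRealm">   <!-- realm name: assumption -->
  <server-identities>
    <ssl protocol="TLSv1">
      <keystore path="https.keystore" relative-to="keystore.home"
                keystore-password="secret" alias="https" key-password="secret"/>
    </ssl>
  </server-identities>
</security-realm>

<!-- Corrected setting (WildFly 8.1+, Undertow 1.1+): restrict protocols on
     the https-listener in the undertow subsystem. Per replies 5 and 6, the
     list must have no spaces after the commas on the affected versions,
     otherwise only TLSv1 ends up enabled. -->
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
  <server name="default-server">
    <https-listener name="default-https"          <!-- name: assumption -->
                    socket-binding="https"        <!-- binding: assumption -->
                    security-realm="ApplicationRealm"
                    enabled-protocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </server>
</subsystem>
```

After deploying, confirm the change from outside the JVM rather than trusting the config file: a TLS scanner or client that offers only SSLv3 should get a handshake failure, and one offering TLSv1.2 should succeed.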

                    • 7. Re: How to disable SSLv3
                      ctomc

                      I will send fix for this shortly.

                      • 8. Re: How to disable SSLv3
                        ctomc
                        • 9. Re: How to disable SSLv3
                          surfrider

                          >> enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"

                          I have a project running on WildFly 8.0 (don't want to move to 8.1).

                          WildFly 8.0 uses Undertow 1.0. The "enabled-protocols" attribute was added in Undertow 1.1 (included in WildFly 8.1).

                          How do I disable SSL in WildFly 8.0?

                          • 10. Re: How to disable SSLv3
                            ctomc

                            Robert de Leeuw wrote:

                            >> enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"

                            I have a project running on WildFly 8.0 (don't want to move to 8.1).

                            WildFly 8.0 uses Undertow 1.0. The "enabled-protocols" attribute was added in Undertow 1.1 (included in WildFly 8.1).

                            How do I disable SSL in WildFly 8.0?

                            By upgrading to 8.1, 8.2 or 9 ...

                            • 11. Re: How to disable SSLv3
                              jasonholmberg

                              Will this also handle the recent DROWN vulnerability?

                              • 12. Re: How to disable SSLv3
                                mchoma

                                AFAIK, SSLv2 is not supported by Java 8 (which is mandatory for WildFly). So DROWN doesn't impact WildFly directly. You can explicitly enable only TLS protocols to be sure.

                                But you are still vulnerable to DROWN if WildFly shares a private key with another server that enables SSLv2.

                                • 13. Re: How to disable SSLv3
                                  dcook-1

                                  Sorry to respond to an old forum post.

                                  I was curious whether there is an option for "disabled-protocols" as an alternative to "enabled-protocols". I was recently debating (with myself) about whitelists vs blacklists in terms of maintainability and future proofing. I suppose a blacklist could get unwieldy over time, but a whitelist could prevent newer protocols from being used as they come out.

                                  Based on the following, I'm guessing there is no "disabled-protocols". I'm not a frequent WildFly user or developer, so I'm unlikely to send in a pull request, but perhaps there is somewhere else for feature requests?

                                  wildfly-core/wildfly-config_4_0.xsd at master · wildfly/wildfly-core · GitHub
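Two points in this thread are worth seeing in code: why "TLSv1, TLSv1.1, TLSv1.2" with spaces collapsed to TLSv1 only (replies 5 and 6), and how an allowlist (enabled-protocols) and a denylist (the disabled-protocols idea in reply 13) behave differently when the JVM later gains a protocol. This is an added example, not code from the thread, from WildFly or from Undertow; the set of protocol names the engine supports is a constructed sample, and the "drop unknown names" behaviour is a model of the symptom the thread reports, not a reproduction of Undertow's real code path.

```python
# Added example (not WildFly/Undertow code). Models how a comma-separated
# protocol list becomes the set handed to the TLS engine, and why stray
# spaces silently shrink that set.

# Constructed sample of names a Java 7/8 SSLEngine typically reports as
# supported; not queried from a real JVM.
SUPPORTED = frozenset({"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})


def naive_parse(value):
    """Split on commas only, keeping surrounding whitespace (the buggy reading)."""
    return [p for p in value.split(",") if p]


def strict_parse(value):
    """Split on commas and strip whitespace around each name (the fix)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def effective_protocols(requested, supported=SUPPORTED):
    """Model: names the engine does not recognise are dropped, so " TLSv1.1"
    (leading space) never matches and only exact names survive."""
    return [p for p in requested if p in supported]


def unknown_protocols(requested, supported=SUPPORTED):
    """Names that would be dropped; useful as a pre-deploy config lint."""
    return [p for p in requested if p not in supported]


def lint_enabled_protocols(value, supported=SUPPORTED):
    """Return human-readable warnings for an enabled-protocols value."""
    warnings = []
    if any(p != p.strip() for p in naive_parse(value)):
        warnings.append("whitespace around protocol names; older Undertow "
                        "releases will not match them")
    for bad in ("SSLv2Hello", "SSLv3"):
        if bad in strict_parse(value):
            warnings.append(f"{bad} is explicitly enabled")
    for unknown in unknown_protocols(strict_parse(value), supported):
        warnings.append(f"unknown protocol name {unknown!r}")
    return warnings


def from_denylist(disabled, supported=SUPPORTED):
    """The hypothetical disabled-protocols alternative from reply 13: enable
    everything the engine supports except the listed names. New protocol
    versions the JVM adds later are therefore picked up automatically."""
    blocked = set(strict_parse(disabled))
    return sorted(p for p in supported if p not in blocked)
```

Run the lint over the exact value from reply 2 and it reports the whitespace problem before the listener ever starts; run both approaches against a supported set that also contains TLSv1.3 (added in later JDKs) and only the denylist form enables it, which is the trade-off reply 13 describes.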