-
1. Re: How to disable SSLv3
ctomc Dec 16, 2014 3:34 PM (in response to spackiaraj)
That is configured on the https-listener in the undertow subsystem.
Add this to the <https-listener> element: enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"
-
2. Re: How to disable SSLv3
zcc39r Dec 17, 2014 2:35 AM (in response to ctomc)
> enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"
Indeed, this configuration disables SSLv3. But TLSv1.1 and TLSv1.2 become disabled too. Only TLSv1 is available. WildFly-8.1.0-Final. What's wrong?
-
3. Re: How to disable SSLv3
ctomc Dec 17, 2014 8:56 AM (in response to ctomc)
ctomc wrote:
> that is configured on https-listener in undertow subsystem
> add this to <https-listener> element enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"
That is strange, as TLS 1.1 & 1.2 should be in JDK7. Maybe some problem with the JDK?
What exact JDK are you using? This is relevant in this case.
Also, can you try with WildFly 8.1 or newer, as in 8.0 the default security provider for SSL (in most cases at least) was Bouncy Castle and it might have caused this.
-
4. Re: How to disable SSLv3
zcc39r Dec 17, 2014 10:52 AM (in response to ctomc)
> Maybe some problem with jdk?
> What exact jdk are you using as this is relevant in this case.
No JDK at all. Just JRE 1.8.0_25. Tried JRE 1.7.0_71 with the same result - TLSv1.1 and TLSv1.2 disabled.
> Also can you try with wildfly 8.1
WildFly-8.1.0-Final, as I said in my previous message.
-
5. Re: How to disable SSLv3
ctomc Dec 17, 2014 10:56 AM (in response to zcc39r)
That looks strange. Can you try something?
Configure it without spaces in between, like this: enabled-protocols="TLSv1,TLSv1.1,TLSv1.2"
Looking at the code, it could be a problem.
-
6. Re: How to disable SSLv3
zcc39r Dec 17, 2014 11:20 AM (in response to ctomc)
> configure it without spaces in between
Yes, it was helpful! Now all three TLS versions are available.
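
An added example, not part of the thread and not WildFly or Undertow code: a Python check that scans a server configuration for the problem reported above (spaces after the commas in enabled-protocols, which left only TLSv1 available on WildFly-8.1.0-Final) and for legacy protocol names in the list. The sample XML, the listener names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config; listener names and bindings are illustrative assumptions.
SAMPLE = """<subsystem>
  <server name="default-server">
    <https-listener name="spaced" socket-binding="https" security-realm="R"
                    enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"/>
    <https-listener name="legacy" socket-binding="https" security-realm="R"
                    enabled-protocols="SSLv3,TLSv1"/>
    <https-listener name="unset" socket-binding="https" security-realm="R"/>
    <https-listener name="ok" socket-binding="https" security-realm="R"
                    enabled-protocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </server>
</subsystem>"""

# Protocol names that should not appear in an allow-list.
LEGACY = {"SSLv2", "SSLv2Hello", "SSLv3"}

def normalized(raw):
    """Trim each entry, drop empty and legacy ones, join with bare commas."""
    names = [t.strip() for t in raw.split(",")]
    return ",".join(n for n in names if n and n not in LEGACY)

def audit(xml_text):
    """Return {listener name: [findings]} for every https-listener element."""
    report = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "https-listener":  # ignore XML namespace
            continue
        raw, issues = el.get("enabled-protocols"), []
        if raw is None:
            issues.append("enabled-protocols not set")
        else:
            tokens = raw.split(",")
            if any(t != t.strip() for t in tokens):
                issues.append("whitespace around a protocol name")
            issues += ["legacy protocol listed: " + t.strip()
                       for t in tokens if t.strip() in LEGACY]
        report[el.get("name")] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, issues or "ok")
```

A config audit like this only reads the file; confirming what the listener actually negotiates still needs a handshake test against the running server.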
-
7. Re: How to disable SSLv3
ctomc Dec 17, 2014 11:37 AM (in response to zcc39r)
I will send a fix for this shortly.
-
9. Re: How to disable SSLv3
surfrider Jan 19, 2015 4:49 AM (in response to ctomc)
>> enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"
I have a project running on WildFly 8.0 (don't want to move to 8.1).
WildFly 8.0 uses undertow 1.0. The "enabled-protocols" attribute is added in undertow 1.1 (included in WildFly 8.1).
How do I disable SSL in WildFly 8.0?
-
10. Re: How to disable SSLv3
ctomc Jan 19, 2015 7:52 AM (in response to surfrider)
Robert de Leeuw wrote:
> >> enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"
> I have a project running on WildFly 8.0 (don't want to move to 8.1).
> WildFly 8.0 uses undertow 1.0. The "enabled-protocols" attribute is added in undertow 1.1 (included in WildFly 8.1).
> How do I disable SSL in WildFly 8.0?
By upgrading to 8.1, 8.2 or 9 ...
-
11. Re: How to disable SSLv3
jasonholmberg Mar 9, 2016 3:38 PM (in response to spackiaraj)
Will this also handle the recent DROWN vulnerability?
-
12. Re: How to disable SSLv3
mchoma Mar 10, 2016 4:41 AM (in response to jasonholmberg)
AFAIK, SSLv2 is not supported by Java 8 (which is mandatory for WildFly). So DROWN doesn't impact WildFly directly. You can explicitly enable only TLS protocols to be sure.
But you are still vulnerable to DROWN if WildFly shares a private key with another server which enables SSLv2.
-
13. Re: How to disable SSLv3
dcook-1 Feb 19, 2020 1:47 AM (in response to ctomc)
Sorry to respond to an old forum post.
I was curious if there were an option for "disabled-protocols" as an alternative to "enabled-protocols". I was recently debating (with myself) about whitelists vs blacklists in terms of maintainability and future proofing. I suppose a blacklist could get unwieldy over time, but a whitelist could prevent newer protocols being used as they come out.
Based on the following, I'm guessing there is no "disabled-protocols". I'm not a frequent WildFly user or developer, so I'm unlikely to send in a pull request, but perhaps there is somewhere else for feature requests?
wildfly-core/wildfly-config_4_0.xsd at master · wildfly/wildfly-core · GitHub