yes you can control this.
in undertow subsystem, attribute enabled-cipher-suites controls this.
<https-listener .... enabled-cipher-suites="TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" .../>
keep in mind that, openssl extensions like ALL or ! filtering doesn't work yet, but we plan to add support for that, see [XNIO-229] Add support for ALL expression to define the list of ciphers ands protocols more easily. - JBoss Issue Tracke… for more on that
And this setting will actually control the order in which the cipher suites are picked by the server, in addition to which cipher suites are enabled? Okay, we'll give it a try. Thanks!
This does not work. This setting controls the enabled ciphers, but it does not control the server cipher preference at all. We tested it. Additionally, this issue appears to indicate that what I want to do is not possible: [WFLY-4351] Support for server cipher suite preference - JBoss Issue Tracker
This is unfortunate.
Issue you linked will be implemented in WildFly 10, as that is when we will move to JDK8 as minimum requirement.
There is also a big set of other SSL/TLS related improvements we will bring to WF10 as result of moving to JDK8.