3 Replies Latest reply on Sep 22, 2016 11:26 AM by Martin Choma

    Wildfly 10: enable cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    Alexander Ehnes Newbie

      Hallo together,

       

      i have a problem to enable TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite in Wildfly 10.

       

      The folowing setting i have tried until now:

       

      first of all i configured TLSv1.2 as Transport layer security.

      This configuration works fine.

      In the next step i checked supported cipher suites.

      For my test scenario i need only the support of the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite. 

      So i disabled all other cipher suites and enabled only this one. I have done this by applying the following https-listener configuration:

      • <https-listener name="https" enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" enabled-protocols="TLSv1.2" security-realm="ApplicationRealm" socket-binding="https"/>

       

      After the configuration, no cipher suites are supported (i have tested it using sslscan).

      applying the -Djavax.net.debug=ssl parameter i get the message:

      • Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

       

      I have expected the called cipher suite is enabled after the configuration.

       

      so my questions are

      * Is the cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 supported by wildfly.

      * How can i enable this (when it ist supported and when it is not supported)

       

      Can anybody help me?

       

      Thanks and Kind regards

        • 1. Re: Wildfly 10: enable cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          Martin Choma Expert

          Wildfly rely on java in this case. So you have to check that:

          - your version of java supports it

          - in case you are using Oracle java, you use "Unlimited Strength Jurisdiction Policy" as default java is limited to AES 128

          - you use proper keystore. 

           

          For example, I would say most often used RSA private keys, can't be used for TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

          • 2. Re: Wildfly 10: enable cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            Alexander Ehnes Newbie

            Hallo,

             

            thank you for your answer. I have checked you suggestions with the folowing results:

             

            - my java version is: jdk1.8.0_73 (Oracle)

             

            - I have installed the Extention Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 8.

             

            - I use a proper keystore file (Java Kestore File in .jkf-Format). Using RSA-Cryptographie the SSL works fine (I have test ist before).

             

             

            In my case i have a special embedded device with low hardware resources. This device supports only Eliptic Curve Cryptograpie. and Only this two cipher suits:

             

            TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

             

            I have checked the installed cipher suits in java using this instruction: List ciphers used by JVM - Atlassian Documentation

            (All suites marked with the character * are available). The suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is available, this one would be sufficient in my scenario.

             

            Here the list of available suits in JVM:

             

             

                SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
            *   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
                SSL_DHE_DSS_WITH_DES_CBC_SHA
                SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
            *   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
                SSL_DHE_RSA_WITH_DES_CBC_SHA
                SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
                SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
                SSL_DH_anon_WITH_DES_CBC_SHA
                SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
            *   SSL_RSA_WITH_3DES_EDE_CBC_SHA
                SSL_RSA_WITH_DES_CBC_SHA
                SSL_RSA_WITH_NULL_MD5
                SSL_RSA_WITH_NULL_SHA
            *   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            *   TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
            *   TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
            *   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
            *   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
            *   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
                TLS_DH_anon_WITH_AES_128_CBC_SHA
                TLS_DH_anon_WITH_AES_128_CBC_SHA256
                TLS_DH_anon_WITH_AES_128_GCM_SHA256
            *   TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
            *   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
            *   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
            *   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                TLS_ECDHE_ECDSA_WITH_NULL_SHA
            *   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
            *   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
            *   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
            *   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                TLS_ECDHE_RSA_WITH_NULL_SHA
            *   TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
            *   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
            *   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
            *   TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
                TLS_ECDH_ECDSA_WITH_NULL_SHA
            *   TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
            *   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
            *   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
            *   TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
                TLS_ECDH_RSA_WITH_NULL_SHA
                TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
                TLS_ECDH_anon_WITH_AES_128_CBC_SHA
                TLS_ECDH_anon_WITH_NULL_SHA
            *   TLS_EMPTY_RENEGOTIATION_INFO_SCSV
                TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
                TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
                TLS_KRB5_WITH_3DES_EDE_CBC_MD5
                TLS_KRB5_WITH_3DES_EDE_CBC_SHA
                TLS_KRB5_WITH_DES_CBC_MD5
                TLS_KRB5_WITH_DES_CBC_SHA
            *   TLS_RSA_WITH_AES_128_CBC_SHA
            *   TLS_RSA_WITH_AES_128_CBC_SHA256
            *   TLS_RSA_WITH_AES_128_GCM_SHA256
                TLS_RSA_WITH_NULL_SHA256

             

             

             

            In Wildfly the called suite is still not available.

             

            Do you habe any idea why?

            • 3. Re: Wildfly 10: enable cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
              Martin Choma Expert

              1. "Using RSA-Cryptographie the SSL works fine (I have test ist before)"

              Does that mean you already managed to run with https for TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 with your current RSA private key? 

              2. "Ignoring unavailable cipher suite:" is in fact java message

              Which else are ignored? Could you probably attach  log with  -Djavax.net.debug=all turn on?

              3. Could you post configuration of ApplicationRealm?

              4. You can also use  /subsystem=logging/logger=org.wildfly.security:add(level=ALL) to add some more logging on cipher suite selection.