Tags: ssl, wildfly, wildfly-swarm

How to disable TLS 1.0 in Wildfly swarm


Just found out that in Wildfly Swarm 2018.5.0, we can't manage to disable the older TLSv1.0 and TLSv1.1 protocols.

We used to do it like below in 2017.x:

-Dswarm.undertow.servers.default-server.https-listeners.https.enabled-protocols="TLSv1.2"

However, now this gives me a weird message without much explanation.

INFO  [org.wildfly.security] (ServerService Thread Pool -- 4) ELY00001: WildFly Elytron version 1.1.6.Final
ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 8) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "undertow"),
("server" => "default-server"),
("https-listener" => "https")
]) - failure description: "WFLYCTL0155: 'socket-binding' may not be null"
ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) "WFLYCTL0193: Failed executing subsystem undertow boot operations"
ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("parallel-subsystem-boot") failed - address: ([]) - failure description: "\"WFLYCTL0193: Failed executing subsystem undertow boot operations\""
FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.

Any help would be much appreciated!


Solution

  • I'm not sure in which 2017.x version this used to work for you, because this "issue" is caused by this line: https://github.com/thorntail/thorntail/blob/2.5.0.Final/fractions/javaee/undertow/src/main/java/org/wildfly/swarm/undertow/runtime/HTTPSCustomizer.java#L78 And that's been there for quite a while.

    Basically, if you don't configure any HTTPS listener, a default one (called default-https) will be created automatically. But you do configure one (called https), so the default configuration doesn't happen. You need to provide at least the two properties configured in the HTTPSCustomizer as shown above. That is:

    -Dswarm.undertow.servers.default-server.https-listeners.https.security-realm=SSLRealm
    -Dswarm.undertow.servers.default-server.https-listeners.https.socket-binding=https
    -Dswarm.undertow.servers.default-server.https-listeners.https.enabled-protocols="TLSv1.2"
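
A way to confirm the listener really ends up with only TLSv1.2 after the properties above are applied. This is an added example, not code from the question, the answer or the Thorntail project: it uses Python's ssl module to offer each protocol version on its own to a host and port (assumed to be whatever your https socket-binding listens on) and reports which ones the server accepts, marking a probe inconclusive when the client's own OpenSSL refuses to offer an old version.

```python
import socket
import ssl

# Versions to probe: the two the question wants disabled plus the one kept.
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
WEAK_VERSIONS = ("TLSv1", "TLSv1.1")


def _context_for(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # This probes which versions the listener accepts; certificate trust is
    # deliberately not evaluated here (a self-signed SSLRealm cert is common).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3 will not offer TLS 1.0/1.1 at its default security level;
    # lower it so the probe is meaningful, ignore builds that reject the string.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_protocols(host, port, timeout=3.0):
    """Return {name: True (accepted) | False (rejected) | None (inconclusive)}."""
    results = {}
    for name, version in PROBE_VERSIONS.items():
        try:
            ctx = _context_for(version)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except ssl.SSLError as exc:
            # "no protocols available" means our own OpenSSL would not offer
            # this version; that says nothing about the server.
            msg = str(exc).upper()
            results[name] = None if "NO_PROTOCOLS_AVAILABLE" in msg else False
        except (OSError, ValueError):
            results[name] = None  # unreachable, refused, timed out, unsupported
    return results


def weak_protocols_enabled(results):
    """Names of deprecated versions the listener still accepts."""
    return [name for name in WEAK_VERSIONS if results.get(name) is True]
```

Run `weak_protocols_enabled(probe_protocols("localhost", 8443))` against the started server; an empty list means the https listener no longer negotiates TLS 1.0 or 1.1.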