[WFCORE-180] / [WFCORE-182] Allow the supported protocols and cipher suites to be set. #251
Looks good to me iff someone reviews the model stuff and the pull player comes back from its holiday and approves.
Before merging I have a follow-up change to add for the default values.
…abled-protocols and enabled-cipher-suites for the SSL definition within the security realm.
…of the schema and update the parser to support enabled-protocols and enabled-cipher-suites.
…ify parsing and marshalling.
… the protocol and cipher suite values are set whenever it is used.
…1.2 for the enabled protocols if no others are specified.
Added a minor correction and also set default values for the protocols. These default values are not backwards compatible, but in reality this means that the preferred protocols are automatically used by default, which is the desired behaviour; users that really want SSLv3 can still go back and enable it themselves. Subject to testing and review this is ready to merge.
    .build();

public static final StringListAttributeDefinition ENABLED_PROTOCOLS = new StringListAttributeDefinition.Builder(ModelDescriptionConstants.ENABLED_PROTOCOLS)
    .setDefaultValue(new ModelNode().add(TLSV1).add(TLSV1_1).add(TLSV1_2))
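Review bot: the default for ENABLED_PROTOCOLS is a hard-coded allow list (TLSV1, TLSV1_1, TLSV1_2), so any protocol version the JVM adds later will be silently excluded until a user overrides the attribute; please state that in the attribute's description so operators know the default is a fixed list rather than "everything the JVM supports", and consider computing the default at runtime as the SSLContext's supported protocols minus the known-bad ones (SSLv3 is the case discussed above), which would keep the secure-by-default behaviour without needing a code change for each new protocol.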
The only issue with this is that when TLS 1.3 comes out and the JVM starts to support it, WildFly will not be able to use it out of the box.
I can't help thinking that a blacklist of insecure protocols is more future-proof than a whitelist of known good ones.
All of this is to be moved into Elytron anyway where I do want to fully support a notion of enabled and disabled for both protocols and cipher suites.
This change allows the configuration of the cipher suites and protocols for the supplied SSLContext.
The supplied SSLContext is used both for the domain management HTTP server and for Remoting connections (both inbound and outbound).
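The two models discussed in this PR, the allow-list default of TLSv1, TLSv1.1 and TLSv1.2 that the change sets, and the deny-list alternative raised in review, shown side by side on a plain JSSE SSLEngine. This is an added example, not WildFly code: the class and method names are assumptions, and SSLv2Hello is included in the deny list only as an assumed second legacy entry alongside the SSLv3 mentioned above. The point a practitioner wants to see is the intersection step: SSLEngine.setEnabledProtocols and setEnabledCipherSuites throw IllegalArgumentException on any name the provider does not support, so a configured value that is valid on one JVM can break startup on another unless it is filtered first.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example (not WildFly code): applying configured enabled-protocols /
 * enabled-cipher-suites values to an SSLEngine created from an SSLContext,
 * compared with the deny-list alternative suggested in review.
 */
public final class SslPolicyExample {

    /**
     * Keep only the configured values this JSSE provider supports, preserving
     * the configured order. Unsupported names are warned about and skipped
     * instead of letting setEnabledProtocols/setEnabledCipherSuites throw.
     */
    static String[] supportedSubset(List<String> configured, String[] supported, String kind) {
        Set<String> supportedSet = new LinkedHashSet<>(Arrays.asList(supported));
        List<String> kept = new ArrayList<>();
        for (String value : configured) {
            if (supportedSet.contains(value)) {
                kept.add(value);
            } else {
                System.err.println("WARN: " + kind + " '" + value + "' is not supported by this JVM, ignoring");
            }
        }
        if (kept.isEmpty()) {
            // Fail closed: silently falling back to provider defaults would re-enable what the operator excluded.
            throw new IllegalStateException("None of the configured " + kind + "s are supported: " + configured);
        }
        return kept.toArray(new String[0]);
    }

    /** Allow-list model (what the PR implements): enable exactly what is configured. */
    static void applyAllowList(SSLEngine engine, List<String> enabledProtocols, List<String> enabledCipherSuites) {
        engine.setEnabledProtocols(supportedSubset(enabledProtocols, engine.getSupportedProtocols(), "protocol"));
        if (!enabledCipherSuites.isEmpty()) {
            engine.setEnabledCipherSuites(
                    supportedSubset(enabledCipherSuites, engine.getSupportedCipherSuites(), "cipher suite"));
        }
    }

    /** Deny-list model (the review alternative): everything the provider supports minus a disabled set. */
    static void applyDenyList(SSLEngine engine, Set<String> disabledProtocols) {
        List<String> enabled = new ArrayList<>();
        for (String protocol : engine.getSupportedProtocols()) {
            if (!disabledProtocols.contains(protocol)) {
                enabled.add(protocol);
            }
        }
        engine.setEnabledProtocols(enabled.toArray(new String[0]));
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Allow list with the PR's default (TLSv1, TLSv1.1, TLSv1.2) and no cipher-suite restriction.
        SSLEngine allowEngine = ctx.createSSLEngine();
        allowEngine.setUseClientMode(false);
        applyAllowList(allowEngine, Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2"), Collections.emptyList());
        System.out.println("allow-list enabled: " + Arrays.toString(allowEngine.getEnabledProtocols()));

        // Deny list: SSLv3 from the discussion plus SSLv2Hello (assumed here as a second legacy entry).
        // Any newer protocol the provider supports stays enabled without a configuration change.
        SSLEngine denyEngine = ctx.createSSLEngine();
        denyEngine.setUseClientMode(false);
        applyDenyList(denyEngine, new LinkedHashSet<>(Arrays.asList("SSLv3", "SSLv2Hello")));
        System.out.println("deny-list enabled:  " + Arrays.toString(denyEngine.getEnabledProtocols()));
        System.out.println("provider supports:  " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
    }
}
```

One caveat when reading the output: getSupportedProtocols() reports what the provider implements, not what the JVM's security properties permit, so on recent JDKs TLSv1 and TLSv1.1 may still be listed (and accepted by setEnabledProtocols) while jdk.tls.disabledAlgorithms prevents them from ever being negotiated. Whichever model is chosen, the effective set is the intersection of the configured list, the provider's supported list and the security-property filter, and only a handshake test shows the last of those.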