Reputation: 16151
Due to the Logjam attack I had to revisit my available cipher suites. I use WildFly 8.2 and Java 7 u67. I use sslscan to test available cipher suites. Initially I had this available:
Then I installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 and got two more available:
Then I had to remove the RC4's and DHE (due to Logjam) and I'm left with two:
I think that two are a bit low. Then I saw on a Mozilla website and on the OpenSSL website that there are a lot of cipher suites available.
How can I get more cipher suites available in my environment (WildFly 8.2 + Java7) and how many cipher suites at least should my server provide?
Upvotes: 0
Views: 2990
Reputation: 1019
Markus Eisele did a good write-up of configuring SSL with WFLY here: http://blog.eisele.net/2015/01/ssl-with-wildfly-8-and-undertow.html
The additional cipher-suites can be configured on the http-listener as such:
    <https-listener name="https" socket-binding="https" security-realm="SSLRealm"
                    enabled-protocols="TLSv1.2"
                    enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,..."/>
The recommended list of cipher suites can be taken from here: https://weakdh.org/sysadmin.html
The default names of the ciphers and the syntax in Java/WFLY are different; there is an issue in the WFLY JIRA relating to this, but AFAICT it is still unresolved: https://issues.jboss.org/browse/WFLY-3330
The default list for Java 8 is here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
Upvotes: 2
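An added example, not part of the question or the answer above: a small Java 7-compatible program that asks the JVM which cipher suites it supports, using the JSSE names that `enabled-cipher-suites` expects, and drops the RC4 and DHE suites mentioned in the question. The class name and the extra entries in the reject list (anonymous, NULL, export, single DES, Kerberos) are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class ListCipherSuites {

    // Substrings of JSSE suite names to exclude. RC4 and DHE are the removals
    // described in the question; the remaining entries are an assumed baseline.
    static final String[] REJECT = {
        "_RC4_", "_DHE_", "_anon_", "_NULL_", "_EXPORT_", "_DES_", "_KRB5_"
    };

    static boolean acceptable(String suite) {
        // Renegotiation signalling value, not a real cipher suite.
        if (suite.equals("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
            return false;
        }
        for (String marker : REJECT) {
            if (suite.contains(marker)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Everything this JVM can negotiate, versus what it turns on by default.
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        List<String> enabled = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());

        List<String> keep = new ArrayList<String>();
        for (String suite : supported) {
            if (acceptable(suite)) {
                keep.add(suite);
            }
        }

        System.out.println("JVM supports " + supported.length + " suites, "
                + enabled.size() + " enabled by default");
        StringBuilder value = new StringBuilder();
        for (String suite : keep) {
            System.out.println((enabled.contains(suite) ? "  [default] " : "  [opt-in]  ") + suite);
            value.append(value.length() == 0 ? "" : ",").append(suite);
        }
        // Comma-separated list in the form used by the listener attribute.
        System.out.println("enabled-cipher-suites=\"" + value + "\"");
    }
}
```

Run it with the same JVM and policy files that WildFly uses, since the supported list differs between Java versions and changes when the JCE unlimited-strength files are installed.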