如何在 Wildfly swarm 中禁用 TLS 1.0
How to disable TLS 1.0 in Wildfly swarm
刚发现在 Wildfly Swarm 2018.5.0 中,我们无法禁用旧的 TLSv1.0 和 TLSv1.1 协议。
我们以前在 2017.x;
中是这样做的
-Dswarm.undertow.servers.default-server.https-listeners.https.enabled-protocols="TLSv1.2"
然而,现在,这给了我一个奇怪的信息,没有太多解释。
INFO [org.wildfly.security] (ServerService Thread Pool -- 4) ELY00001: WildFly Elytron version 1.1.6.Final
ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 8) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "undertow"),
("server" => "default-server"),
("https-listener" => "https")
]) - failure description: "WFLYCTL0155: 'socket-binding' may not be null"
ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) "WFLYCTL0193: Failed executing subsystem undertow boot operations"
ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("parallel-subsystem-boot") failed - address: ([]) - failure description: "\"WFLYCTL0193: Failed executing subsystem undertow boot operations\""
FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
如有任何帮助,我们将不胜感激!
我不确定这在哪个 2017.x 版本中适用于您,因为这个 "issue" 是由这一行引起的:https://github.com/thorntail/thorntail/blob/2.5.0.Final/fractions/javaee/undertow/src/main/java/org/wildfly/swarm/undertow/runtime/HTTPSCustomizer.java#L78 并且已经存在了很长时间而
基本上,如果您不配置任何 HTTPS 侦听器,系统会自动创建默认侦听器(称为 default-https)。但是您确实配置了一个(称为 https),因此不会发生默认配置。您至少需要提供如上所示 HTTPSCustomizer 中配置的两个属性。即:
-Dswarm.undertow.servers.default-server.https-listeners.https.security-realm=SSLRealm
-Dswarm.undertow.servers.default-server.https-listeners.https.socket-binding=https
-Dswarm.undertow.servers.default-server.https-listeners.https.enabled-protocols="TLSv1.2"
刚发现在 Wildfly Swarm 2018.5.0 中,我们无法禁用旧的 TLSv1.0 和 TLSv1.1 协议。
我们以前在 2017.x;
中是这样做的-Dswarm.undertow.servers.default-server.https-listeners.https.enabled-protocols="TLSv1.2"
然而,现在,这给了我一个奇怪的信息,没有太多解释。
INFO [org.wildfly.security] (ServerService Thread Pool -- 4) ELY00001: WildFly Elytron version 1.1.6.Final
ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 8) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "undertow"),
("server" => "default-server"),
("https-listener" => "https")
]) - failure description: "WFLYCTL0155: 'socket-binding' may not be null"
ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) "WFLYCTL0193: Failed executing subsystem undertow boot operations"
ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("parallel-subsystem-boot") failed - address: ([]) - failure description: "\"WFLYCTL0193: Failed executing subsystem undertow boot operations\""
FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
如有任何帮助,我们将不胜感激!
我不确定这在哪个 2017.x 版本中适用于您,因为这个 "issue" 是由这一行引起的:https://github.com/thorntail/thorntail/blob/2.5.0.Final/fractions/javaee/undertow/src/main/java/org/wildfly/swarm/undertow/runtime/HTTPSCustomizer.java#L78 并且已经存在了很长时间而
基本上,如果您不配置任何 HTTPS 侦听器,系统会自动创建默认侦听器(称为 default-https)。但是您确实配置了一个(称为 https),因此不会发生默认配置。您至少需要提供如上所示 HTTPSCustomizer 中配置的两个属性。即:
-Dswarm.undertow.servers.default-server.https-listeners.https.security-realm=SSLRealm
-Dswarm.undertow.servers.default-server.https-listeners.https.socket-binding=https
-Dswarm.undertow.servers.default-server.https-listeners.https.enabled-protocols="TLSv1.2"