WildFly Elytron

WildFly Elytron

Upcoming SSL features: Multiple certificate revocation lists support and SSLv2Hello support

Two of the new features regarding SSL that we have been working on include adding support for configuring multiple certificate revocation lists and SSLv2Hello support. These features did not make it into WildFly 23 but we have plans for them to be included in WildFly 24.

An Overview of Certificate Revocation Lists

Certificate Revocation Lists (CRLs) contain a list of certificates that have been revoked by the issuing Certificate Authority before their expected expiration date, and therefore should no longer be trusted. Elytron currently supports configuring only one Certificate Revocation List.

From WildFly 24, it will be possible to configure multiple CRL files, which is useful when several certificate authorities are used.

Certificate Revocation List Configuration

Support for multiple CRLs will be available for both the server and client. Currently, in the Elytron Subsystem, we can configure a single CRL in the trust-manager element using the certificate-revocation-list attribute. From WildFly 24, we will be able to configure a list of certificate revocation lists using the new certificate-revocation-lists attribute.

An Overview of the SSLv2Hello Protocol

Older JDK versions use SSLv2Hello during the initial handshake message where the SSL version that will be used for the rest of the handshake is negotiated.

The use of this protocol is discouraged. As a result, newer JDK versions disable this protocol by default for clients, but do provide the ability to re-enable it if needed.

By adding SSLv2Hello as a supported protocol in WildFly, we are ensuring older clients are still able to communicate to servers guaranteeing parity with legacy security.

SSLv2Hello Configuration

SSLv2Hello will be enabled by configuring it in the protocols attribute in the SSL context definition in the Elytron subsystem: the server-ssl-context and client-ssl-context for the server and client respectively. The attribute protocols contains the list of protocols supported by WildFly. From WildFly 24, this attribute will also allow SSLv2Hello to be specified.

Summary

This blog post has given an overview of the upcoming support for multiple certificate revocation lists and SSLv2Hello.

For more details on these features, keep an eye on WFCORE-5170 and WFCORE-5145 respectively.