Upcoming SSL features: Multiple certificate revocation lists support and SSLv2Hello support
Two of the new SSL features we have been working on are support for configuring multiple certificate revocation lists and SSLv2Hello support. These features did not make it into WildFly 23, but we plan to include them in WildFly 24.
Certificate Revocation Lists (CRLs) contain a list of certificates that have been revoked by the issuing Certificate Authority before their expected expiration date, and therefore should no longer be trusted. Elytron currently supports configuring only one Certificate Revocation List.
From WildFly 24, it will be possible to configure multiple CRL files, which is useful when several certificate authorities are used.
Support for multiple CRLs will be available for both the server and the client. Currently, in the Elytron subsystem, we can configure only a single CRL in the trust-manager element. From WildFly 24, we will be able to configure a list of certificate revocation lists using a new attribute of the trust-manager.
Older JDK versions use SSLv2Hello for the initial handshake message, in which the SSL version that will be used for the rest of the handshake is negotiated.
The use of this protocol is discouraged. As a result, newer JDK versions disable this protocol by default for clients, but do provide the ability to re-enable it if needed.
By adding SSLv2Hello as a supported protocol in WildFly, we ensure that older clients are still able to communicate with servers, guaranteeing parity with legacy security.
SSLv2Hello will be enabled by configuring it in the protocols attribute of the SSL context definitions in the Elytron subsystem, i.e. the server SSL context and the client-ssl-context for the server and client respectively. The protocols attribute contains the list of protocols supported by WildFly. From WildFly 24, this attribute will also allow SSLv2Hello to be specified.
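The two settings described in this post, as an added example that is not part of the original post or of the WildFly project's own documentation: a POSIX shell script that generates a jboss-cli batch defining a trust-manager with several CRLs (one per issuing CA) and a server SSL context whose protocols list includes SSLv2Hello next to TLSv1.2. The resource names (serverTS, serverKM, serverTM, serverSSC), the CRL file names and the use of $JBOSS_HOME are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not WildFly's own code): emit a jboss-cli batch that
# configures multiple CRLs and SSLv2Hello on a WildFly 24 Elytron subsystem.
# Names serverTS/serverKM/serverTM/serverSSC and the CRL files are assumed.

# Print the CLI batch. Arguments: one CRL file name per argument; each is
# resolved relative to jboss.server.config.dir.
elytron_tls_batch() {
    crls=""
    for f in "$@"; do
        crls="${crls}${crls:+,}{path=${f},relative-to=jboss.server.config.dir}"
    done
    cat <<EOF
batch
# serverTS (assumed to exist) holds the CA certificates of every accepted issuer.
# One CRL per issuing CA; all of them are consulted when a peer certificate is validated.
/subsystem=elytron/trust-manager=serverTM:add(key-store=serverTS,certificate-revocation-lists=[${crls}])
# TLSv1.2 plus SSLv2Hello: the legacy hello format is only used by clients that send it.
# Leaving SSLv2Hello out (the default) is the right choice once no legacy clients remain.
/subsystem=elytron/server-ssl-context=serverSSC:add(key-manager=serverKM,trust-manager=serverTM,protocols=["TLSv1.2","SSLv2Hello"],need-client-auth=true)
run-batch
EOF
}

# Apply the batch to a running server when jboss-cli is available (assumes JBOSS_HOME is set).
if [ -n "${JBOSS_HOME:-}" ] && [ -x "$JBOSS_HOME/bin/jboss-cli.sh" ]; then
    elytron_tls_batch ca1.crl ca2.crl | "$JBOSS_HOME/bin/jboss-cli.sh" --connect
fi
```

Run `elytron_tls_batch ca1.crl ca2.crl` on its own to review the generated commands before piping them into jboss-cli.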