
I have a requirement to disable the weak TLS ciphers below (128 bits):

Cipher suite (id)                                 Key exchange                          FS   Rating  Bits
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)    ECDH secp256r1 (eq. 3072 bits RSA)    FS   WEAK    128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)       ECDH secp256r1 (eq. 3072 bits RSA)    FS   WEAK    128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)            -                                     -    WEAK    128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)            -                                     -    WEAK    128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)               -                                     -    WEAK    128

My application is running on a JBoss WildFly 10 server in an Amazon EC2 instance fronted by an Application Load Balancer. I have tried making the change below in standalone.xml, but it did not help.

Even though I don't have any 128-bit ciphers mentioned in standalone.xml, SSL Labs was showing me the 128-bit weak ciphers listed above. I suspect the cipher values are being taken from the security policy set at the Application Load Balancer level. We have the ELBSecurityPolicy-TLS-1-2-Ext-2018-06 security policy tied to our ALB (we should enable only the TLS 1.2 protocol).

Since we cannot customize the security policy at the ALB level, is there any way I can achieve this?

I added the configuration below in standalone.xml. This did not work.

<https-listener name="https" socket-binding="https" no-request-timeout="300000" security-realm="CertificateRealm" enabled-protocols="TLSv1.2" enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>
Maarten Bodewes
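An added example, not code from the question or the answer, that does the check a practitioner would run before changing anything: it reads the enabled-cipher-suites of every https-listener in standalone.xml, parses an SSL Labs-style cipher listing, classifies each suite from its name (key size, mode, forward secrecy), and then lists the suites the scanner observed that the listener never offered. A non-empty last list is exactly the symptom described above: those suites are negotiated by whatever terminates TLS in front of WildFly (here the ALB and its fixed security policy), so no listener setting can remove them. The XML namespaces, the constructed report lines and the 256-bit policy threshold are assumptions for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the https-listener from the question embedded in a minimal
# standalone.xml skeleton. The namespace URIs are illustrative assumptions.
STANDALONE_XML = """<server xmlns="urn:jboss:domain:4.2">
  <subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <server name="default-server">
      <https-listener name="https" socket-binding="https" security-realm="CertificateRealm"
        enabled-protocols="TLSv1.2"
        enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>
    </server>
  </subsystem>
</server>"""

# Constructed sample of an SSL Labs cipher listing: the five suites from the
# question plus one 256-bit suite, so the filter has something to let through.
SSLLABS_REPORT = """TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK    128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK   128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK   128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK  128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
"""

SUITE_LINE = re.compile(r"^(TLS_[A-Z0-9_]+)\s+\((0x[0-9a-fA-F]+)\)")


def describe_suite(name):
    """Derive key size, mode and forward secrecy from a Java/IANA suite name."""
    body = name[4:] if name.startswith("TLS_") else name
    kx = body.split("_WITH_")[0] if "_WITH_" in body else "TLS1.3"  # TLS 1.3 names carry no key exchange
    bits_match = re.search(r"_(128|192|256)_", name)
    if bits_match:
        bits = int(bits_match.group(1))
    elif "3DES" in name:
        bits = 112          # effective strength of triple DES
    elif "CHACHA20" in name:
        bits = 256
    else:
        bits = 0            # NULL or unrecognised bulk cipher: treat as weakest
    mode = "GCM" if "_GCM_" in name else "CBC" if "_CBC_" in name else "OTHER"
    return {
        "name": name,
        "kx": kx,
        "forward_secrecy": kx.startswith(("ECDHE", "DHE")) or kx == "TLS1.3",
        "bits": bits,
        "mode": mode,
    }


def violations(suites, min_bits=256, require_fs=True):
    """Suites that fall below the key-size floor or lack forward secrecy."""
    bad = []
    for d in map(describe_suite, suites):
        if d["bits"] < min_bits or (require_fs and not d["forward_secrecy"]):
            bad.append(d["name"])
    return bad


def listener_suites(xml_text):
    """Map each https-listener name to its enabled-cipher-suites, ignoring namespaces."""
    root = ET.fromstring(xml_text)
    result = {}
    for el in root.iter():
        if el.tag.split("}")[-1] == "https-listener":
            raw = el.get("enabled-cipher-suites", "")
            result[el.get("name")] = [s.strip() for s in raw.split(",") if s.strip()]
    return result


def report_suites(report_text):
    """Extract suite names from 'NAME (0x..) ...' lines of a scanner listing."""
    names = []
    for line in report_text.splitlines():
        m = SUITE_LINE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def check(xml_text, report_text):
    """Compare what the listener offers with what the scanner actually negotiated."""
    configured = {s for lst in listener_suites(xml_text).values() for s in lst}
    observed = report_suites(report_text)
    return {
        "configured_violations": violations(sorted(configured)),
        "observed_violations": violations(observed),
        # Anything here was never offered by WildFly, so TLS is terminated upstream.
        "not_from_listener": sorted(set(observed) - configured),
    }


if __name__ == "__main__":
    for key, value in check(STANDALONE_XML, SSLLABS_REPORT).items():
        print(key, value)
```

When the configured list is clean but the observed list is not, the fix has to happen at the terminating device, which is what the accepted answer below says about the ALB.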

1 Answer

Application Load Balancers in AWS do not yet allow for specifying custom SSL Security Policies.

You'll have to use a Classic Load Balancer. Other questions have details relating to Java implementations.

New Alexandria