How to enable TLS 1.3 and 1.2 at the same time in WildFly 38


Giuseppe Sacco

Nov 11, 2025, 7:20:19 AM
to WildFly
Hi all,
I am new to WildFly and this is my first attempt to use it, so I have never yet used the command line to change the standalone configuration: I always edit the XML file directly.

I managed to add the configuration for listening on a TLSv1.3 enabled port, and I would like to also support TLSv1.2 on the same ssl-context.

This is the context I currently have:

```xml
<server-ssl-context
    name="applicationSSC"
    cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
    protocols="TLSv1.3"
    key-manager="applicationKM"/>
```

I tried to change the protocols to "[TLSv1.3,TLSv1.2]" but the syntax wasn't accepted. Moreover, I seem to understand that the cipher-suite is different for v1.3 than for 1.2.

So, where do I find the documentation on changing this configuration? Should I use different ssl-contexts on the same https-listener, or on a different https-listener using the same socket-binding?

Thank you very much,
Giuseppe

luca stancapiano

Nov 11, 2025, 8:50:04 AM
to Giuseppe Sacco, WildFly

Hi Giuseppe,

To enable both TLS 1.2 and TLS 1.3 on the same ssl-context in WildFly, you should specify the protocols attribute like this, using a comma-separated list (not square brackets):

```xml
<server-ssl-context name="applicationSSC"
    cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
    protocols="TLSv1.3,TLSv1.2"
    key-manager="applicationKM"/>
```

However, note that the cipher suites for TLS 1.2 are different from those for 1.3, so you can't use only TLS 1.3 ciphers for both. You either need to:

  • Define an ssl-context that only uses cipher suites compatible with both protocols (which is very limited),

  • Or, the recommended approach is to create two separate ssl-contexts for TLSv1.2 and TLSv1.3, each with the appropriate cipher suites, and then associate those with different https-listeners (they can use the same socket-binding).

The official WildFly Elytron documentation provides further details for the server-ssl-context attributes and correct protocol/cipher settings.

Let me know if you need the exact documentation link or more details!


--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wildfly/0f1eee57-41f9-4457-9d81-73f1bd68ea12n%40googlegroups.com.

Diana Krepinska

Nov 12, 2025, 8:12:34 AM
to WildFly
Hello all,

You can specify both protocols for the ssl-context: protocols="TLSv1.3,TLSv1.2".
Note that the cipher-suite-names attribute has this description: "The filter to apply to specify the enabled cipher suites for TLSv1.3." So it filters only TLSv1.3 ciphers. The ciphers of TLSv1.2 are intact in this case.
To filter ciphers of TLSv1.2 and below, you should use the cipher-suite-filter attribute instead.

Giuseppe Sacco

Nov 12, 2025, 1:04:22 PM
to luca stancapiano, WildFly
Hello,
I did try, but I get an error because the two listeners share the socket binding. The error message is:

2025-11-12 18:48:28,554 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-9) MSC000001: Failed to start service org.wildfly.undertow.listener."tlsv1.3": org.jboss.msc.service.StartException in service org.wildfly.undertow.listener."tlsv1.3": Address already in use /0.0.0.0:8090

In my configuration I set up the listeners this way:

```xml
<server name="default-server">
    <https-listener name="tlsv1.3"
        socket-binding="https" ssl-context="applicationSSC-TLSv1.3" enable-http2="true"/>
    <https-listener name="tlsv1.2"
        socket-binding="https" ssl-context="applicationSSC-TLSv1.2" enable-http2="true"/>
[...]
```

So, using different ssl-contexts but sharing the socket-binding.


As a different configuration change, merging the ssl-contexts as suggested, using a list of protocols, does not work:

OPVDX001: Validation error in standalone.xml -----------------------------------
|
|  369:     cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
|  370:     protocols="TLSv1.3,TLSv1.2"
|  371:     key-manager="applicationKM"/>
|                                        ^^^^ Invalid value TLSv1.3,TLSv1.2 for protocols; legal values are
|                                               [\"SSLv2\", \"SSLv2Hello\", \"SSLv3\", \"TLSv1\", \"TLSv1.1\",
|                                               \"TLSv1.2\", \"TLSv1.3\"]
|
|  372:
|  373:                 </server-ssl-contexts>
|  374:             </tls>


Thank you,
Giuseppe

Jose Socola

Nov 12, 2025, 8:25:40 PM
to Giuseppe Sacco, luca stancapiano, WildFly
Hi, you need just one http listener with two protocols, and the protocols are separated with a space, not with a comma.
```xml
<subsystem xmlns="urn:jboss:domain:elytron:...">
    ...
    <tls>
        <key-stores>
            <key-store name="ssl-realm">
                <credential-reference clear-text="mypassword"/>
                <implementation type="JKS"/>
                <file path="ssl/myfile.jks" relative-to="jboss.server.config.dir"/>
            </key-store>
        </key-stores>
        <key-managers>
            <key-manager name="ssl-realm-manager" key-store="ssl-realm">
                <credential-reference clear-text="mypassword"/>
            </key-manager>
        </key-managers>
        <server-ssl-contexts>
            <!-- protocols is a space-separated list, not comma-separated -->
            <server-ssl-context name="ssl-realm-context"
                cipher-suite-names="TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
                protocols="TLSv1.3 TLSv1.2"
                key-manager="ssl-realm-manager"/>
        </server-ssl-contexts>
    </tls>
</subsystem>

<subsystem xmlns="urn:jboss:domain:undertow:...">
    <server name="default-server">
        <http-listener name="default" socket-binding="http" record-request-start-time="true" no-request-timeout="60000" redirect-socket="https" enable-http2="true"/>
        <!-- a single https-listener references the context that serves both protocol versions -->
        <https-listener name="https" socket-binding="https" ssl-context="ssl-realm-context" enable-http2="true"/>
        ...
    </server>
</subsystem>
```

Regards,
JS


Giuseppe Sacco

Nov 14, 2025, 3:26:47 AM
to WildFly, Jose Socola, luca stancapiano
Thank you, Jose, the protocols list with spaces is accepted.

Jeff Meyers

Nov 19, 2025, 10:34:59 AM
to WildFly
I am having problems with the same thing. The proposed solution:

  • Or, the recommended approach is to create two separate ssl-contexts for TLSv1.2 and TLSv1.3, each with the appropriate cipher suites, and then associate those with different https-listeners (they can use the same socket-binding).

When I do this I get the same error: Address already in use: bind /127.0.0.1:8443

What is the trick to get TLSv1.2 and TLSv1.3 both working at the same time, with a different set of cipher suites for each? I first tried specifying just one protocol for each context, but had the same error.

My SSL Contexts:
```xml
<server-ssl-contexts>
  <server-ssl-context name="tls12-SSC" cipher-suite-filter="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" protocols="TLSv1.2 TLSv1.3" key-manager="applicationKM"/>
  <server-ssl-context name="tls13-SSC" cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" protocols="TLSv1.2 TLSv1.3" key-manager="applicationKM"/>
</server-ssl-contexts>
```

My Listeners:

```xml
<https-listener name="https-12" socket-binding="https" ssl-context="tls12-SSC" enable-http2="true"/>
<https-listener name="https-13" socket-binding="https" ssl-context="tls13-SSC" enable-http2="true"/>
```
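Putting the thread's findings together (protocols is a space-separated list; cipher-suite-names filters only the TLSv1.3 suites while cipher-suite-filter covers TLSv1.2 and below; only one https-listener can bind a given socket-binding), a single ssl-context can serve both versions with a separate suite list for each. This is an added example, not configuration from any post in the thread: the names applicationSSC, applicationKM and https follow Giuseppe's configuration, and the TLSv1.2 suite list is a constructed choice.

```xml
<!-- Added example, not from the thread. applicationSSC / applicationKM / https follow
     the original post; the TLSv1.2 suite list below is a constructed choice. -->

<!-- elytron subsystem -->
<server-ssl-contexts>
    <!-- protocols: space-separated; "TLSv1.3,TLSv1.2" is rejected by validation -->
    <!-- cipher-suite-names: applies to TLSv1.3 suites only -->
    <!-- cipher-suite-filter: applies to TLSv1.2 and below -->
    <server-ssl-context name="applicationSSC"
        protocols="TLSv1.3 TLSv1.2"
        cipher-suite-names="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
        cipher-suite-filter="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        key-manager="applicationKM"/>
</server-ssl-contexts>

<!-- undertow subsystem: exactly one https-listener per socket-binding; a second
     listener on the same binding fails with "Address already in use" -->
<server name="default-server">
    <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
</server>
```

After a restart, a client forced to each version (for example `openssl s_client -connect host:port -tls1_2` and the same with `-tls1_3`) should complete a handshake using a suite from the corresponding list, which confirms both filters are in effect.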