 

Disable Weak TLS Cipher Suites

I have a requirement to disable the weak (128-bit) TLS cipher suites below, as reported by SSL Labs:

Cipher suite                                  Code    Key exchange                          FS   Rating
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         0xc027  ECDH secp256r1 (eq. 3072 bits RSA)    FS   WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            0xc013  ECDH secp256r1 (eq. 3072 bits RSA)    FS   WEAK 128
TLS_RSA_WITH_AES_128_GCM_SHA256               0x9c    RSA                                   -    WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256               0x3c    RSA                                   -    WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA                  0x2f    RSA                                   -    WEAK 128

My application is running on a JBoss WildFly 10 server on an Amazon EC2 instance, fronted by an Application Load Balancer. I have tried making the change shown below in standalone.xml, but it did not help.

Even though I don't have any 128-bit ciphers listed in standalone.xml, SSL Labs was still showing the weak 128-bit ciphers above. I suspect the cipher values are being taken from the security policy set at the Application Load Balancer level. We have the ELBSecurityPolicy-TLS-1-2-Ext-2018-06 security policy tied to our ALB (we should enable only the TLS 1.2 protocol).

Since we cannot customize the security policy at the ALB level, is there any way I can achieve this?


I added the configuration below in standalone.xml. This did not work.

<https-listener name="https" socket-binding="https" no-request-timeout="300000" security-realm="CertificateRealm" enabled-protocols="TLSv1.2" enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>
Arya Asok Kumar Sobha asked Jan 26 '26 12:01


1 Answer

Application Load Balancers in AWS do not yet allow for specifying custom SSL security policies.

You'll have to use a Classic Load Balancer. Other questions have details on Java implementations.

New Alexandria answered Jan 29 '26 11:01
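A check that settles which layer is offering the suites, added here as an example and not taken from the question, the answer, WildFly or AWS: the script offers each of the five flagged suites to an endpoint one at a time over TLS 1.2 and records whether the server completes the handshake. Run it once against the ALB's DNS name on 443 and once directly against the WildFly HTTPS port on the EC2 instance; if the ALB accepts the suites and the instance refuses them, the standalone.xml listener is doing its job and the client-facing cipher list is the ALB policy's. The host name, port and the `probe` injection hook are assumptions for illustration, not values from the page.

```python
"""Probe a TLS endpoint for the five 128-bit suites SSL Labs flagged.

Added example: this is not code from the question, the answer, WildFly or
AWS. When an ALB terminates TLS, the client-facing cipher list comes from
the ALB's security policy, so running this once against the ALB's DNS name
and once directly against the WildFly HTTPS port on the EC2 instance shows
which component is still accepting the 128-bit suites. The host name and
port used under __main__ are placeholders, not values from the page.
"""
import socket
import ssl
import sys

# The flagged suites from the question, keyed by the IANA name SSL Labs
# prints, mapped to the OpenSSL name that ssl.SSLContext.set_ciphers() expects.
FLAGGED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
}


def try_cipher(host, port, openssl_name, timeout=5.0):
    """Attempt one TLS 1.2 handshake offering exactly one cipher suite.

    Returns the suite the server negotiated (the one offered, if any),
    or None if the server refused the handshake or the connection failed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Pin the probe to TLS 1.2: the listener in the question is TLS 1.2 only,
    # and TLS 1.3 suites are a separate list that SSL Labs did not flag here.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Only the server's cipher choice matters for this probe, not whether its
    # certificate chains to a trusted root, so verification is switched off.
    # Do not copy these two lines into application code.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(openssl_name)
    except ssl.SSLError:
        return None  # the local OpenSSL build cannot offer this suite at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None  # handshake alert, reset, refused, or timeout


def probe_endpoint(host, port, suites=FLAGGED_SUITES, probe=try_cipher):
    """Probe every suite in `suites`; return {iana_name: negotiated_or_None}.

    `probe` is injectable (an assumption of this example) so the
    classification can be exercised without a live server.
    """
    return {iana: probe(host, port, ossl) for iana, ossl in suites.items()}


def summarize(results):
    """Split probe results into sorted (accepted, refused) lists of IANA names.

    An empty `accepted` list means the endpoint no longer offers any of the
    flagged 128-bit suites; a non-empty one names exactly what is still on.
    """
    accepted = sorted(name for name, neg in results.items() if neg)
    refused = sorted(name for name, neg in results.items() if not neg)
    return accepted, refused


if __name__ == "__main__":
    # Placeholders: first the ALB DNS name on 443, then the instance's private
    # address with WildFly's HTTPS port (8443 in the default standalone profile).
    host = sys.argv[1] if len(sys.argv) > 1 else "my-alb.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    accepted, refused = summarize(probe_endpoint(host, port))
    for name in accepted:
        print(f"STILL OFFERED  {name}")
    for name in refused:
        print(f"refused        {name}")
    sys.exit(1 if accepted else 0)
```

The script exits non-zero when any flagged suite is still accepted, so it can sit in a pipeline as a regression check after a policy change. Note that `enabled-cipher-suites` on the WildFly listener only governs connections that reach the WildFly listener itself; whatever the ALB negotiates with browsers is decided by the ALB's predefined policy, which is exactly what the two probe runs make visible.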


