2 Replies Latest reply on Apr 25, 2006 3:33 PM by anil.saldhana

    ciphers attribute in SSL connector ignored (JBoss AS 4.0.2)

    nebel

      Hi,

      I have configured the SSL connector in: deploy\jbossweb-tomcat55.sar\server.xml and have web services over https working. Now I'm trying to limit the ciphers that can be used on the HTTPS requests and responses. According to Tomcat documentation here:

      http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

      I should be able to use the ciphers attribute in the SSL connector configuration. I believe the values that I can use for the ciphers attribute are those in the last (5th) table of Appendix A of this document:

      http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA

      so the SSL connector would look like this:

       <!-- SSL/TLS Connector on port 8443 -->
       <Connector port="8443" address="${jboss.bind.address}"
       maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
       emptySessionPath="true"
       scheme="https" secure="true" clientAuth="true"
       sslProtocol="TLS"
       ciphers="TLS_DHE_DSS_WITH_AES_256_CBC_SHA,SSL_DHE_DSS_WITH_RC4_128_SHA"
       keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
       keystorePass="password"
       truststoreFile="${jboss.server.home.dir}/conf/server.keystore"
       truststorePass="password" />


      I've found, however, that I can write trash in the ciphers attribute and the SSL call still succeeds. I can write:

      ciphers="Hi Mom!"

      and I get no errors either in the JBoss AS startup or in the HTTPS calls. It seems like the ciphers attribute is being ignored.

      Does anybody know how to limit the ciphers used by HTTPS in JBoss AS 4.0.2? (Upgrading to another version of JBoss is currently not an option, as our project is nearing the release date, but I could apply a patch if there is one.)

      Thank you very much,

      Ernesto
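
A check for the cipher names discussed in the post above, as an added example that is not part of the original post and is not JBoss or Tomcat code. The class name `CipherListCheck` is hypothetical; it asks the JVM's default JSSE provider which of the listed names it supports and applies the supported ones to a throwaway server socket, written to compile on J2SE 1.5 and meant to be run with the same JVM that runs JBoss AS.

```java
import java.util.*;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherListCheck {
    /** Splits a Connector-style ciphers value on commas and trims each entry. */
    static List<String> parse(String attr) {
        List<String> out = new ArrayList<String>();
        String[] parts = attr.split(",");
        for (int i = 0; i < parts.length; i++) {
            String name = parts[i].trim();
            if (name.length() > 0) out.add(name);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Default input: the two suites and the junk value quoted in the post.
        String attr = args.length > 0 ? args[0]
            : "TLS_DHE_DSS_WITH_AES_256_CBC_SHA,SSL_DHE_DSS_WITH_RC4_128_SHA,Hi Mom!";

        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        Set<String> supported =
            new HashSet<String>(Arrays.asList(factory.getSupportedCipherSuites()));

        List<String> usable = new ArrayList<String>();
        for (String name : parse(attr)) {
            boolean ok = supported.contains(name);
            System.out.println((ok ? "supported     " : "NOT supported ") + name);
            if (ok) usable.add(name);
        }
        if (usable.isEmpty()) {
            System.out.println("No entry is a suite this JVM supports.");
            return;
        }
        // Port 0 picks any free port; the socket only reads back the effective list.
        SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0);
        try {
            // Throws IllegalArgumentException if any name is unsupported,
            // which is why the list is filtered first.
            socket.setEnabledCipherSuites(usable.toArray(new String[usable.size()]));
            System.out.println("Enabled on test socket: "
                + Arrays.asList(socket.getEnabledCipherSuites()));
        } finally {
            socket.close();
        }
    }
}
```

This validates the names against the JVM only; it does not show whether the connector in JBoss AS 4.0.2 applies the attribute.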