3 Replies Latest reply on Apr 27, 2010 10:03 PM by ron_sigal

Disable Weak Ciphers for PCI-DSS

sunilbabu Sep 11, 2009 10:55 AM

We have to disable the weak ciphers in Jboss-4.2.3.GA (ejb3 application) for pci compliance. Can someone help me with the configuration or point me to a document that explain how to disable ciphers.

Following is current connector

<mbean code="org.jboss.remoting.transport.Connector"
 name="jboss.remoting:type=Connector,transport=socket3843,handler=ejb3">
 <depends>jboss.aop:service=AspectDeployer</depends>
 <attribute name="Configuration">

 <config>

 <invoker transport="sslsocket">
 <attribute name="serverSocketFactory">
 jboss.remoting:service=ServerSocketFactory,type=SSL
 </attribute>
 <attribute name="serverBindAddress">${jboss.bind.address}</attribute>
 <attribute name="serverBindPort">3843</attribute>
 <attribute name="timeout">120000</attribute>
 </invoker>

 <handlers>
 <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
 </handlers>

 </config>
 </attribute>
 </mbean>

I also tried with org.jboss.security.ssl.DomainServerSocketFactory and CipherSuites but it did not disable any ciphers.

<mbean code="org.jboss.remoting.transport.Connector"
 name="jboss.remoting:type=Connector,transport=socket3843,handler=ejb3">
 <depends>jboss.aop:service=AspectDeployer</depends>
 <attribute name="Configuration">

 <config>

 <invoker transport="sslsocket">
 <attribute name="serverSocketFactoryBean"
 attributeClass="org.jboss.security.ssl.DomainServerSocketFactory"
 serialDataType="javaBean">
 <property name="CipherSuites">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</property>
 </attribute>

 <attribute name="serverBindAddress">${jboss.bind.address}</attribute>
 <attribute name="serverBindPort">3843</attribute>
 <attribute name="timeout">120000</attribute>
 </invoker>

 <handlers>
 <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
 </handlers>

 </config>
 </attribute>
 <!--property name="ciphers">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</property-->
 </mbean>

1. Re: Disable Weak Ciphers for PCI-DSS

ron_sigal Sep 13, 2009 8:25 PM (in response to sunilbabu)

Here are a couple of places to look:

* "JavaTM Secure Socket Extension (JSSE) Reference Guide" at http://www.j2ee.me/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

* javax.net.ssl.SSLServerSocket javadoc at http://www.j2ee.me/j2se/1.4.2/docs/api/javax/net/ssl/SSLServerSocket.html

Hope that helps.
Actions

2. Re: Disable Weak Ciphers for PCI-DSS

sunilbabu Apr 14, 2010 11:50 PM (in response to sunilbabu)

I spent lot of time trying to figure this out and hope this help someone.

-Jboss-4.2.3.GA uses Remoting 2.2.2.SP8 and there is no configuration option or property to disable weak ciphers in this version.

-This feature is added in Remoting 2.4.0.Beta2 https://jira.jboss.org/jira/browse/JBREM-703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel.

So My Options are

1. Update the Remoting.jar to to 2.4.x version but I did not find any document to do this( I was also worried about it's impact on my swing clients and webservice).

2. Hack the Remoting 2.2.2.SP8 code and disable the weak ciphers.

Required files: jboss-remoting.jar, jboss-common.jar, jboss-common.jar, SSLSocketServerInvoker.java

Modify 2.2.2-SP8/src/main/org/jboss/remoting/transport/sslsocket/SSLSocketServerInvoker.java file and add strong ciphers

   protected ServerSocket createServerSocket(int serverBindPort, int backlog, InetAddress bindAddress) throws IOException
   {
      ServerSocket ss = getServerSocketFactory().createServerSocket(serverBindPort, backlog, bindAddress);
        if (ss instanceof SSLServerSocket) {
                SSLServerSocket sss = (SSLServerSocket) ss;
                String[] enabledCipherSuits = {"SSL_RSA_WITH_RC4_128_MD5","SSL_RSA_WITH_RC4_128_SHA","SSL_RSA_WITH_3DES_EDE_CBC_SHA","SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA","SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA"};
                sss.setEnabledCipherSuites(enabledCipherSuits);
        }
 
      return ss;
   }

Compile the file

javac -cp jboss-remoting.jar:jboss-common.jar:log4j.jar SSLSocketServerInvoker.java

Update Jar with new file

jar uf jboss-remoting.jar org/jboss/remoting/transport/sslsocket/SSLSocketServerInvoker.class

3. Update my server to Jboss-5x and use "enabledCipherSuites" property (I am working on this now ).

3. Re: Disable Weak Ciphers for PCI-DSS

ron_sigal Apr 27, 2010 10:03 PM (in response to sunilbabu)

Hi Sunil

1. Update the Remoting.jar to to 2.4.x version but I did not find any document to do this( I was also worried about it's impact on my swing clients and webservice).

Updating is just a matter of replacing jboss-remoting.jar. In the context of the Application Server (4.2.x), you want to replace it in $JBOSS_HOME/server/$CONFIG/lib and $JBOSS_HOME/client. Note, also, that client/jbossall-client.jar contains the Remoting files, so you would want to put jboss-remoting.jar in front of jbossall-client.jar on the classpath.

In principle, it should be possible to just drop in a new jboss-remoting.jar. I've heard of people using Remoting 2.4/2.5 with AS 4.2.x, and I'm not aware of any problems. No warranty, of course.

There's another alternative, though. You can configure Remoting to use a custom ServerSocketFactory, so you could write a ServerSocketFactory which sets the enabledCipherSuites property before returning the ServerSocket. See Section 5.7.3. "Server side configuration in the JBoss Application Server" in the Remoting Guide: http://docs.jboss.org/jbossremoting/2.2.3.SP2/html/

-Ron
Actions

Go to original post