1 Reply Latest reply on Feb 5, 2011 12:36 AM by robbanfield

    Configure JBoss 4.2.3.GA to remove weak & medium ciphers

    robbanfield

      Hi,

      I'm hoping someone could help with configuring JBoss 4.2.3.GA to disable weak & medium ciphers.

      We've scanned JBoss with Nessus and it identified weak & medium ciphers on port 8443.

      I was able to remove those scan results by limiting the ciphers. I added the following to the connector in server.xml:

      ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

      Re-running the scan, 8443 is now good; unfortunately it's now detecting the weak ciphers on port 8091.

      From the best I can tell, I should be updating uil2-service.xml. That's based on reading a few posts on the boards here, such as http://community.jboss.org/thread/42986?tstart=0, as well as a few items that mention adding cipherAlgorithm as an attribute, or others that mention limiting the available suites by adding https.cipherSuites as a JVM option in run.conf.

      None of these has helped thus far.

      Can someone please help point me at the correct configuration option(s)?

      Thanks in advance,

      -Rob
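The following is an added example, not code from the post above or from JBoss. It takes the `ciphers` attribute exactly as Rob added it to the 8443 connector, splits it the way the connector does (comma-separated, whitespace ignored), and flags each suite the way a Nessus-style scan reports it, then rewrites a constructed Connector element with only the accepted suites. The classification is an assumption stated in the code: RC4 and 3DES are counted as medium strength (what current scanner plugins report; the 2011 scan in the thread evidently did not flag them, since 8443 came back clean with them still listed), and NULL, export-grade, single DES and anonymous DH suites as weak. The Connector attributes, keystore path and password are placeholders. It says nothing about port 8091 or uil2-service.xml, which the thread leaves unresolved.

```python
"""Audit and harden the `ciphers` attribute of a JBoss 4.2.x (JBossWeb/Tomcat)
HTTPS Connector. Added example, not from the thread above; the classification
thresholds in the MARKERS tuples are assumptions."""
import re
import xml.etree.ElementTree as ET

# JSSE suite-name substrings, grouped by how a Nessus-style scan reports them.
# Assumption: RC4 and 3DES count as "medium" (current scanner practice);
# NULL, export-grade, single DES and anonymous DH count as "weak".
WEAK_MARKERS = ("_NULL_", "_EXPORT", "_DES_", "_anon_")
MEDIUM_MARKERS = ("_RC4_", "_3DES_")

# The cipher list from the post above, exactly as it was added to server.xml.
POSTED_CIPHERS = (
    "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
)

# Constructed Connector element (Tomcat 6 / JBossWeb attribute names;
# keystore path and password are placeholders, not a real deployment).
SAMPLE_CONNECTOR = (
    '<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" '
    'scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" '
    'keystoreFile="${jboss.server.home.dir}/conf/server.keystore" '
    'keystorePass="changeit" ciphers="' + POSTED_CIPHERS + '"/>'
)


def parse_cipher_attr(value):
    """Split the attribute the way the connector does: comma-separated,
    surrounding whitespace ignored, empty entries dropped."""
    return [s for s in re.split(r"[\s,]+", value.strip()) if s]


def classify(suite):
    """Return 'weak', 'medium' or 'ok' for one JSSE cipher-suite name."""
    if any(m in suite for m in WEAK_MARKERS):
        return "weak"
    if any(m in suite for m in MEDIUM_MARKERS):
        return "medium"
    return "ok"


def audit(value):
    """Map every suite in a ciphers attribute to its classification."""
    return {s: classify(s) for s in parse_cipher_attr(value)}


def harden(value):
    """Rebuild the attribute value keeping only suites classified 'ok'."""
    kept = [s for s in parse_cipher_attr(value) if classify(s) == "ok"]
    return ", ".join(kept)


def connector_ciphers(connector_xml):
    """List the suites a Connector element currently allows."""
    return parse_cipher_attr(ET.fromstring(connector_xml).get("ciphers", ""))


def harden_connector(connector_xml):
    """Return the Connector element with its ciphers attribute reduced to the
    accepted suites. Refuses to emit an empty list: an empty or missing
    `ciphers` attribute means 'JSSE defaults', i.e. every suite comes back."""
    el = ET.fromstring(connector_xml)
    hardened = harden(el.get("ciphers", ""))
    if not hardened:
        raise ValueError("no acceptable suites left; refusing to emit an "
                         "empty ciphers attribute (that re-enables all suites)")
    el.set("ciphers", hardened)
    return ET.tostring(el, encoding="unicode")


if __name__ == "__main__":
    for suite, verdict in audit(POSTED_CIPHERS).items():
        print(f"{verdict:6s} {suite}")
    print(harden_connector(SAMPLE_CONNECTOR))
```

Run against the posted list, the audit marks the two RC4 and three 3DES suites as medium and keeps the three AES-128 suites; the empty-list guard matters because an attribute reduced to nothing silently hands control back to the JVM's default suite list, which is exactly what the scan complained about.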