0 Replies Latest reply on Sep 6, 2012 11:41 AM by qaelbdj

    Protect my app from BEAST attack

    qaelbdj

      The use of SSLv3.0/TLSv1.0 in combination with certain encryption techniques (CBC block ciphers) may allow an attacker to predict the so-called Initialization Vector of subsequent SSL packets. Using this information, the attacker can access the secure session of another user. This attack, named BEAST (Browser Exploit Against SSL/TLS), is aimed at the user's browser and not at the web server. Nevertheless, it is possible to take countermeasures at the server side as well to prevent a successful attack.

      The complete solution to this problem is disabling or deprioritizing the support for vulnerable encryption ciphers (CBC block ciphers) when using SSLv3.0/TLSv1.0. Commonly, this can be achieved by prioritizing RC4 ciphers in the cipher negotiation process.

      For Apache web servers that support SSLv3.0/TLSv1.0 this can be configured by adding the following configuration:

      SSLProtocol All -SSLv2
      SSLHonorCipherOrder On
      SSLCipherSuite RC4-SHA:HIGH:!ADH

      For Apache web servers that support SSLv3.1/TLSv1.1 and higher, it is recommended to use the following configuration:

      SSLProtocol All -SSLv2
      SSLHonorCipherOrder On
      SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM

      As far as I know, JBoss 7 is based on a version of Apache that supports SSLv3.1/TLSv1.1 (maybe I am wrong), so the second alternative can be applied to JBoss 7.

      My question is: Where/How should I configure it?
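The following is an added illustration (not code from the post, from Apache, or from JBoss) of what the two configuration lines `SSLHonorCipherOrder On` and `SSLCipherSuite RC4-SHA:HIGH:!ADH` actually change during a handshake. It models a simplified subset of OpenSSL cipher-string syntax (`:`-separated names, group aliases, `!` exclusions) over a constructed five-suite catalogue and then runs the server's expanded list against a constructed browser preference list with and without server-order enforcement. The catalogue, the client list and the helper names are assumptions made for the example.

```python
"""Model of server-side cipher-suite selection, showing why the post's
Apache lines (RC4 first, server order honoured) steer a TLS 1.0 client
away from CBC suites. Added example; not the poster's or Apache's code."""

# Constructed catalogue (tiny sample, not OpenSSL's real table):
# suite name -> (group aliases it belongs to, uses CBC mode?)
# Note RC4-SHA is in OpenSSL's MEDIUM group, which is why the post's
# string has to name it explicitly in front of HIGH.
CATALOGUE = {
    "RC4-SHA":        ({"RC4", "MEDIUM"}, False),
    "AES256-SHA":     ({"AES", "HIGH"}, True),
    "AES128-SHA":     ({"AES", "HIGH"}, True),
    "DES-CBC3-SHA":   ({"3DES", "HIGH"}, True),
    "ADH-AES256-SHA": ({"ADH", "aNULL", "AES", "HIGH"}, True),
}


def expand_cipher_string(spec, catalogue=CATALOGUE):
    """Expand an OpenSSL-style cipher string into an ordered suite list.

    Simplified semantics: a plain token appends every matching suite that
    is not already listed (in catalogue order); ``!TOKEN`` removes matches
    and bars them from being added by later tokens. The ``+``, ``-`` and
    ``@`` modifiers of the real syntax are not modelled.
    """
    ordered, killed = [], set()
    for token in spec.split(":"):
        if not token:
            continue
        kill = token.startswith("!")
        name = token.lstrip("!")
        matches = [s for s, (aliases, _) in catalogue.items()
                   if s == name or name in aliases]
        if kill:
            killed.update(matches)
            ordered = [s for s in ordered if s not in killed]
        else:
            ordered += [s for s in matches
                        if s not in ordered and s not in killed]
    return ordered


def negotiate(server_suites, client_suites, honor_server_order):
    """Return the suite the handshake settles on, or None if none is shared.

    With honor_server_order=True (SSLHonorCipherOrder On) the first entry
    of the server list that the client also offers wins; otherwise the
    client's ordering decides, as is the TLS default.
    """
    if honor_server_order:
        preferred, other = server_suites, client_suites
    else:
        preferred, other = client_suites, server_suites
    for suite in preferred:
        if suite in other:
            return suite
    return None


def is_cbc(suite, catalogue=CATALOGUE):
    """True if the suite uses a CBC block cipher (the BEAST-relevant mode)."""
    return catalogue[suite][1]


if __name__ == "__main__":
    server = expand_cipher_string("RC4-SHA:HIGH:!ADH")
    # Constructed browser preference: CBC suites first, RC4 last.
    client = ["AES256-SHA", "AES128-SHA", "RC4-SHA"]
    for honor in (False, True):
        chosen = negotiate(server, client, honor)
        print(f"SSLHonorCipherOrder {'On ' if honor else 'Off'}: "
              f"{chosen} (CBC: {is_cbc(chosen)})")
```

Running it shows the point of the second directive: with `SSLHonorCipherOrder Off` the client's own CBC-first preference wins and a TLS 1.0 session lands on `AES256-SHA`, while with it `On` the same client is steered to `RC4-SHA`. Note that RC4 itself has since been prohibited for TLS (RFC 7465), so the model is useful for understanding the ordering mechanism rather than as a recommendation to keep RC4 in a current configuration.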