1 Reply Latest reply on Oct 16, 2013 9:29 AM by m.roodsaz

Jboss Connector tlsv1.1 support ONLY

zemt3x Jun 17, 2013 5:40 AM

Hi,

i'm triing to create a java SSL connector to forward only TLSv1.1 connections to my application.

This is my connector:

<Connector protocol="org.apache.coyote.http11.Http11Protocol"

port="49154" minSpareThreads="5" maxSpareThreads="75"

enableLookups="true" disableUploadTimeout="true"

acceptCount="100" maxThreads="200"

scheme="https" secure="true" SSLEnabled="true"

keystoreFile="/.../sslKeyStore.jks"

keystorePass="..."

clientAuth="true"

sslProtocol="TLSv1.1"

ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>

But this connector also accepts TLSv1, TLSv1.2 and SSL3.

Only SSL2 is unsurported.

If I don't define the sslProtocol="..." in my connector I get the same appearance, what is very strange for me.

I'm using JDK7 and - i think - this is why it supports all TLS versions

see:http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html

"The SunJSSE provider now supports TLS 1.1 as described in RFC 4346. The most important update is protection against cipher block chaining (CBC) attacks."

What I want to reach is to accept only handshakes using the TLSv1.1 protocol, for other handshakes the connector should say something like this

"Unsupported SSL v2.0 ClientHello"

what my connector does for the SSL2 protocol.

Is it possible?`

The Connector runs on JBoss AS 4.2.3 and for the SSL-handshake I'm using openssl.

Regards

zemt3x

1. Re: Jboss Connector tlsv1.1 support ONLY

m.roodsaz Oct 16, 2013 9:29 AM (in response to zemt3x)

Hi,

I have the same issue with jboss 6A & java 7. I set the sslProtocol = "TLS1.1" in sever.xml but when i send a WS via jboss TLS1 is used.

Regards,
Mehran.
Actions