-
1. Re: How to Disable TLS Renegotiation on JBoss 7.1
jfclere Aug 21, 2013 4:52 AM (in response to dario.ajr)
The renegotiation is disabled; it can't be configured.
-
2. Re: How to Disable TLS Renegotiation on JBoss 7.1
dario.ajr Sep 16, 2013 9:32 AM (in response to jfclere)
On my server it is enabled; the security personnel could easily renegotiate, beyond the software: https://www.ssllabs.com/ssltest/analyze.html?d=xxxxxxx.com
Secure Renegotiation: Supported
Secure Client-Initiated Renegotiation: Supported DoS DANGER
Insecure Client-Initiated Renegotiation: No
BEAST attack: Vulnerable INSECURE
Compression: No
RC4: Yes NOT DESIRABLE
Forward Secrecy (Experimental): No NOT DESIRABLE
Next Protocol Negotiation: No
Session resumption: Yes
Session tickets: No
OCSP stapling: No
Strict Transport Security: No
Long handshake intolerance: No
TLS extension intolerance: No
TLS version intolerance: TLS 2.98
SSLv2 handshake compatibility: Yes
-
3. Re: How to Disable TLS Renegotiation on JBoss 7.1
dario.ajr Aug 21, 2013 2:43 PM (in response to dario.ajr)
I managed to improve the security indicator by limiting the cipher suite and limiting the SSL protocols:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="ssl" password="********" certificate-key-file="*********" cipher-suite="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5" protocol="TLSv1.1,TLSv1,SSLv3,TLSv1.2" verify-client="false"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="false">
        <alias name="localhost"/>
        <alias name="example.com"/>
    </virtual-server>
</subsystem>
This corrected the BEAST finding:
BEAST attack: Not vulnerable
But the problem below continues:
Secure Client-Initiated Renegotiation: Supported DoS DANGER
-
4. Re: How to Disable TLS Renegotiation on JBoss 7.1
jfclere Aug 22, 2013 3:42 AM (in response to dario.ajr)
According to the code, CVE-2009-3555 has been fixed in 2009; you should check with the people doing the ssltest what they are doing to find it in this test.
-
5. Re: How to Disable TLS Renegotiation on JBoss 7.1
dario.ajr Sep 16, 2013 9:30 AM (in response to jfclere)
How to disable Secure Client-Initiated Renegotiation?
This option can be used for a DoS attack.
I used the following parameters in standalone.conf:
# Security ISSUES
JAVA_OPTS="$JAVA_OPTS -Dsun.security.ssl.allowUnsafeRenegotiation=false
-Dsun.security.ssl.allowLegacyHelloMessages=false
-Dsun.security.ssl.allowUnsafeLegacyRenegotiation=false
-Dorg.apache.coyote.http11.Http11Protocol.MAX_KEEP_ALIVE_REQUEST=1"
But the server continues to accept renegotiation.
My question is about CVE-2011-1473.
-
6. Re: How to Disable TLS Renegotiation on JBoss 7.1
jfclere Sep 17, 2013 7:15 AM (in response to dario.ajr)
CVE-2011-1473 is OpenSSL, and you use native="false", so I don't know what you are looking for :-(
All the system variables you have been using prevent unsafe renegotiation (CVE-2009-3555), and they are not related to CVE-2011-1473.
-
7. Re: How to Disable TLS Renegotiation on JBoss 7.1
shruti-p Apr 16, 2014 1:31 PM (in response to jfclere)
Hello all,
I am facing the same issue when I run a web vulnerability scan. It alerts for an SSL/TLS renegotiation attack, and there is no way to disable this feature in the standalone.xml configuration file of JBoss 7. Is there any other way I can disable the renegotiation capability of the server?
-
8. Re: How to Disable TLS Renegotiation on JBoss 7.1
ctomc Apr 16, 2014 4:53 PM (in response to shruti-p)
This is part of the JDK itself; just add the system property configuration to your standalone.xml.
Read more about the properties:
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme-141115.html
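Posts 5 and 8 both describe the same mechanism: the renegotiation behaviour belongs to the JDK's JSSE provider, so it is controlled by JVM system properties, either in JAVA_OPTS in standalone.conf (post 5) or in a <system-properties> element in standalone.xml (post 8). The fragment below is an added example, not configuration from this thread or from the JBoss project. It assumes a JBoss AS 7.1 standalone.xml, where <system-properties> is a direct child of <server> placed after <extensions>; take the xmlns value from your own file. The two sun.security.ssl properties are the ones posted in this thread and, as post 6 says, address the unsafe legacy renegotiation of CVE-2009-3555. The SSL Labs row the thread cannot clear ("Secure Client-Initiated Renegotiation: Supported") is a separate check; the JDK property jdk.tls.rejectClientInitiatedRenegotiation exists for exactly that in JDK 8 and later, so it is included here with the caveat that the 2013-era JDK in this thread may predate it.

```xml
<!-- Added example (not from the thread): JBoss AS 7.1 standalone.xml fragment.
     Assumed layout: <system-properties> directly under <server>, after <extensions>.
     Use the xmlns of your own standalone.xml; 1.1 is assumed here. -->
<server xmlns="urn:jboss:domain:1.1">
    <extensions>
        <!-- existing extension entries unchanged -->
    </extensions>
    <system-properties>
        <!-- CVE-2009-3555: refuse the legacy (unsafe) renegotiation modes.
             These are the properties from post 5 of this thread. -->
        <property name="sun.security.ssl.allowUnsafeRenegotiation" value="false"/>
        <property name="sun.security.ssl.allowLegacyHelloMessages" value="false"/>
        <!-- Client-initiated *secure* renegotiation (the SSL Labs DoS DANGER row)
             is governed by a different switch. JDK 8 and later honour this one;
             verify it in your JDK's JSSE reference guide before relying on it. -->
        <property name="jdk.tls.rejectClientInitiatedRenegotiation" value="true"/>
    </system-properties>
    <!-- paths, management, profile, interfaces, socket-binding-group unchanged -->
</server>
```

Properties set this way are read once at JVM start, so the change needs a full restart of the server process, not a subsystem reload. The check that matters afterwards is the one the thread already uses: re-run the SSL Labs test against the host and confirm that the "Secure Client-Initiated Renegotiation" row no longer reads Supported. Note that this fragment only touches renegotiation; the cipher-suite in post 3 is still RC4-only, which the same report marks NOT DESIRABLE.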
-
9. Re: How to Disable TLS Renegotiation on JBoss 7.1
shruti-p Apr 22, 2014 9:29 AM (in response to ctomc)
Hi Tomaz,
Thank you for the solution. I added a system property in my configuration as you suggested, but the scan still gives me an alert that the system is vulnerable to SSL/TLS renegotiation. I also found out that the version of OpenSSL that I used to generate my keystore is 0.98e. Do you think the version of OpenSSL might be one cause of the vulnerability?
-
10. Re: How to Disable TLS Renegotiation on JBoss 7.1
jfclere Apr 28, 2014 11:06 AM (in response to shruti-p)
Are you using native="false"?