2 Replies Latest reply on Jul 16, 2015 2:52 AM by sikorson

    JBoss EAP 6.0.1 cipher-suite configuration not working as expected (at all?)

    turchinc

      Because of the attention that logjam and Logjam: How Diffie-Hellman Fails in Practice has received in recent days, I decided to harden the SSL configuration on my JBoss EAP 6.0.1 system as described here:13.2.5. SSL Connector Reference

      cross referenced to here: http://www.coderanch.com/t/613062/JBoss/configuring-SSL-Https-Jboss

       

      The relevant portion of my standalone.xml is included in obfuscated form below:

      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl
        key-alias="**********"
        password="**********"
        certificate-key-file="/var/**********/**********.jks"
        protocol="TLSv1.2"
        cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AE_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"
        />
      </connector>
      
      
      
      

       

      The protocol restriction is working but the cipher-suite attribute has, as far as I can tell, no effect. I have reduced the list down to just two suites but the list returned by JBoss on port 8443 is always the same. I have tested the system against Qualys SSL Labs and the list of cipher suites returned includes numerous weak of ciphers not included in my list.

      Cipher Suites (sorted by strength; the server has no preference)
      TLS_RSA_WITH_RC4_128_MD5 (0x4)   WEAK128
      TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK128
      TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128
      TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 768 bits (p: 96, g: 96, Ys: 96)   FS   INSECURE128
      TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   WEAK128
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 571 bits (eq. 15360 bits RSA)   FS128
      TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112
      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 768 bits (p: 96, g: 96, Ys: 96)   FS   INSECURE112
      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH 571 bits (eq. 15360 bits RSA)   FS112

       

      The TestSSLServer.jar from this website returns the problematic cipher suites in their list as well:

      java -jar TestSSLServer.jar **********.xx 443
      Supported versions: TLSv1.2
      Deflate compression: no
      Supported cipher suites (ORDER IS NOT SIGNIFICANT):
        TLSv1.2
           RSA_WITH_RC4_128_MD5
           RSA_WITH_RC4_128_SHA
           RSA_WITH_3DES_EDE_CBC_SHA
           DHE_RSA_WITH_3DES_EDE_CBC_SHA
           RSA_WITH_AES_128_CBC_SHA
           DHE_RSA_WITH_AES_128_CBC_SHA
           RSA_WITH_AES_128_CBC_SHA256
           DHE_RSA_WITH_AES_128_CBC_SHA256
           TLS_ECDHE_RSA_WITH_RC4_128_SHA
           TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      ----------------------
      Server certificate(s):
        9b6e185c8598aec67949e7b13183fc87637fe86b: CN=**********.xx, OU=PositiveSSL, OU=Domain Control Validated
      ----------------------
      Minimal encryption strength:     strong encryption (96-bit or more)
      Achievable encryption strength:  strong encryption (96-bit or more)
      BEAST status: protected
      CRIME status: protected
      

       

      How can I tell JBoss to stop using these insecure cipher suites?

        • 1. Re: JBoss EAP 6.0.1 cipher-suite configuration not working as expected (at all?)
          turchinc

          also tried adjusting via cli

          /subsystem=web/connector=https/ssl=configuration/:write-attribute(name=cipher-suite, value="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA")
          

          which then shows (as does the standalone.xml):

          [standalone@localhost:9999 /] /subsystem=web/connector=https/ssl=configuration/:read-resource(recursive=true,proxies=false,include-runtime=true,include-defaults=true)
          {
              "outcome" => "success",
              "result" => {
                  "ca-certificate-file" => undefined,
                  "ca-certificate-password" => undefined,
                  "ca-revocation-url" => undefined,
                  "certificate-file" => undefined,
                  "certificate-key-file" => "/var/xxxx/xxxx-xx/xxxx.jks",
                  "cipher-suite" => "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA",
                  "key-alias" => "xxxx",
                  "keystore-type" => undefined,
                  "name" => undefined,
                  "password" => "****",
                  "protocol" => "TLSv1.2",
                  "session-cache-size" => undefined,
                  "session-timeout" => undefined,
                  "truststore-type" => undefined,
                  "verify-client" => "false",
                  "verify-depth" => undefined
              },
              "response-headers" => {"process-state" => "reload-required"}
          }
          

          but nmap insists:

          nmap -p 8443 -A --script ssh-hostkey,ssh2-enum-algos,sshv1,ssl-cert,ssl-date,ssl-enum-ciphers,ssl-google-cert-catalog,ssl-heartbleed,ssl-known-key,sslv2 xxxx.de
          
          Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-31 09:41 W. Europe Daylight Time
          
          Nmap scan report for xxxx.de (x.x.x.x)
          Host is up (0.031s latency).
          
          PORT     STATE SERVICE  VERSION
          8443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
          
          | ssl-cert: Subject: commonName=xxxx.de
          | Issuer: commonName=COMODO RSA Domain Validation Secure Server CA/organizationName=COMODO CA Limited/stateOrProvinceName=Greater Manchester/countryName=GB
          | Public Key type: rsa
          | Public Key bits: 2048
          | Not valid before: 2015-05-27T23:00:00+00:00
          | Not valid after:  2016-05-21T22:59:59+00:00
          | MD5:   7ac1 b1a9 4fd8 c438 0bce 0e82 bb2a 5e06
          |_SHA-1: 9b6e 185c 8598 aec6 7949 e7b1 3183 fc87 637f e86b
          | ssl-enum-ciphers: 
          |   TLSv1.0: No supported ciphers found
          |   TLSv1.2: 
          |     ciphers: 
          |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
          |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
          |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
          |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
          |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
          |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
          |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
          |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
          |       TLS_RSA_WITH_AES_128_CBC_SHA - stron
          |       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
          |       TLS_RSA_WITH_RC4_128_MD5 - strong
          |       TLS_RSA_WITH_RC4_128_SHA - strong
          |     compressors: 
          |       NULL
          |_  least strength: strong
          | ssl-google-cert-catalog: 
          |_  No DB entry
          
          Nmap done: 1 IP address (1 host up) scanned in 55.74 seconds
          
          • 2. Re: JBoss EAP 6.0.1 cipher-suite configuration not working as expected (at all?)
            sikorson

            Hello, Did You managed to solve the problem?