2 Replies Latest reply on Aug 24, 2015 8:18 PM by yinghanliu

    Does WildFly 9.0.1 still have the CVE-2009-3555 renegotiation vulnerability problem?

    yinghanliu

      Hi all

      My native language is not English, so please forgive me...

      I publish my web application on WildFly 9.0.1 and use Acunetix web application security to test its security.

      Acunetix detects that my web application has the renegotiation vulnerability (CVE-2009-3555).

      I searched some web sites and added the options below to standalone.conf, but it still does not work (it still has the vulnerability).

      set "JAVA_OPTS=%JAVA_OPTS% -Dsun.security.ssl.allowUnsafeRenegotiation=false"
      set "JAVA_OPTS=%JAVA_OPTS% -Dsun.security.ssl.allowLegacyHelloMessages=false"

      What could I do now?

       

      standalone.xml SSL setting

      <security-realm name="UndertowRealm">
          <server-identities>
              <ssl>
                  <keystore path="web.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="web" key-password="password"/>
              </ssl>
          </server-identities>
      </security-realm>

      <server name="default-server">
          <http-listener name="default" socket-binding="http"/>
          <https-listener name="https-default" socket-binding="https" security-realm="UndertowRealm" enabled-cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" enabled-protocols="TLSv1, TLSv1.1, TLSv1.2"/>
          <host name="default-host" alias="localhost">
              <location name="/" handler="welcome-content"/>
              <filter-ref name="server-header"/>
              <filter-ref name="x-powered-by-header"/>
          </host>
      </server>
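What a scanner such as Acunetix actually looks at when it reports CVE-2009-3555 is the server's ServerHello: a server that implements RFC 5746 answers a client that signalled support (via the renegotiation_info extension or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite) with an empty renegotiation_info extension, and its absence is what gets flagged. The following parser is an added example written for this thread, not code from the poster, WildFly, Undertow or Acunetix; it parses a ServerHello record and reports whether that extension is present. The two sample records are constructed inline (zeroed random, empty session id, TLS_RSA_WITH_AES_128_CBC_SHA) and are not captures from the poster's server.

```python
import struct

HANDSHAKE = 0x16            # TLS record content type for handshake messages
SERVER_HELLO = 0x02         # handshake message type
RENEGOTIATION_INFO = 0xFF01 # RFC 5746 extension type


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello.

    Returns the negotiated version, the cipher suite and a dict of
    extension type -> raw extension data. Raises ValueError for anything
    that is not a complete, well-formed ServerHello.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("record does not carry a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:   # 2 + 32 + 1 + 2 + 1 minimum
        raise ValueError("truncated ServerHello")

    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                               # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                         # skip session id
    if pos + 3 > len(hello):
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                   # cipher suite (2) + compression (1)

    extensions = {}
    if pos < len(hello):                       # the extensions block is optional
        if pos + 2 > len(hello):
            raise ValueError("truncated extensions length")
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(hello):
            raise ValueError("extensions length does not match ServerHello")
        while pos < end:
            if pos + 4 > end:
                raise ValueError("truncated extension header")
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("truncated extension body")
            extensions[etype] = hello[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def supports_secure_renegotiation(record: bytes) -> bool:
    """True if the ServerHello carries the RFC 5746 renegotiation_info extension.

    On an initial handshake a compliant server sends it with an empty
    renegotiated_connection (a single 0x00 length byte).
    """
    return RENEGOTIATION_INFO in parse_server_hello(record)["extensions"]


def build_server_hello(version: int, cipher_suite: int, extensions) -> bytes:
    """Build a minimal ServerHello record. Constructed test data, not a capture."""
    body = (struct.pack("!H", version) + bytes(32)          # version + zeroed random
            + b"\x00"                                      # empty session id
            + struct.pack("!H", cipher_suite) + b"\x00")   # suite + null compression
    if extensions is not None:
        blob = b"".join(struct.pack("!HH", t, d.__len__()) + d for t, d in extensions)
        body += struct.pack("!H", len(blob)) + blob
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + struct.pack("!H", version)
            + struct.pack("!H", len(handshake)) + handshake)


# Constructed samples: TLS 1.2 with TLS_RSA_WITH_AES_128_CBC_SHA (0x002F) and an
# empty renegotiation_info, versus a TLS 1.0 server that sent no extensions.
RFC5746_HELLO = build_server_hello(0x0303, 0x002F, [(RENEGOTIATION_INFO, b"\x00")])
LEGACY_HELLO = build_server_hello(0x0301, 0x002F, None)

if __name__ == "__main__":
    for name, rec in (("rfc5746", RFC5746_HELLO), ("legacy", LEGACY_HELLO)):
        info = parse_server_hello(rec)
        print(name, hex(info["version"]), hex(info["cipher_suite"]),
              "secure renegotiation:", supports_secure_renegotiation(rec))
```

To apply this to a real listener, feed it the first server record from a packet capture of a handshake whose ClientHello offered the extension or the SCSV; the same fact is what `openssl s_client` summarises as "Secure Renegotiation IS supported" or "IS NOT supported". The JVM properties in the post govern whether the JSSE will accept a renegotiation from a peer, so they change behaviour on a second handshake rather than what the initial ServerHello advertises.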