-
1. Re: JBoss eap 6.4 how to enable sslv2/3
pjhavariotis Jan 13, 2016 6:28 AM (in response to tihomir91)
Due to the POODLE vulnerability, Red Hat recommends that SSLv3 be disabled. For more info on this, please check the following:
POODLE: SSLv3 vulnerability (CVE-2014-3566) - Red Hat Customer Portal
In JBoss EAP 6.4, SSLv3 is disabled by default for the web subsystem.
However, you can enable it explicitly by adding "SSLv3" to the protocol list in the SSL connectors defined in the web subsystem.
-
2. Re: JBoss eap 6.4 how to enable sslv2/3
tihomir91 Jan 13, 2016 7:02 AM (in response to pjhavariotis)
Dear Panagiotis,
Thank you for your reply! Yes, you are correct, but according to the Java 6 specification the SSLv2Hello protocol should be supported by servers which support Java 6. Anyway, I tried to add "SSLv3" to the protocol list, but the server is unable to start. Can you please help me with how to follow your suggestion? This is the part of my standalone-full.xml where my connectors and acceptors are defined:
<subsystem xmlns="urn:jboss:domain:messaging:1.4">
    <hornetq-server>
        <persistence-enabled>true</persistence-enabled>
        <security-enabled>false</security-enabled>
        <cluster-user>JBossUser</cluster-user>
        <cluster-password>imsadm12</cluster-password>
        <journal-type>NIO</journal-type>
        <journal-min-files>2</journal-min-files>
        <connectors>
            <netty-connector name="netty" socket-binding="messaging">
                <param key="ssl-enabled" value="true"/>
                <param key="key-store-path" value="C:\JBOSS_EAP\Sec\truststore.ks"/>
                <param key="key-store-password" value="imsadm12"/>
            </netty-connector>
            <netty-connector name="netty-throughput" socket-binding="messaging-throughput">
                <param key="batch-delay" value="50"/>
                <param key="ssl-enabled" value="true"/>
                <param key="key-store-path" value="C:\JBOSS_EAP\Sec\truststore.ks"/>
                <param key="key-store-password" value="imsadm12"/>
            </netty-connector>
            <in-vm-connector name="in-vm" server-id="0"/>
        </connectors>
        <acceptors>
            <netty-acceptor name="netty" socket-binding="messaging">
                <param key="ssl-enabled" value="true"/>
                <param key="key-store-path" value="C:\JBOSS_EAP\Sec\truststore.ks"/>
                <param key="key-store-password" value="imsadm12"/>
            </netty-acceptor>
            <netty-acceptor name="netty-throughput" socket-binding="messaging-throughput">
                <param key="key-store-path" value="C:\JBOSS_EAP\Sec\truststore.ks"/>
                <param key="key-store-password" value="imsadm12"/>
                <param key="batch-delay" value="50"/>
                <param key="ssl-enabled" value="true"/>
                <param key="direct-deliver" value="false"/>
            </netty-acceptor>
            <in-vm-acceptor name="in-vm" server-id="0"/>
        </acceptors>
        <security-settings>
            <security-setting match="#">
                <permission type="send" roles="guest"/>
                <permission type="consume" roles="guest"/>
                <permission type="createNonDurableQueue" roles="guest"/>
                <permission type="deleteNonDurableQueue" roles="guest"/>
            </security-setting>
        </security-settings>
        <address-settings>
            <address-setting match="#">
                <dead-letter-address>jms.queue.DLQ</dead-letter-address>
                <expiry-address>jms.queue.ExpiryQueue</expiry-address>
                <redelivery-delay>0</redelivery-delay>
                <max-size-bytes>10485760</max-size-bytes>
                <page-size-bytes>2097152</page-size-bytes>
                <address-full-policy>PAGE</address-full-policy>
                <message-counter-history-day-limit>10</message-counter-history-day-limit>
            </address-setting>
        </address-settings>
        <jms-connection-factories>
            <connection-factory name="InVmConnectionFactory">
                <connectors>
                    <connector-ref connector-name="in-vm"/>
                </connectors>
                <entries>
                    <entry name="java:/ConnectionFactory"/>
                </entries>
            </connection-factory>
            <connection-factory name="RemoteConnectionFactory">
                <connectors>
                    <connector-ref connector-name="netty"/>
                </connectors>
                <entries>
                    <entry name="java:jboss/exported/jms/RemoteConnectionFactory"/>
                </entries>
            </connection-factory>
            <pooled-connection-factory name="hornetq-ra">
                <transaction mode="xa"/>
                <connectors>
                    <connector-ref connector-name="in-vm"/>
                </connectors>
                <entries>
                    <entry name="java:/JmsXA"/>
                </entries>
            </pooled-connection-factory>
        </jms-connection-factories>
        <jms-destinations>
            <jms-queue name="ExpiryQueue">
                <entry name="java:/jms/queue/ExpiryQueue"/>
            </jms-queue>
            <jms-queue name="DLQ">
                <entry name="java:/jms/queue/DLQ"/>
            </jms-queue>
            <jms-queue name="TestQueue">
                <entry name="java:jboss/exported/TestQueue"/>
                <durable>true</durable>
            </jms-queue>
        </jms-destinations>
    </hornetq-server>
</subsystem>
Where should I import the SSLv3 protocol to be accepted by the server?
Thank you for your time!
Tihomir
-
3. Re: JBoss eap 6.4 how to enable sslv2/3
pjhavariotis Jan 13, 2016 7:47 AM (in response to tihomir91)
My initial reply was about the WEB subsystem.
Regarding HornetQ communications (Netty), as far as I know, from EAP 6 update 3, SSLv3 will not be allowed.
In the following link (section 18.2.3) you can see how you can configure Netty SSL.
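From the defender's side, the useful check is the opposite of the question: finding configurations where SSLv3 has been re-enabled. The following is an added example, not code from this thread or from Red Hat, that parses an EAP 6 standalone.xml and reports web-subsystem <ssl> elements whose protocol list (the list reply 1 refers to) contains SSLv2, SSLv2Hello or SSLv3, and messaging netty connectors/acceptors that enable SSL with a clear-text key-store-password as in the configuration posted in reply 2. The web-subsystem part of the sample (namespace urn:jboss:domain:web:2.2, the ssl element's protocol attribute and the keystore values) is a constructed excerpt assumed for illustration.

```python
import xml.etree.ElementTree as ET

# Protocol names that must never appear in a web-subsystem <ssl protocol="..."> list.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}

# Constructed standalone.xml excerpt: one HTTPS connector with SSLv3 re-enabled and
# one HornetQ netty connector modelled on the configuration posted in the thread.
SAMPLE_XML = """<profile>
  <subsystem xmlns="urn:jboss:domain:web:2.2">
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl name="https" key-alias="server" password="changeit"
           certificate-key-file="keystore.jks" protocol="TLSv1,TLSv1.1,TLSv1.2,SSLv3"/>
    </connector>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:messaging:1.4">
    <hornetq-server>
      <connectors>
        <netty-connector name="netty" socket-binding="messaging">
          <param key="ssl-enabled" value="true"/>
          <param key="key-store-path" value="truststore.ks"/>
          <param key="key-store-password" value="imsadm12"/>
        </netty-connector>
      </connectors>
    </hornetq-server>
  </subsystem>
</profile>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.split("}", 1)[-1]


def audit_jboss_ssl(xml_text):
    """Return a list of findings (strings) for an EAP 6 standalone.xml document."""
    findings = []
    for el in ET.fromstring(xml_text).iter():  # document order
        name = _local(el.tag)
        if name == "ssl":
            # Web subsystem: comma-separated protocol list, default "TLS" when absent.
            protos = {p.strip() for p in el.get("protocol", "TLS").split(",")}
            weak = sorted(protos & WEAK_PROTOCOLS)
            if weak:
                findings.append("web ssl %r allows %s" % (el.get("name"), ",".join(weak)))
        elif name in ("netty-connector", "netty-acceptor"):
            # Messaging subsystem: SSL settings are <param key=... value=.../> children.
            params = {p.get("key"): p.get("value") for p in el if _local(p.tag) == "param"}
            if params.get("ssl-enabled") == "true" and "key-store-password" in params:
                findings.append("%s %r stores key-store-password in clear text" % (name, el.get("name")))
    return findings


if __name__ == "__main__":
    for finding in audit_jboss_ssl(SAMPLE_XML):
        print(finding)
```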