3 Replies Latest reply on Apr 20, 2017 11:20 AM by andey

    JBoss eap 5.0 disable SSL2/3

    skylah

      Hello

       

      I am using JBoss EAP 5.0 with JDK 1.6.

      I can't upgrade at all right now. Is it possible to disable SSL2 and 3?

      I have already done the server.xml configuration setting, but it doesn't work.

      What can I do?

       

      Please help.

        • 1. Re: JBoss eap 5.0 disable SSL2/3
          andey

          You can disable SSL and use only TLSv1.1 or TLSv1.2.

           

          JBoss Web in EAP 4/5 and JBoss 4.x/5.x products

           

          Note: the following mitigation instructions are only applicable if you are using the JSSE connectors for HTTPS configuration. Refer to the Tomcat APR section if you are using native connectors.

           

          For EAP 4/5 and JBoss 4/5.x products based on EAP 4/5, SSLv2 and SSLv3 can be disabled by configuring the https connectors to have the sslProtocols attribute set to "TLSv1,TLSv1.1,TLSv1.2" in the configuration located within $JBOSS_HOME/jboss-as/server/$JBOSS_PROFILE/deploy/jbossweb.sar/server.xml. For example:

           

          ~~~
                <Connector protocol="HTTP/1.1" SSLEnabled="true"
                     port="8443" address="${jboss.bind.address}"
                     scheme="https" secure="true" clientAuth="false"
                     keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"
                     keystorePass="rmi+ssl"
                     sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />
          ~~~

           

          The sslProtocols attribute specifies the versions of the SSL protocol to use. If not specified, the default is "TLS". Note TLSv1.2 is only available when using JDK 7 and higher.

           

          For more information see: JBoss Web Configuration Reference - The HTTP Connector

          • 2. Re: JBoss eap 5.0 disable SSL2/3
            skylah

            Thank you for your reply.

            But I have already done it, and the security report says that my website has SSLv2 and v3 enabled.

            Could you tell me how to check the sslProtocols setting?

            • 3. Re: JBoss eap 5.0 disable SSL2/3
              andey

              When using Tomcat with the JSSE connectors, the SSL protocol to be used can be configured via $TOMCAT_HOME/conf/server.xml. The following example shows how the sslProtocol in an https connector is configured.

              Tomcat 5 and 6 (prior to 6.0.38)

              ~~~
              <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />
              ~~~

               

              Tomcat 6 (6.0.38 and later) and 7

              ~~~

              <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="false" sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

              ~~~

               

              If the sslEnabledProtocols or sslProtocols attributes are specified, only protocols that are listed and supported by the SSL implementation will be enabled. If not specified, the JVM default is used.

               

              Tomcat APR

              When using Tomcat with the APR/Native connectors, the SSL protocol to be used can be configured in $TOMCAT_HOME/conf/server.xml. The following example shows how the SSLProtocol in an https connector is configured.

              ~~~

              <Connector port="443" maxHttpHeaderSize="8192"
                maxThreads="150"
                enableLookups="false" disableUploadTimeout="true"
                acceptCount="100" scheme="https" secure="true"
                SSLEnabled="true"
                SSLProtocol="TLSv1"
                SSLCertificateFile="${catalina.base}/conf/localhost.crt"
                SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />

              ~~~

               

              Configuration parameters are described in the Apache Tomcat 7 Configuration Reference (7.0.77) - The HTTP Connector. The default is for the SSLProtocol attribute to be set to ALL, with other acceptable values being SSLv2, SSLv3, TLSv1 and SSLv2+SSLv3.
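
One way to check the setting asked about in reply 2, as an added example that is not part of the original thread: a Python script that walks every HTTPS connector in a server.xml and reports whether any of the three protocol attributes shown above is set and whether its value enables SSLv2, SSLv3 or ALL. The sample XML, its port numbers and the function name `audit_connectors` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names as they appear in the connector examples in this thread.
PROTOCOL_ATTRS = ("sslProtocols", "sslEnabledProtocols", "SSLProtocol")
WEAK = {"SSLv2", "SSLv3", "ALL"}  # ALL is the APR default and includes SSL

# Constructed sample server.xml for illustration (not a real deployment).
SAMPLE = """<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}" />
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
             scheme="https" secure="true"
             sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true" />
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             SSLProtocol="SSLv2+SSLv3" />
</Service></Server>"""


def audit_connectors(xml_text):
    """Return {port: [findings]} for each HTTPS connector; [] means clean."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        is_https = (conn.get("SSLEnabled", "").lower() == "true"
                    or conn.get("scheme") == "https")
        if not is_https:
            continue  # plain HTTP or AJP connector, nothing to check
        findings = []
        present = [a for a in PROTOCOL_ATTRS if conn.get(a) is not None]
        if not present:
            findings.append("no protocol attribute set, connector default applies")
        for attr in present:
            # JSSE values are comma separated, APR values are joined with '+'.
            tokens = {t.strip() for t in conn.get(attr).replace("+", ",").split(",")}
            for weak in sorted(tokens & WEAK):
                findings.append(f"{attr} enables {weak}")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

To audit a real installation, pass the contents of the running profile's server.xml to `audit_connectors()` in place of `SAMPLE`.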