1 Reply Latest reply on Jan 25, 2018 2:53 AM by paramjindal

    JBoss SSLHonorCipherOrder Unexpected Attribute

    pawan.it17

      Hello Everyone,

       

           We have recently moved to HTTPS and we are using Jboss 7.1.0 AS. We have the following standalone.xml configuration at our end.

       

      <subsystem xmlns="urn:jboss:domain:web:1.1" native="false" default-virtual-server="default-host">

                  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>

                  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true"  >

      <ssl name="ssl" key-alias="tcedev" password="tcedev" certificate-key-file="C:\Programs\Siemens\certificates\.keystore" cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS,DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" protocol="TLSv2" verify-client="false"  />

                  </connector>

                  <virtual-server name="default-host" enable-welcome-root="false">

                      <alias name="localhost"/>

                      <alias name="example.com"/>

                      <rewrite pattern="^/$" substitution="/tc/webclient" flags="R=301,L"/>

                  </virtual-server>

              </subsystem>

       

      With this change, I see that the SSL cipher that gets picked up is not the one at the starting of the list of ciphers via the cipher-suite attribute. I googled and after some discussion with other colleagues, found out that this is a list which the server can serve. But what cipher is actually gets picked up is not something in the control of the server. Also, this attribute SSLHonorCipherOrder="On" has also popped up. Apparently having this attribute in the standalone.xml would make the client use the first one in the server available list, which the client can work with too.

       

      But after this change ( as follows ) is failing with Message: JBAS014788: Unexpected attribute 'SSLHonorCipherOrder' encountered.

       

                  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" enable-lookups="false" secure="true">

      <ssl name="ssl" key-alias="tcedev" password="tcedev" certificate-key-file="C:\Programs\Siemens\certificates\.keystore" cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS,DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" protocol="TLSv2" verify-client="false" SSLHonorCipherOrder="On" />

                  </connector>

       

      I tried putting the SSLHonorCipherOrder="On" on the connector XML element as well. But still the same issue.

       

      I am really stuck here. Any inputs can be of a lot of help to us. This is a related question of mine which has no answers either: java - JBoss Cipher Suite Change Not Reflecting - Stack Overflow

       

      Thanks,

      Pavan.