3 Replies Latest reply on Apr 27, 2010 10:03 PM by Ron Sigal

    Disable Weak Ciphers for PCI-DSS

    Sunil Babu Newbie

      We have to disable the weak ciphers in Jboss-4.2.3.GA (ejb3 application) for pci compliance. Can someone help me with the configuration or point me to a document that explain how to disable ciphers.

      Following is current connector

      <mbean code="org.jboss.remoting.transport.Connector"
       name="jboss.remoting:type=Connector,transport=socket3843,handler=ejb3">
       <depends>jboss.aop:service=AspectDeployer</depends>
       <attribute name="Configuration">
      
       <config>
      
       <invoker transport="sslsocket">
       <attribute name="serverSocketFactory">
       jboss.remoting:service=ServerSocketFactory,type=SSL
       </attribute>
       <attribute name="serverBindAddress">${jboss.bind.address}</attribute>
       <attribute name="serverBindPort">3843</attribute>
       <attribute name="timeout">120000</attribute>
       </invoker>
      
       <handlers>
       <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
       </handlers>
      
       </config>
       </attribute>
       </mbean>



      I also tried with org.jboss.security.ssl.DomainServerSocketFactory and CipherSuites but it did not disable any ciphers.
      <mbean code="org.jboss.remoting.transport.Connector"
       name="jboss.remoting:type=Connector,transport=socket3843,handler=ejb3">
       <depends>jboss.aop:service=AspectDeployer</depends>
       <attribute name="Configuration">
      
       <config>
      
       <invoker transport="sslsocket">
       <attribute name="serverSocketFactoryBean"
       attributeClass="org.jboss.security.ssl.DomainServerSocketFactory"
       serialDataType="javaBean">
       <property name="CipherSuites">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</property>
       </attribute>
      
       <attribute name="serverBindAddress">${jboss.bind.address}</attribute>
       <attribute name="serverBindPort">3843</attribute>
       <attribute name="timeout">120000</attribute>
       </invoker>
      
       <handlers>
       <handler subsystem="AOP">org.jboss.aspects.remoting.AOPRemotingInvocationHandler</handler>
       </handlers>
      
       </config>
       </attribute>
       <!--property name="ciphers">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</property-->
       </mbean>


        • 1. Re: Disable Weak Ciphers for PCI-DSS
          Ron Sigal Master

          Here are a couple of places to look:

          * "JavaTM Secure Socket Extension (JSSE) Reference Guide" at http://www.j2ee.me/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html

          * javax.net.ssl.SSLServerSocket javadoc at http://www.j2ee.me/j2se/1.4.2/docs/api/javax/net/ssl/SSLServerSocket.html

          Hope that helps.

          • 2. Re: Disable Weak Ciphers for PCI-DSS
            Sunil Babu Newbie

            I spent lot of time trying to figure this out and hope this help someone.

             

            -Jboss-4.2.3.GA uses Remoting 2.2.2.SP8 and there is no configuration option or property to disable weak ciphers in this version.

            -This feature is added in Remoting 2.4.0.Beta2 https://jira.jboss.org/jira/browse/JBREM-703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel.

             

            So My Options are

            1. Update the Remoting.jar to to 2.4.x  version but I did not find any document to do this( I was also worried about it's impact on my swing clients and webservice).

             

            2. Hack the Remoting 2.2.2.SP8 code and disable the weak ciphers.

             

            Required files: jboss-remoting.jar, jboss-common.jar, jboss-common.jar, SSLSocketServerInvoker.java
            

             

            Modify 2.2.2-SP8/src/main/org/jboss/remoting/transport/sslsocket/SSLSocketServerInvoker.java file and add strong ciphers

               protected ServerSocket createServerSocket(int serverBindPort, int backlog, InetAddress bindAddress) throws IOException
               {
                  ServerSocket ss = getServerSocketFactory().createServerSocket(serverBindPort, backlog, bindAddress);
                    if (ss instanceof SSLServerSocket) {
                            SSLServerSocket sss = (SSLServerSocket) ss;
                            String[] enabledCipherSuits = {"SSL_RSA_WITH_RC4_128_MD5","SSL_RSA_WITH_RC4_128_SHA","SSL_RSA_WITH_3DES_EDE_CBC_SHA","SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA","SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA"};
                            sss.setEnabledCipherSuites(enabledCipherSuits);
                    }
             
                  return ss;
               }
            

             

            Compile the file

            javac -cp jboss-remoting.jar:jboss-common.jar:log4j.jar SSLSocketServerInvoker.java

             

            Update Jar with new file

            jar uf jboss-remoting.jar org/jboss/remoting/transport/sslsocket/SSLSocketServerInvoker.class

             

            3. Update my server to Jboss-5x and use "enabledCipherSuites" property (I am working on this now ).

            • 3. Re: Disable Weak Ciphers for PCI-DSS
              Ron Sigal Master

              Hi Sunil

               

               

              1. Update the Remoting.jar to to 2.4.x  version but I did not find any document to do this( I was also worried about it's impact on my swing clients and webservice).

               

              Updating is just a matter of replacing jboss-remoting.jar.  In the context of the Application Server (4.2.x), you want to replace it in $JBOSS_HOME/server/$CONFIG/lib and $JBOSS_HOME/client.  Note, also, that client/jbossall-client.jar contains the Remoting files, so you would want to put jboss-remoting.jar in front of jbossall-client.jar on the classpath.

               

              In principle, it should be possible to just drop in a new jboss-remoting.jar.  I've heard of people using Remoting 2.4/2.5 with AS 4.2.x, and I'm not aware of any problems.  No warranty, of course.

               

              There's another alternative, though.  You can configure Remoting to use a custom ServerSocketFactory, so you could write a ServerSocketFactory which sets the enabledCipherSuites property before returning the ServerSocket.  See Section 5.7.3. "Server side configuration in the JBoss Application Server" in the Remoting Guide: http://docs.jboss.org/jbossremoting/2.2.3.SP2/html/

               

              -Ron