1 Reply Latest reply on Feb 5, 2011 12:36 AM by Rob Banfield

    Configure JBoss 4.2.3.GA to remove weak & medium ciphers

    Rob Banfield Newbie

      Hi,

       

      I hoping someone could help related to configuring JBoss 4.2.3.GA to disable weak & medium ciphers.

       

      We've scanned JBoss with Nessus and it identified weak & medium ciphers on port 8443.

       

      I was able to remove those scan results by limiting the ciphers. I added the following to the connector in server.xml

       

      ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

       

      Re-running the scan, 8443 is now good, unfortunately it's now detecting the weak ciphers on port 8091.

       

      From best I can tell, I should be updating the uil2-service.xml. That's based on reading a few posts on the boards here such as http://community.jboss.org/thread/42986?tstart=0, as well as a few items that mention adding cipherAlgorithm as an attribute, or others that mention limiting the available suites by adding https.cipherSuites as a JVM option in run.conf.

       

      None of these thus far have been able to help.

       

      Can someone please help point me at the correct configuration option(s).

       

      Thanks in advance,

      -Rob