I'm hoping someone could help with configuring JBoss 4.2.3.GA to disable weak & medium ciphers.
We've scanned JBoss with Nessus and it identified weak & medium ciphers on port 8443.
I was able to remove those scan results by limiting the ciphers. I added the following to the connector in server.xml:
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Re-running the scan, 8443 is now good; unfortunately, it's now detecting the weak ciphers on port 8091.
As best I can tell, I should be updating the uil2-service.xml. That's based on reading a few posts on the boards here such as http://community.jboss.org/thread/42986?tstart=0, as well as a few items that mention adding cipherAlgorithm as an attribute, or others that mention limiting the available suites by adding https.cipherSuites as a JVM option in run.conf.
None of these thus far have been able to help.
Can someone please help point me at the correct configuration option(s)?
Thanks in advance,
The way we decided to move forward was with a proxy to handle the requests.
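An added example, not part of the original posts: one way to check a server.xml ciphers list before re-running a scanner is to parse the https Connector elements and grade each JSSE suite name by key exchange and effective key length. The thresholds, the sample XML (port 9443 included) and the function names are assumptions; the grading is not Nessus's own.

```python
import re
import xml.etree.ElementTree as ET

# Assumed thresholds in effective key bits; set them to your scanner's definitions.
WEAK_BELOW, MEDIUM_BELOW = 56, 112
# Effective key bits per JSSE cipher token (3DES counted as 112).
# Key length only: RC4, 3DES and MD5 are not judged on other grounds here.
BITS = {"NULL": 0, "RC4_40": 40, "RC2_CBC_40": 40, "DES40_CBC": 40, "DES_CBC": 56,
        "3DES_EDE_CBC": 112, "RC4_128": 128, "AES_128_CBC": 128, "AES_256_CBC": 256}

# Constructed sample: one plain connector, one https connector with a mixed
# ciphers list, and one https connector with no ciphers attribute at all.
SAMPLE = """<Server><Service name="jboss.web">
  <Connector port="8080"/>
  <Connector port="8443" scheme="https" secure="true"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
             SSL_RSA_EXPORT_WITH_RC4_40_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA"/>
  <Connector port="9443" scheme="https" secure="true"/>
</Service></Server>"""

def grade(suite):
    """Grade one JSSE suite name as weak, medium, high or unknown."""
    m = re.fullmatch(r"(?:SSL|TLS)_(\w+?)_WITH_(\w+)_(?:MD5|SHA)", suite)
    if not m or m.group(2) not in BITS:
        return "unknown"
    kx, bits = m.group(1), BITS[m.group(2)]
    if "EXPORT" in kx or "anon" in kx or bits < WEAK_BELOW:
        return "weak"  # export or unauthenticated key exchange, or a short key
    return "medium" if bits < MEDIUM_BELOW else "high"

def audit(xml_text):
    """Map each https Connector port to its suites that are not graded high.
    A port maps to None when it has no ciphers list (JVM defaults are used)."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("scheme") != "https":
            continue
        names = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
        flagged = {n: grade(n) for n in names if grade(n) != "high"}
        findings[conn.get("port")] = flagged if names else None
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A port that maps to None has no explicit list, so its suites come from the JVM defaults and still need their own restriction.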