2 Replies Latest reply on Oct 19, 2011 5:39 AM by rabbaa.gabriel

    I need help configuring jboss to disable the weak ciphers

    qbeach

I am unfamiliar with jboss. We are using it as the web server for a software package that we bought. The vendor uses it straight out of the box and does not support it. We have just gone through a security audit and I need to find out how to shut down the weak ciphers on our SSL. We are running on a Windows platform and using jboss 5.01GA. Below are the results of the audit and what ciphers they want disabled. We have been able to do this on our IIS servers but I need to find out how to do this for jboss. Is there an .xml file that I can edit or some kind of interface where I can configure this?

Thanks,

Quentin

      Here is the output of the different types of SSL certs accepted by the machine.  I stand corrected, it looks like SSLv2.0 has been stopped, however it is the accepted hash method that we need to fix.  Anything designated by "**" indicates a weak hash that should be disabled.


   SSLv3:RC4-MD5 - ENABLED - STRONG 128 bits
   SSLv3:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
** SSLv3:EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 56 bits **
   SSLv3:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits
   SSLv3:DES-CBC3-SHA - ENABLED - STRONG 168 bits
   SSLv3:RC4-SHA - ENABLED - STRONG 128 bits
** SSLv3:EXP-EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** SSLv3:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv3:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
   SSLv3:AES128-SHA - ENABLED - STRONG 128 bits

   TLSv1:RC4-MD5 - ENABLED - STRONG 128 bits
   TLSv1:EDH-RSA-DES-CBC3-SHA - ENABLED - STRONG 168 bits
** TLSv1:EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 56 bits **
   TLSv1:DHE-RSA-AES128-SHA - ENABLED - STRONG 128 bits
   TLSv1:DES-CBC3-SHA - ENABLED - STRONG 168 bits
   TLSv1:RC4-SHA - ENABLED - STRONG 128 bits
** TLSv1:EXP-EDH-RSA-DES-CBC-SHA - ENABLED - WEAK 40 bits **
** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits **
** TLSv1:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** TLSv1:EXP-DES-CBC-SHA - ENABLED - WEAK 40 bits **
   TLSv1:AES128-SHA - ENABLED - STRONG 128 bits
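As an added example (editor's illustration, not code from the original post or from the JBoss project), this is the kind of change the question is asking about. It assumes JBoss AS 5.x with the JBoss Web (Tomcat 6 based) HTTPS connector defined in server/default/deploy/jbossweb.sar/server.xml, where the connector's `ciphers` attribute is an allow-list of JSSE suite names; the keystore path and password are placeholders.

```xml
<!-- BEFORE (assumed out-of-the-box state): no "ciphers" attribute, so the
     connector offers the JVM's whole default list, which is where the
     40-bit EXP-* and 56-bit single-DES suites flagged "**" in the audit
     come from. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="CHANGEME-placeholder"
           sslProtocol="TLS" />

<!-- AFTER: an explicit allow-list. JSSE uses different names than the
     OpenSSL-style names in the audit output; the suites the audit rated
     STRONG map as follows:
       DHE-RSA-AES128-SHA   -> TLS_DHE_RSA_WITH_AES_128_CBC_SHA
       AES128-SHA           -> TLS_RSA_WITH_AES_128_CBC_SHA
       EDH-RSA-DES-CBC3-SHA -> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
       DES-CBC3-SHA         -> SSL_RSA_WITH_3DES_EDE_CBC_SHA
       RC4-SHA              -> SSL_RSA_WITH_RC4_128_SHA
       RC4-MD5              -> SSL_RSA_WITH_RC4_128_MD5
     Everything not listed (EXP-*, DES-CBC-SHA, EDH-RSA-DES-CBC-SHA) is no
     longer offered. The RC4 suites are left out here even though this
     audit rated them STRONG; add them only if a client requires them. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="CHANGEME-placeholder"
           sslProtocol="TLS"
           ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
```

After restarting JBoss, re-run the same audit scan against port 8443 to confirm only the listed suites remain ENABLED.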