0 Replies Latest reply on Sep 6, 2012 11:41 AM by Tony Tony

    Protect my app from BEAST attack

    Tony Tony Newbie

      The use of SSLv3.0/TLSv1.0 in combination with certain encryption techniques (CBC block ciphers) may allow for an attacker to predict the so-called Initialization Vector of subsequent SSL packets. Using this information the attacker can access the secure session of another user. This attack, named BEAST (Browser Exploit Against SSL/TLS), is aimed at the user’s browser and not at the web server. Nevertheless, it is possible to take countermeasures at the server side as well to prevent a successful attack.

      The complete solution to this problem is disabling or deprioritizing the support for vulnerable encryption ciphers (CBC block ciphers) when using SSLv3.0/TLSv1.0. Commonly, this can be achieved by prioritizing RC4 ciphers in the cipher negotiation process.

      For Apache web servers that support SSLv3.0/TLSv1.0 this can be configured by adding the following configuration:

      SSLProtocol All SSlv2
      SSLHonorCipherOrder On
      SSLCipherSuite RC4-SHA:HIGH:!ADH

      For Apache web servers that support SSLv3.1/TLSv1.1 and higher, it is recommended to use the following configuration:

      SSLProtocol All SSlv2
      SSLHonorCipherOrder On 
      SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM

      As far as I know, JBoss 7 is based on a version of Apache that supports SSLv3.1/TLSv1.1 (maybe I am wrong), so the second alternative can be applied to JBoss 7.

      My question is: Where/How should I configure it?