3 Replies Latest reply on Jan 28, 2013 4:20 AM by Darran Lofthouse

    How to disable weak ciphers in Jboss as 7?

    sarula bao Newbie

      I need to disable weak ciphers in my Jboss 7 SSL.

       

      I add content like below in my standalone.xml :

       

      - <security-domain name="jboss-web-policy" cache-type="default">

      - <authorization>

      <policy-module code="Delegating" flag="required" />

      </authorization>

      <jsse keystore-password="pemssl" keystore-url="../standalone/configuration/pemserver.keystore" truststore-url="../standalone/configuration/pemserver.keystore" cipher-suites="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA" protocols="SSL" />

      </security-domain>

       

       

      But it is not working.

       

      Can someone tell me how should I do?

       

      Thanks

        • 2. Re: How to disable weak ciphers in Jboss as 7?
          Michael Yakobi Newbie

          After reading that this ins't yet supported in JBoss 7, I did some trail and error and got this to work by specifying "cipher-suite" instead of "cipher-suites" as you wrote above or "ciphers" as documented in http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html.

           

          {code:xml}

          <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">

              <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

              <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">

              <ssl name="ssl" password="changeit" certificate-key-file="${jboss.server.config.dir}/wfa.keystore" cipher-suite="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" protocol="TLSv1" verify-client="false"/>

              </connector>

              <virtual-server name="default-host" enable-welcome-root="true">

              <alias name="localhost"/>

              </virtual-server>

          </subsystem>                                                                                       

          {code}

           

          Note that accordig to https://issues.jboss.org/browse/AS7-5501 this isn't yet supported - so I don't really understand how come it is working for me

          • 3. Re: How to disable weak ciphers in Jboss as 7?
            Darran Lofthouse Master

            The reason that it is working for you is because you are configuring JBoss Web which is supported - the Jira issue is in reference to the HTTP server used for management and the admin console in which case specifying the cipers is not not currently supported.