3 Replies Latest reply on Jan 28, 2013 4:20 AM by Darran Lofthouse

    How to disable weak ciphers in Jboss as 7?

    sarula bao Newbie

      I need to disable weak ciphers in my Jboss 7 SSL.


      I added content like below to my standalone.xml:


      <security-domain name="jboss-web-policy" cache-type="default">
          <authorization>
              <policy-module code="Delegating" flag="required"/>
          </authorization>
          <jsse keystore-password="pemssl" keystore-url="../standalone/configuration/pemserver.keystore" truststore-url="../standalone/configuration/pemserver.keystore" cipher-suites="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA" protocols="SSL"/>
      </security-domain>




      But it is not working.


      Can someone tell me how I should do this?



        • 2. Re: How to disable weak ciphers in Jboss as 7?
          Michael Yakobi Newbie

          After reading that this isn't yet supported in JBoss 7, I did some trial and error and got this to work by specifying "cipher-suite" instead of "cipher-suites" as you wrote above or "ciphers" as documented in http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html.



          <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
              <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
              <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                  <ssl name="ssl" password="changeit" certificate-key-file="${jboss.server.config.dir}/wfa.keystore" cipher-suite="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" protocol="TLSv1" verify-client="false"/>
              </connector>
              <virtual-server name="default-host" enable-welcome-root="true">
                  <alias name="localhost"/>
              </virtual-server>
          </subsystem>





          Note that according to https://issues.jboss.org/browse/AS7-5501 this isn't yet supported - so I don't really understand how come it is working for me

          • 3. Re: How to disable weak ciphers in Jboss as 7?
            Darran Lofthouse Master

            The reason that it is working for you is because you are configuring JBoss Web, which is supported - the Jira issue is in reference to the HTTP server used for management and the admin console, in which case specifying the ciphers is not currently supported.
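The thread above settles two things: the attribute JBoss Web actually reads on `<ssl>` is `cipher-suite` (not `cipher-suites` or `ciphers`), and that setting only governs the web subsystem's connectors, not the management HTTP interface. An audit script is an easy way to catch both mistakes before restart. The script below is an added example written for this page, not code from the JBoss project or from anyone in the thread. It parses a constructed standalone.xml fragment with `xml.etree`, reports `<ssl>` elements that use the ignored attribute names, flags `protocol` values that still allow SSL, and lists enabled suites that are weak by today's standards; the weak-suite markers (RC4, 3DES, NULL, EXPORT, anonymous DH, MD5) are my assumption and go further than the thread, whose 2013 answer still kept 3DES suites enabled.

```python
"""Audit <ssl> cipher settings in a JBoss AS 7 standalone.xml.

Added example for this thread (not JBoss project code). The fragment
below is constructed: the "https" connector mirrors the working answer,
and "https-legacy" reproduces the original poster's mistakes.
"""
import xml.etree.ElementTree as ET

# Assumption: treat these suite-name fragments as weak (RC4, 3DES/Sweet32,
# NULL, export-grade, anonymous DH and MD5-MAC suites).
WEAK_MARKERS = ("RC4", "3DES", "NULL", "EXPORT", "DH_anon", "ECDH_anon", "_MD5")

# Per the thread, only cipher-suite is honoured by JBoss Web; these are ignored.
MISSPELLED = ("cipher-suites", "ciphers")

# Constructed sample, not a real server's configuration.
SAMPLE_STANDALONE_FRAGMENT = """<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="ssl" password="changeit" certificate-key-file="${jboss.server.config.dir}/wfa.keystore"
             cipher-suite="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
             protocol="TLSv1" verify-client="false"/>
    </connector>
    <connector name="https-legacy" protocol="HTTP/1.1" scheme="https" socket-binding="https-legacy" secure="true">
        <ssl name="ssl" password="changeit" certificate-key-file="${jboss.server.config.dir}/wfa.keystore"
             cipher-suites="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA" protocol="SSL"/>
    </connector>
</subsystem>
"""


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def split_suites(value):
    """Split a comma-separated suite list, tolerating spaces around commas."""
    return [s.strip() for s in value.split(",") if s.strip()]


def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)


def drop_weak(value):
    """Return the suite list with weak entries removed, in cipher-suite format."""
    return ",".join(s for s in split_suites(value) if not is_weak(s))


def audit(xml_text):
    """Return a list of (connector name, finding) tuples for the web subsystem."""
    findings = []
    root = ET.fromstring(xml_text)
    for connector in root.iter():
        if local_name(connector.tag) != "connector":
            continue
        name = connector.get("name", "?")
        ssl = next((c for c in connector if local_name(c.tag) == "ssl"), None)
        if ssl is None:
            if connector.get("scheme") == "https":
                findings.append((name, "https connector has no <ssl> element"))
            continue
        # Wrong attribute name: JBoss Web silently ignores it and keeps JVM defaults.
        for attr in MISSPELLED:
            if attr in ssl.attrib:
                findings.append((name, f"attribute '{attr}' is not read by JBoss Web; use 'cipher-suite'"))
        proto = ssl.get("protocol", "")
        if "SSL" in proto:
            findings.append((name, f"protocol '{proto}' permits SSL; use a TLS protocol value"))
        suites = ssl.get("cipher-suite")
        if suites is None:
            findings.append((name, "no cipher-suite attribute; JVM default suites (including weak ones) apply"))
            continue
        for suite in split_suites(suites):
            if is_weak(suite):
                findings.append((name, f"weak suite enabled: {suite}"))
    return findings


if __name__ == "__main__":
    for connector_name, message in audit(SAMPLE_STANDALONE_FRAGMENT):
        print(f"[{connector_name}] {message}")
```

Run it against your real file with `audit(open("standalone.xml").read())`; the root element is irrelevant because the script walks every `connector` element regardless of its namespace. Keep in mind, as Darran points out, that a clean report here says nothing about the management interface, which this setting does not cover.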