Help needed in disabling weak ciphers for RMI over SSL in JBoss 4.2.3 GA
firstsense Mar 26, 2013 7:36 AMI have ran SSLScan on my Jboss server 4.2.3 GA and observed that few weak ciphers are enabled. The port on which the scan was ran is configured for RMI with SSL using the JRMPInvoker in conf/jboss-service.xml.
Configuration Snippet:
<!-- RMI/JRMP invoker -->
<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
name="jboss:service=invoker,type=jrmp">
<attribute name="RMIObjectPort">4444</attribute>
<attribute name="ServerAddress">${jboss.bind.address}</attribute>
<!--
<attribute name="RMIClientSocketFactory">custom</attribute>
<attribute name="RMIServerSocketFactory">custom</attribute>
<attribute name="RMIServerSocketAddr">custom</attribute>
<attribute name="SecurityDomain">ssl-domain-name</attribute>
-->
<depends>jboss:service=TransactionManager</depends>
</mbean>
<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
name="jboss:service=invoker,type=jrmp,socketType=SSL">
<attribute name="RMIObjectPort">14445</attribute>
<attribute name="ServerAddress">${jboss.bind.address}</attribute>
<attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
<attribute name="RMIServerSocketFactory">org.jboss.security.ssl.RMISSLServerSocketFactory</attribute>
<attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
<depends>jboss.security:service=JaasSecurityDomain,domain=RMI+SSL</depends>
<depends>jboss:service=TransactionManager</depends>
</mbean>
SSLScan output:
Testing SSL server 16.166.49.123 on port 14456
Supported Server Cipher(s):
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Accepted SSLv3 40 bits EXP-DES-CBC-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted SSLv3 40 bits EXP-RC4-MD5
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Accepted TLSv1 40 bits EXP-DES-CBC-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Accepted TLSv1 40 bits EXP-RC4-MD5
Prefered Server Cipher(s):
SSLv3 128 bits DHE-RSA-AES128-SHA
TLSv1 128 bits DHE-RSA-AES128-SHA
I would like to disable all those ciphers which are less than 128 bits strength.
I have tried the following
1. Added CiperSuites property in JRMPInvoker mbean
<property name="CiperSuites">SSL_RSA_WITH_RC4_128_MD5</property>
2. Moved the JRMPInvoker mbean to deploy/jrmp-invoker-service.xml
None of the above worked for me. I still see that all the ciphers are accepted by the server on the specified port.
Any help in configuring the JBoss for RMI with SSL would be highly appreciated.
Thanks in advance.