0 Replies Latest reply on Mar 26, 2013 7:36 AM by firstsense

    Help needed in disabling weak ciphers for RMI over SSL in JBoss 4.2.3 GA

    firstsense

I have run SSLScan on my JBoss server 4.2.3 GA and observed that a few weak ciphers are enabled. The port on which the scan was run is configured for RMI with SSL using the JRMPInvoker in conf/jboss-service.xml.

       

Configuration Snippet:

   <!-- RMI/JRMP invoker -->
   <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
      name="jboss:service=invoker,type=jrmp">
      <attribute name="RMIObjectPort">4444</attribute>
      <attribute name="ServerAddress">${jboss.bind.address}</attribute>
      <!--
      <attribute name="RMIClientSocketFactory">custom</attribute>
      <attribute name="RMIServerSocketFactory">custom</attribute>
      <attribute name="RMIServerSocketAddr">custom</attribute>
      <attribute name="SecurityDomain">ssl-domain-name</attribute>
      -->
      <depends>jboss:service=TransactionManager</depends>
   </mbean>

   <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
      name="jboss:service=invoker,type=jrmp,socketType=SSL">
      <attribute name="RMIObjectPort">14445</attribute>
      <attribute name="ServerAddress">${jboss.bind.address}</attribute>
      <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
      <attribute name="RMIServerSocketFactory">org.jboss.security.ssl.RMISSLServerSocketFactory</attribute>
      <attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
      <depends>jboss.security:service=JaasSecurityDomain,domain=RMI+SSL</depends>
      <depends>jboss:service=TransactionManager</depends>
   </mbean>


SSLScan output:

Testing SSL server 16.166.49.123 on port 14456

  Supported Server Cipher(s):
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  40 bits   EXP-RC4-MD5
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-DES-CBC-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  40 bits   EXP-RC4-MD5

  Prefered Server Cipher(s):
    SSLv3  128 bits  DHE-RSA-AES128-SHA
    TLSv1  128 bits  DHE-RSA-AES128-SHA


I would like to disable all ciphers with less than 128-bit strength.

I have tried the following:

1. Added a CiperSuites property to the JRMPInvoker mbean:

   <property name="CiperSuites">SSL_RSA_WITH_RC4_128_MD5</property>

2. Moved the JRMPInvoker mbean to deploy/jrmp-invoker-service.xml

Neither of the above worked for me. I still see that all the ciphers are accepted by the server on the specified port.

       

      Any help in configuring the JBoss for RMI with SSL would be highly appreciated.

       

      Thanks in advance.
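Editor's added example, not code from the post or from JBoss: the mechanism that actually decides what a scanner like SSLScan sees is the enabled-suite list on the `SSLServerSocket` the invoker listens on, set through `setEnabledCipherSuites` (and `setEnabledProtocols` for dropping SSLv3). The hypothetical class below is a plain Java RMI server socket factory that applies such a policy. It is stricter than the 128-bit threshold in the post: it keeps only AES and 3DES suites with an authenticated key exchange, so it also drops RC4-SHA and RC4-MD5 as well as every export, single-DES, NULL and anonymous suite. It builds on the JVM default `SSLServerSocketFactory`, so the server certificate is assumed to come from the standard `javax.net.ssl.keyStore` / `javax.net.ssl.keyStorePassword` system properties rather than from the JaasSecurityDomain; the commented-out `RMIServerSocketFactory` attribute in the posted configuration shows that a factory class name can be given there, but how JBoss instantiates it and whether the security domain keystore is still used is not something this example covers.

```java
import java.io.IOException;
import java.io.Serializable;
import java.net.ServerSocket;
import java.rmi.server.RMIServerSocketFactory;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Hypothetical, added example (not JBoss code): an RMIServerSocketFactory that
 * enables only AES and 3DES suites with authenticated key exchange, TLS only.
 * Assumption: the server key/cert comes from the javax.net.ssl.keyStore and
 * javax.net.ssl.keyStorePassword system properties (JVM default SSL context).
 */
public class StrongCipherRMIServerSocketFactory implements RMIServerSocketFactory, Serializable {

    private static final long serialVersionUID = 1L;

    /** Allow-list test on JSSE suite names, e.g. TLS_DHE_RSA_WITH_AES_128_CBC_SHA. */
    static boolean isStrong(String suite) {
        // Reject export-grade, anonymous (unauthenticated) DH/ECDH and NULL-cipher suites outright.
        if (suite.contains("_EXPORT") || suite.contains("_anon_") || suite.contains("_NULL_")) {
            return false;
        }
        // Keep AES (128/256) and 3DES; everything else (single DES, RC4, ...) is dropped.
        return suite.contains("_AES_") || suite.contains("_3DES_EDE_");
    }

    /** Filters a supported-suite list down to the strong ones, preserving JSSE order. */
    static String[] strongSuites(String[] supported) {
        List<String> kept = new ArrayList<String>();
        for (String suite : supported) {
            if (isStrong(suite)) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    /** Drops SSLv3 and the SSLv2Hello pseudo-protocol, keeping the TLS versions. */
    static String[] tlsOnly(String[] enabled) {
        List<String> kept = new ArrayList<String>();
        for (String proto : enabled) {
            if (proto.startsWith("TLS")) {
                kept.add(proto);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    public ServerSocket createServerSocket(int port) throws IOException {
        SSLServerSocketFactory base = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket socket = (SSLServerSocket) base.createServerSocket(port);
        // The enabled list is what a scanner negotiates against; the supported list is untouched.
        socket.setEnabledCipherSuites(strongSuites(socket.getSupportedCipherSuites()));
        socket.setEnabledProtocols(tlsOnly(socket.getEnabledProtocols()));
        return socket;
    }

    // RMI compares server socket factories when several objects are exported on one port.
    @Override
    public boolean equals(Object other) {
        return other != null && other.getClass() == getClass();
    }

    @Override
    public int hashCode() {
        return getClass().hashCode();
    }

    /** Stand-alone check: prints the suites this factory would enable on the current JVM. */
    public static void main(String[] args) {
        SSLServerSocketFactory base = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        for (String suite : strongSuites(base.getSupportedCipherSuites())) {
            System.out.println(suite);
        }
    }
}
```

Running `main` on the target JVM shows the effective allow-list before anything is deployed; once the factory is in use, re-running SSLScan against the listener should report only the AES and 3DES suites over TLSv1 and nothing under SSLv3. Whatever hook JBoss ends up using, the check is the same: confirm that the `SSLServerSocket` actually created for the invoker port reports the restricted list from `getEnabledCipherSuites()`, since a policy applied to a factory the invoker does not use changes nothing, which matches the symptom in the post.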