The renegotiation is disabled; it can't be configured.
On my server it is enabled; the security personnel could easily renegotiate, beyond the software: https://www.ssllabs.com/ssltest/analyze.html?d=xxxxxxx.com
Secure Renegotiation: Supported
Secure Client-Initiated Renegotiation: Supported DoS DANGER
Insecure Client-Initiated Renegotiation: No
BEAST attack: Vulnerable INSECURE
Compression: No
RC4: Yes NOT DESIRABLE
Forward Secrecy (Experimental): No NOT DESIRABLE
Next Protocol Negotiation: No
Session resumption: Yes
Session tickets: No
OCSP stapling: No
Strict Transport Security: No
Long handshake intolerance: No
TLS extension intolerance: No
TLS version intolerance: TLS 2.98
SSLv2 handshake compatibility: Yes
I managed to improve the security indicator by limiting the cipher suite and the SSL protocols:
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="ssl" password="********" certificate-key-file="*********" cipher-suite="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5" protocol="TLSv1.1,TLSv1,SSLv3,TLSv1.2" verify-client="false"/>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="false">
    </virtual-server>
</subsystem>
This corrected the BEAST finding:
BEAST attack: Not vulnerable
But the problem below continues:
Secure Client-Initiated Renegotiation: Supported DoS DANGER
According to the code, CVE-2009-3555 was fixed in 2009; you should check with the people doing the ssltest what they are doing to find this in their test.
How to Disable Secure Client-Initiated Renegotiation?
This option can be used for a DoS attack.
I used the following parameters in standalone.conf:
# Security ISSUES
But the server continues to accept renegotiation.
My question is about CVE-2011-1473.
CVE-2011-1473 is OpenSSL, and you use native="false", so I don't know what you are looking for :-(
All the system variables you have been using prevent unsafe renegotiation (CVE-2009-3555), and they are not related to CVE-2011-1473.
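A small audit script, added here as an example and not taken from the thread or from JBoss itself, that reads a web subsystem fragment like the one quoted above and a JAVA_OPTS string like the one set in standalone.conf, and reports the settings the thread turns on: SSLv3 and RC4 in the <ssl> element, plus the JSSE renegotiation system properties. The property names sun.security.ssl.allowUnsafeRenegotiation and jdk.tls.rejectClientInitiatedRenegotiation are Oracle JSSE properties (the latter only from Java 8), not values quoted in the thread, so that they match what the poster put in standalone.conf is an assumption; the XML and JAVA_OPTS values below are constructed samples.

```python
import shlex
import xml.etree.ElementTree as ET

# Namespace of the JBoss AS 7 web subsystem, as in the fragment quoted in the thread.
WEB_NS = "{urn:jboss:domain:web:1.1}"

# Constructed sample modelled on the quoted <subsystem>; the keystore path and
# password are placeholders, not values from the thread.
SAMPLE_SUBSYSTEM = """<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="443"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="ssl" password="PLACEHOLDER" certificate-key-file="/placeholder/keystore.jks"
         cipher-suite="SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5"
         protocol="TLSv1.1,TLSv1,SSLv3,TLSv1.2" verify-client="false"/>
  </connector>
  <virtual-server name="default-host" enable-welcome-root="false"/>
</subsystem>"""

# Constructed sample of a JAVA_OPTS value as set in standalone.conf.
SAMPLE_JAVA_OPTS = "-Xms64m -Xmx512m -Dsun.security.ssl.allowUnsafeRenegotiation=false"

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def tls_stack(xml_text):
    """Return 'jsse' when native="false" (Java's own TLS stack) or 'openssl' when
    the APR/OpenSSL native connector is in use; this decides which advisories apply."""
    root = ET.fromstring(xml_text)
    return "jsse" if root.get("native", "false").lower() == "false" else "openssl"


def audit_web_subsystem(xml_text):
    """Return a list of findings for every <ssl> element of the web subsystem."""
    root = ET.fromstring(xml_text)
    findings = []
    for connector in root.iter(WEB_NS + "connector"):
        name = connector.get("name", "?")
        for ssl in connector.findall(WEB_NS + "ssl"):
            protocols = [p.strip() for p in ssl.get("protocol", "").split(",") if p.strip()]
            weak = sorted(set(protocols) & WEAK_PROTOCOLS)
            if weak:
                findings.append(f"connector {name}: weak protocols enabled: {', '.join(weak)}")
            suites = [s.strip() for s in ssl.get("cipher-suite", "").split(",") if s.strip()]
            rc4 = [s for s in suites if "RC4" in s]
            if suites and len(rc4) == len(suites):
                findings.append(f"connector {name}: only RC4 cipher suites offered")
            elif rc4:
                findings.append(f"connector {name}: RC4 cipher suites offered: {', '.join(rc4)}")
    return findings


def parse_system_properties(java_opts):
    """Collect the -Dkey=value tokens of a JAVA_OPTS string into a dict."""
    props = {}
    for token in shlex.split(java_opts):
        if token.startswith("-D"):
            key, _, value = token[2:].partition("=")
            props[key] = value
    return props


def audit_java_opts(java_opts):
    """Check the JSSE renegotiation properties carried in JAVA_OPTS (assumed names, see lead-in)."""
    props = parse_system_properties(java_opts)
    findings = []
    if props.get("sun.security.ssl.allowUnsafeRenegotiation", "false").lower() == "true":
        findings.append("sun.security.ssl.allowUnsafeRenegotiation=true re-enables the "
                        "CVE-2009-3555 renegotiation weakness")
    if props.get("jdk.tls.rejectClientInitiatedRenegotiation", "false").lower() != "true":
        findings.append("jdk.tls.rejectClientInitiatedRenegotiation is not true: JSSE still "
                        "honours client-initiated renegotiation (property available from Java 8)")
    return findings


if __name__ == "__main__":
    print("TLS stack:", tls_stack(SAMPLE_SUBSYSTEM))
    for finding in audit_web_subsystem(SAMPLE_SUBSYSTEM) + audit_java_opts(SAMPLE_JAVA_OPTS):
        print("-", finding)
```

The JAVA_OPTS check only matters for native="false": with the native APR connector it is OpenSSL, not JSSE, that decides whether renegotiation is honoured, which is the distinction the reply above draws between CVE-2009-3555 and CVE-2011-1473.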
I am facing the same issue when I run a web vulnerability scan. It alerts for an SSL/TLS renegotiation attack, and there is no way to disable this feature in the standalone.xml configuration file of JBoss 7. Is there any other way I can disable the renegotiation capability of the server?
Thank you for the solution. I added a system property in my configuration as you suggested, but the scan still gives me an alert that the system is vulnerable to SSL/TLS renegotiation. I also found out that the version of OpenSSL that I used to generate my keystore is 0.98e. Do you think the version of OpenSSL might be one cause of the vulnerability?
Are you using native="false"?