3 Replies Latest reply on Jan 13, 2016 7:47 AM by pjhavariotis

    JBoss eap 6.4 how to enable sslv2/3

    tihomir91

      Hello Colleagues,


      I am using JBoss EAP 6.4, and my standalone JMS client is sending an SSLv2 hello message, which is rejected by the server. I am able to run the client with a higher Java version, but it is a requirement for me to use Java 6. Java 6 sends an SSLv2 hello message when the SSL handshake is started. My question is: how can I enable SSLv2/3 on the server, or how can I "force" Java 6 to send a TLS hello message like Java 7 does, for example?


      Thank you,

      Tihomir
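An added example, not part of the original thread, that shows what the server is actually rejecting: a small Python classifier that tells an SSLv2-framed hello (what a Java 6 client sends by default, while still offering TLS 1.0 as its highest version) from a TLS-framed one, so a capture can confirm that the problem is the framing rather than a need for SSL 3.0 on the server. The sample bytes are constructed for this example and follow the SSLv2 CLIENT-HELLO and TLS ClientHello layouts.

```python
# Added example: classify a captured ClientHello by its on-the-wire framing.
# Sample bytes below are constructed, not taken from a real capture.
import struct

VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_client_hello(data):
    """Return (framing, max_version, cipher_count) for the first record in data."""
    if len(data) < 7:
        raise ValueError("too short to be a hello")
    if data[0] & 0x80:
        # SSLv2 framing: 2-byte header with the high bit set and a 15-bit record
        # length, then MSG-CLIENT-HELLO (0x01), client max version, three lengths.
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != 0x01 or len(data) < 2 + rec_len:
            raise ValueError("SSLv2 record is not a complete CLIENT-HELLO")
        version = VERSION_NAMES.get((data[3], data[4]), "unknown")
        spec_len, = struct.unpack(">H", data[5:7])   # cipher specs: 3 bytes each
        return ("SSLv2Hello", version, spec_len // 3)
    if data[0] == 0x16 and len(data) > 46 and data[5] == 0x01:
        # TLS framing: content type 0x16 (handshake), record version, 2-byte length,
        # handshake type 0x01 with 3-byte length, then the ClientHello body:
        # client max version, 32 random bytes, session id, cipher suites.
        version = VERSION_NAMES.get((data[9], data[10]), "unknown")
        off = 44 + data[43]                           # skip the session id
        suites_len, = struct.unpack(">H", data[off:off + 2])
        return ("TLS", version, suites_len // 2)      # suites: 2 bytes each
    raise ValueError("not a recognised ClientHello")


# Constructed SSLv2-framed hello: max version 3.1 (TLS 1.0), two cipher specs,
# no session id, 16-byte challenge. This is the shape a default Java 6 client sends.
SSLV2_HELLO = (bytes([0x80, 0x1F, 0x01, 0x03, 0x01, 0x00, 0x06, 0x00, 0x00, 0x00, 0x10])
               + bytes.fromhex("000004 00000a") + b"\x11" * 16)

# Constructed TLS-framed hello: record version 3.1, ClientHello version 3.3,
# 32-byte random, empty session id, two suites, null compression, no extensions.
TLS_HELLO = (bytes.fromhex("16 03 01 00 31 01 00 00 2d 03 03") + b"\x22" * 32
             + bytes.fromhex("00 0004 c02f c030 01 00 0000"))

if __name__ == "__main__":
    for name, hello in (("java6-style", SSLV2_HELLO), ("tls-style", TLS_HELLO)):
        print(name, classify_client_hello(hello))
```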

        • 1. Re: JBoss eap 6.4 how to enable sslv2/3
          pjhavariotis

          Due to the POODLE vulnerability, Red Hat recommends that SSLv3 be disabled. For more info on this, please check the following:

          POODLE: SSLv3 vulnerability (CVE-2014-3566) - Red Hat Customer Portal

          In JBoss EAP 6.4, SSLv3 is disabled by default for the web subsystem.

          However, you can enable it explicitly by adding "SSLv3" to the protocol list in the SSL connectors defined in the web subsystem.

          • 2. Re: JBoss eap 6.4 how to enable sslv2/3
            tihomir91

            Dear Panagiotis,


            Thank you for your reply! Yes, you are correct, but according to the Java 6 specification the SSLv2Hello protocol should be supported by servers which support Java 6. Anyway, I tried to add "SSLv3" to the protocol list, but the server is unable to start. Can you please help me with how to follow your suggestion? This is the part of my standalone-full.xml where my connectors and acceptors are defined:


            <subsystem xmlns="urn:jboss:domain:messaging:1.4">
                <hornetq-server>
                    <persistence-enabled>true</persistence-enabled>
                    <security-enabled>false</security-enabled>
                    <cluster-user>JBossUser</cluster-user>
                    <cluster-password>imsadm12</cluster-password>
                    <journal-type>NIO</journal-type>
                    <journal-min-files>2</journal-min-files>

                    <connectors>
                        <netty-connector name="netty" socket-binding="messaging">
                            <param key="ssl-enabled" value="true"/>
                            <param key="key-store-path" value="C:\JBOSS_EAP\Sec\truststore.ks"/>
                            <param key="key-store-password" value="imsadm12"/>
                        </netty-connector>
                        <netty-connector name="netty-throughput" socket-binding="messaging-throughput">
                            <param key="batch-delay" value="50"/>
                            <param key="ssl-enabled" value="true"/>
                            <param key="key-store-path" value="C:\JBOSS_EAP\Sec\truststore.ks"/>
                            <param key="key-store-password" value="imsadm12"/>
                        </netty-connector>
                        <in-vm-connector name="in-vm" server-id="0"/>
                    </connectors>

                    <acceptors>
                        <netty-acceptor name="netty" socket-binding="messaging">
                            <param key="ssl-enabled" value="true"/>
                            <param key="key-store-path" value="C:\JBOSS_EAP\Sec\truststore.ks"/>
                            <param key="key-store-password" value="imsadm12"/>
                        </netty-acceptor>
                        <netty-acceptor name="netty-throughput" socket-binding="messaging-throughput">
                            <param key="key-store-path" value="C:\JBOSS_EAP\Sec\truststore.ks"/>
                            <param key="key-store-password" value="imsadm12"/>
                            <param key="batch-delay" value="50"/>
                            <param key="ssl-enabled" value="true"/>
                            <param key="direct-deliver" value="false"/>
                        </netty-acceptor>
                        <in-vm-acceptor name="in-vm" server-id="0"/>
                    </acceptors>

                    <security-settings>
                        <security-setting match="#">
                            <permission type="send" roles="guest"/>
                            <permission type="consume" roles="guest"/>
                            <permission type="createNonDurableQueue" roles="guest"/>
                            <permission type="deleteNonDurableQueue" roles="guest"/>
                        </security-setting>
                    </security-settings>

                    <address-settings>
                        <address-setting match="#">
                            <dead-letter-address>jms.queue.DLQ</dead-letter-address>
                            <expiry-address>jms.queue.ExpiryQueue</expiry-address>
                            <redelivery-delay>0</redelivery-delay>
                            <max-size-bytes>10485760</max-size-bytes>
                            <page-size-bytes>2097152</page-size-bytes>
                            <address-full-policy>PAGE</address-full-policy>
                            <message-counter-history-day-limit>10</message-counter-history-day-limit>
                        </address-setting>
                    </address-settings>

                    <jms-connection-factories>
                        <connection-factory name="InVmConnectionFactory">
                            <connectors>
                                <connector-ref connector-name="in-vm"/>
                            </connectors>
                            <entries>
                                <entry name="java:/ConnectionFactory"/>
                            </entries>
                        </connection-factory>
                        <connection-factory name="RemoteConnectionFactory">
                            <connectors>
                                <connector-ref connector-name="netty"/>
                            </connectors>
                            <entries>
                                <entry name="java:jboss/exported/jms/RemoteConnectionFactory"/>
                            </entries>
                        </connection-factory>
                        <pooled-connection-factory name="hornetq-ra">
                            <transaction mode="xa"/>
                            <connectors>
                                <connector-ref connector-name="in-vm"/>
                            </connectors>
                            <entries>
                                <entry name="java:/JmsXA"/>
                            </entries>
                        </pooled-connection-factory>
                    </jms-connection-factories>

                    <jms-destinations>
                        <jms-queue name="ExpiryQueue">
                            <entry name="java:/jms/queue/ExpiryQueue"/>
                        </jms-queue>
                        <jms-queue name="DLQ">
                            <entry name="java:/jms/queue/DLQ"/>
                        </jms-queue>
                        <jms-queue name="TestQueue">
                            <entry name="java:jboss/exported/TestQueue"/>
                            <durable>true</durable>
                        </jms-queue>
                    </jms-destinations>
                </hornetq-server>
            </subsystem>


            Where should I add the SSLv3 protocol so that it is accepted by the server?


            Thank you for your time!

            Tihomir

            • 3. Re: JBoss eap 6.4 how to enable sslv2/3
              pjhavariotis

              My initial reply was about the web subsystem.

              Regarding HornetQ communications (Netty), as far as I know, from EAP 6 update 3 onward SSLv3 will not be allowed.

              In the following link (section 18.2.3) you can see how to configure Netty SSL.

              18.2. Configuration of Transports