3 Replies Latest reply on Apr 20, 2017 11:20 AM by Anup Dey

    JBoss eap 5.0 disable SSL2/3

    skylah lee Newbie

      Hello

       

      I am using JBoss eap 5.0 and using jdk 1.6

      I can't upgrade of all now. Is it possible disable to SSL2 and 3 ?

      already  server.xml configuration setting done. but it doesn't work.

      how can I do?

       

      plz help

        • 1. Re: JBoss eap 5.0 disable SSL2/3
          Anup Dey Apprentice

          you can disabling SSL and using only TLSv1.1 or TLSv1.2

           

          JBoss Web in EAP 4/5 and JBoss 4.x/5.x products

           

          Note: the following mitigation instructions are only applicable if you are using the JSSE connectors for HTTPS configuration. Refer to the Tomcat APR section if you are using native connectors.

           

          For EAP 4/5 and JBoss 4/5.x products based on EAP 4/5, SSLv2 and SSLv3 can be disabled by configuring the https connectors to have the sslProtocols attribute set to "TLSv1,TLSv1.1,TLSv1.2" in the configuration located within $JBOSS_HOME/jboss-as/server/$JBOSS_PROFILE/deploy

          /jbossweb.sar/server.xml. For example:

           

          ~~~

                <Connector protocol="HTTP/1.1" SSLEnabled="true"

                     port="8443" address="${jboss.bind.address}"

                     scheme="https" secure="true" clientAuth="false"

                     keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"

                     keystorePass="rmi+ssl"

                     sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

          ~~~

           

          The sslProtocols attribute specifies the versions of the SSL protocol to use. If not specified, the default is "TLS". Note TLSv1.2 is only available when using JDK 7 and higher.

           

          For more information see : JBoss Web Configuration Reference - The HTTP Connector

          • 2. Re: JBoss eap 5.0 disable SSL2/3
            skylah lee Newbie

            thank you for your reply.

            But I already does it. and security report saying that My website enable to SSLv2 and v3.

            Could you tell me how checking the sslProtocols setting?

            • 3. Re: JBoss eap 5.0 disable SSL2/3
              Anup Dey Apprentice

              When using Tomcat with the JSSE connectors, the SSL protocol to be used can be configured via $TOMCAT_HOME/conf/server.xml. The following example shows how the sslProtocol in an https connector is configured.

              Tomcat 5 and 6 (prior to 6.0.38)

              ~~~

              <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"

                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="false" sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

              ~~~

               

              Tomcat 6 (6.0.38 and later) and 7

              ~~~

              <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="false" sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2" />

              ~~~

               

              If the sslEnabledProtocols or sslProtocols attributes are specified, only protocols that are listed and supported by the SSL implementation will be enabled. If not specified, the JVM default is used.

               

              Tomcat APR

              When using Tomcat with the APR/Native connectors, the SSL protocol to be used can be configured in $TOMCAT_HOME/conf/server.xml. The following example shows how the SSLProtocol in an https connector is configured.

              ~~~

              <Connector port="443" maxHttpHeaderSize="8192"
                maxThreads="150"
                enableLookups="false" disableUploadTimeout="true"
                acceptCount="100" scheme="https" secure="true"
                SSLEnabled="true"
                SSLProtocol="TLSv1"
                SSLCertificateFile="${catalina.base}/conf/localhost.crt"
                SSLCertificateKeyFile="${catalina.base}/conf/localhost.key" />

              ~~~

               

              Configuration parameters are Apache Tomcat 7 Configuration Reference (7.0.77) - The HTTP Connector . The default is for the SSLProtocol attribute to be set to ALL, with other acceptable values being SSLv2, SSLv3, TLSv1 and SSLv2+SSLv3.