
As non-experts on web server administration and security, we are struggling to update our JBoss 5.1.0 GA web server configuration to meet Diffie-Hellman standards. JBoss was installed for us as part of the middle tier in a larger platform. We have seen documentation for other servers here, a solution for another version of JBoss here, and something that worked for the same version of JBoss for the poster but has not worked for us here. The connector tag in our original server.xml file has sslProtocol = "TLS" and there is no ciphers attribute at all.

We have tried changing the sslProtocol = "TLS" setting to the plural sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" instead and restarting JBoss, but this appears to have no effect. Does anyone know of useful free resources out there to make JBoss 5.1.0 GA meet Diffie-Hellman standards? Thank you.

user2072931
  • https://access.redhat.com/solutions/1463083 – Michael Hampton Sep 10 '15 at 18:00
  • Thank you, @Michael Hampton. We tried adding the list of ciphers to the connector tag in server.xml, but the suggested fix is still not working for us (assuming, as non-experts, we managed to implement it correctly). Are there any other free resources out there that we might be able to use? Any other common reasons why that attempted fix would not work? Thanks again. – user2072931 Sep 14 '15 at 13:06
  • For reference, our Java environment on this server is: java version "1.6.0_39", Java(TM) SE Runtime Environment (build 1.6.0_39-b04), and Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode). We have installed (correctly, we think as non-experts) the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6. – user2072931 Sep 14 '15 at 16:36

2 Answers


For anyone else who has run into this with JBoss 5.1.0 GA, the settings that ended up working for us were similar to this:

<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8543" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="/opt/novell/idm/jre/bin/mycert.keystore" keystorePass="mypassword"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

user2072931
  • You disabled traditional Diffie-Hellman ciphersuites completely (but kept Elliptic Curve Diffie-Hellman). That may well be the least-bad option but it does mean you may lose forward secrecy with some older clients. – Peter Green Jan 28 '16 at 10:19

You can actually also increase the DHE size (1024 & 2048 in Java 8 and up to 9192 in Java 9). And you can provide custom-made DH parameters in Java 8+, as described here: https://serverfault.com/a/798036/4591

eckes
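The two answers (and Peter Green's comment) together describe what to look at in the connector: the attribute name has to be one the connector actually reads (sslEnabledProtocols, not sslProtocols), the cipher list decides whether forward secrecy is available, RC4 and SSL_* suites are leftovers, and if any DHE suite stays enabled the JVM's ephemeral DH key size (jdk.tls.ephemeralDHKeySize in Java 8+) decides how strong it is. The script below is an added example, not the poster's configuration or anything from the JBoss project: it parses a server.xml, classifies each suite by its key-exchange token, flags near-miss attribute names with difflib, and works out the effective DH size from a JAVA_OPTS string. The sample server.xml and JAVA_OPTS are constructed, the KNOWN_ATTRS set is a deliberately partial list, and the Java 8 defaults assumed by ephemeral_dh_bits (1024 bits when unset, 768 for "legacy") are taken from the JSSE reference guide, not from this thread.

```python
"""Audit the HTTPS <Connector> of a JBoss 5.1 / Tomcat-style server.xml for
the issues raised in this thread: attribute names the connector ignores
(sslProtocols vs sslEnabledProtocols), SSLv3 left in the protocol list,
cipher suites without forward secrecy, RC4 / legacy SSL_* suites, and the
JVM's ephemeral DH key size when DHE suites can still be negotiated.
Example code added to the thread; not the poster's configuration.
The sample server.xml and JAVA_OPTS below are constructed."""
import difflib
import re
import xml.etree.ElementTree as ET

# Attributes a JBoss Web / Tomcat 6 HTTPS connector understands (partial
# list, an assumption of this example; enough to catch the question's typo).
KNOWN_ATTRS = {
    "protocol", "SSLEnabled", "port", "address", "scheme", "secure",
    "clientAuth", "keystoreFile", "keystorePass", "keystoreType", "keyAlias",
    "truststoreFile", "truststorePass", "sslProtocol", "sslEnabledProtocols",
    "ciphers", "maxThreads", "connectionTimeout",
}
FORWARD_SECRET_KX = {"ECDHE", "DHE"}

# Constructed sample modelled on the first answer, with one DHE suite added
# so the DH key-size check has something to report on.
SAMPLE_SERVER_XML = """<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8543"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="/path/to/mycert.keystore" keystorePass="changeit"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                      TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                      TLS_RSA_WITH_AES_256_CBC_SHA,
                      SSL_RSA_WITH_RC4_128_SHA" />
</Service></Server>"""
SAMPLE_JAVA_OPTS = "-Xmx1024m -Djdk.tls.ephemeralDHKeySize=2048"


def split_list(value):
    """Tomcat splits ciphers/protocol attributes on commas, ignoring whitespace."""
    return [v.strip() for v in value.split(",") if v.strip()]


def classify_cipher(name):
    """Return (key_exchange, [weaknesses]) for a JSSE cipher-suite name.
    JSSE names read TLS_<kx>_WITH_<cipher>_<mac>; the token after the prefix
    is the key exchange (ECDHE/DHE give forward secrecy, static RSA does not)."""
    kx = name.split("_")[1]
    weak = []
    if name.startswith("SSL_"):
        weak.append("legacy SSL_ name")
    if "_RC4_" in name:
        weak.append("RC4")
    if "DES_" in name:  # matches both _DES_ and _3DES_
        weak.append("DES/3DES")
    if name.endswith("_MD5"):
        weak.append("MD5 MAC")
    if "_NULL_" in name or "_anon_" in name:
        weak.append("no encryption or no authentication")
    return kx, weak


def ephemeral_dh_bits(java_opts):
    """Effective DHE key size for a Java 8 JVM given its command line.
    Assumed defaults (JSSE guide): property absent -> 1024 bits,
    'legacy' -> 768, 'matched' -> follows the certificate key size."""
    m = re.search(r"-Djdk\.tls\.ephemeralDHKeySize=(\S+)", java_opts)
    if not m:
        return 1024
    value = m.group(1)
    if value == "legacy":
        return 768
    if value == "matched":
        return None  # depends on the server certificate, not knowable here
    return int(value)


def audit_connector(server_xml, java_opts=""):
    """Return protocols, suites, key exchanges in use and a list of findings."""
    root = ET.fromstring(server_xml)
    conn = next(c for c in root.iter("Connector") if c.get("SSLEnabled") == "true")
    findings = []

    # 1. attribute names the connector silently ignores (the question's problem)
    for attr in conn.attrib:
        if attr not in KNOWN_ATTRS:
            guess = difflib.get_close_matches(attr, KNOWN_ATTRS, n=1, cutoff=0.8)
            hint = f" (did you mean {guess[0]}?)" if guess else ""
            findings.append(f"unknown attribute {attr}{hint}")

    # 2. protocol list: anything SSLv* should not be there
    protocols = split_list(conn.get("sslEnabledProtocols", ""))
    findings += [f"{p} enabled" for p in protocols if p.startswith("SSLv")]

    # 3. cipher suites: forward secrecy and known-weak primitives
    ciphers = split_list(conn.get("ciphers", ""))
    if not ciphers:
        findings.append("no ciphers attribute: JVM default suite list in use")
    kx_seen = set()
    for name in ciphers:
        kx, weak = classify_cipher(name)
        kx_seen.add(kx)
        if kx not in FORWARD_SECRET_KX:
            findings.append(f"{name}: no forward secrecy ({kx} key exchange)")
        findings += [f"{name}: {w}" for w in weak]

    # 4. DHE key size only matters if a DHE suite can actually be negotiated
    dh_bits = ephemeral_dh_bits(java_opts) if "DHE" in kx_seen else None
    if dh_bits is not None and dh_bits < 2048:
        findings.append(f"DHE suites enabled with {dh_bits}-bit ephemeral DH")

    return {"protocols": protocols, "ciphers": ciphers,
            "key_exchanges": sorted(kx_seen), "dh_bits": dh_bits,
            "findings": findings}


if __name__ == "__main__":
    for line in audit_connector(SAMPLE_SERVER_XML, SAMPLE_JAVA_OPTS)["findings"]:
        print(line)
```

Run against the first answer's real connector (with a JAVA_OPTS of "" for a Java 6 JVM) it reports the static-RSA and RC4 suites and no DH finding at all, which is exactly the trade-off Peter Green describes: nothing DHE-related can be negotiated, so the DH size is moot, at the cost of forward secrecy for clients without ECDHE. Leaving a DHE suite in and raising jdk.tls.ephemeralDHKeySize, as the second answer suggests, is the alternative the fourth check is there to validate.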