
JBoss EAP 6.0.1 cipher-suite configuration not working as expected (at all?)

Question asked by nicole wells on Feb 20, 2018

Hello All,

 

Because of the attention that logjam and "Logjam: How Diffie-Hellman Fails in Practice" have received in recent days, I decided to harden the SSL configuration on my JBoss EAP 6.0.1 system as described here: 13.2.5. SSL Connector Reference

cross referenced to here: http://www.coderanch.com/t/613062/JBoss/configuring-SSL-Https-Jboss

 

The relevant portion of my standalone.xml is included in obfuscated form below:

 

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">  
  <ssl 
  key-alias="**********" 
  password="**********" 
  certificate-key-file="/var/**********/**********.jks" 
  protocol="TLSv1.2" 
  cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AE_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA" 
  /> 
</connector>

 

 

The protocol restriction is working but the cipher-suite attribute has, as far as I can tell, no effect. I have reduced the list down to just two suites but the list returned by jboss administration certification on port 8443 is always the same. I have tested the system against Qualys SSL Labs and the list of cipher suites returned includes numerous weak ciphers not included in my list.

 

The TestSSLServer.jar from this website returns the problematic cipher suites in their list as well:

 

java -jar TestSSLServer.jar **********.xx 443  
Supported versions: TLSv1.2 
Deflate compression: no 
Supported cipher suites (ORDER IS NOT SIGNIFICANT): 
  TLSv1.2 
     RSA_WITH_RC4_128_MD5 
     RSA_WITH_RC4_128_SHA 
     RSA_WITH_3DES_EDE_CBC_SHA 
     DHE_RSA_WITH_3DES_EDE_CBC_SHA 
     RSA_WITH_AES_128_CBC_SHA 
     DHE_RSA_WITH_AES_128_CBC_SHA 
     RSA_WITH_AES_128_CBC_SHA256 
     DHE_RSA_WITH_AES_128_CBC_SHA256 
     TLS_ECDHE_RSA_WITH_RC4_128_SHA 
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
---------------------- 
Server certificate(s): 
  9b6e185c8598aec67949e7b13183fc87637fe86b: CN=**********.xx, OU=PositiveSSL, OU=Domain Control Validated 
---------------------- 
Minimal encryption strength:     strong encryption (96-bit or more) 
Achievable encryption strength:  strong encryption (96-bit or more) 
BEAST status: protected 
CRIME status: protected 

 

 

How can I tell JBoss to stop using these insecure cipher suites?

 

Help me on this!

 

Thanks!
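
A way to compare a connector's cipher-suite attribute with what a scan reports, as an added example that is not part of the original post: it lists suites the server offers but the configuration does not name, configured names the scan never reports, and configured names that do not follow the standard `TLS_<key exchange>_WITH_<cipher and mode>_<hash>` pattern. The sample inputs are constructed and shortened from the post, and the name pattern is an assumed shape check, not a lookup against the full list of suite names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs, shortened from the connector and scan quoted in the post.
CONNECTOR_XML = """<connector name="https" scheme="https" secure="true">
  <ssl protocol="TLSv1.2" cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AE_256_SHA384,TLS_DHE_RSA_WITH_AES_128_SHA"/>
</connector>"""
SCAN_OUTPUT = """Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.2
     RSA_WITH_RC4_128_MD5
     DHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
----------------------"""

# Assumed name shape: TLS_<key exchange>_WITH_<cipher and mode>_<hash>.
NAME_SHAPE = re.compile(
    r"TLS_(ECDHE_(RSA|ECDSA)|DHE_(RSA|DSS)|RSA)_WITH_"
    r"(AES_(128|256)_(CBC|GCM)|3DES_EDE_CBC|RC4_128)_(SHA|SHA256|SHA384|MD5)")

def configured_suites(connector_xml):
    """Names listed in the <ssl cipher-suite="..."> attribute."""
    value = ET.fromstring(connector_xml).find("ssl").get("cipher-suite", "")
    return [s.strip() for s in value.split(",") if s.strip()]

def offered_suites(scan_text):
    """Names in the scanner's 'Supported cipher suites' block."""
    names, in_block = [], False
    for line in scan_text.splitlines():
        if line.startswith("Supported cipher suites"):
            in_block = True
        elif line.startswith("---"):
            in_block = False
        elif in_block and "_WITH_" in line:
            name = line.strip()
            # Some names are printed without the TLS_ prefix; normalise them.
            names.append(name if name.startswith("TLS_") else "TLS_" + name)
    return names

def audit(connector_xml, scan_text):
    configured, offered = configured_suites(connector_xml), offered_suites(scan_text)
    return {
        "offered_but_not_configured": [s for s in offered if s not in configured],
        "configured_but_not_offered": [s for s in configured if s not in offered],
        "configured_bad_shape": [s for s in configured if not NAME_SHAPE.fullmatch(s)],
    }

if __name__ == "__main__":
    print(audit(CONNECTOR_XML, SCAN_OUTPUT))
```
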
