java - What is the correct JBoss EAP 6.0.1 cipher-suite configuration for mitigation of Logjam / weakdh.org?


Because of the attention Logjam and the website https://weakdh.org/ (Logjam: How Diffie-Hellman Fails in Practice) have received in recent days, I decided to harden the SSL configuration on a JBoss EAP 6.0.1 system as described here:

13.2.5. SSL Connector Reference: https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/6/html/administration_and_configuration_guide/ssl_connector_reference1.html

Cross-referenced here: http://www.coderanch.com/t/613062/jboss/configuring-ssl-https-jboss

The relevant portion of standalone.xml is included in obfuscated form below:

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl
        key-alias="**********"
        password="**********"
        certificate-key-file="/var/**********/**********.jks"
        protocol="TLSv1.2"
        cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AE_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"
      />
    </connector>

The protocol restriction is working, but the cipher-suite attribute has, as far as I can tell, no effect. I have reduced the list down to 2 suites, and the list returned by JBoss on port 8443 is the same. I have tested the system against Qualys SSL Labs, and the list of cipher suites returned includes numerous weak ciphers not included in my list.

    Cipher Suites (sorted by strength; the server has no preference)
    TLS_RSA_WITH_RC4_128_MD5 (0x4)   WEAK   128
    TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK   128
    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   128
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 768 bits (p: 96, g: 96, Ys: 96)   FS   INSECURE   128
    TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   WEAK   128
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 571 bits (eq. 15360 bits RSA)   FS   128
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   112
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16)   DH 768 bits (p: 96, g: 96, Ys: 96)   FS   INSECURE   112
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)   ECDH 571 bits (eq. 15360 bits RSA)   FS   112

Update: I tried adjusting the configuration via the CLI in the hope that it might do something different:

    /subsystem=web/connector=https/ssl=configuration/:write-attribute(name=cipher-suite, value="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA")

which outputs the following (this corresponds to the new standalone.xml):

    [standalone@localhost:9999 /] /subsystem=web/connector=https/ssl=configuration/:read-resource(recursive=true,proxies=false,include-runtime=true,include-defaults=true)
    {
        "outcome" => "success",
        "result" => {
            "ca-certificate-file" => undefined,
            "ca-certificate-password" => undefined,
            "ca-revocation-url" => undefined,
            "certificate-file" => undefined,
            "certificate-key-file" => "/var/xxxx/xxxx-xx/xxxx.jks",
            "cipher-suite" => "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA",
            "key-alias" => "xxxx",
            "keystore-type" => undefined,
            "name" => undefined,
            "password" => "****",
            "protocol" => "TLSv1.2",
            "session-cache-size" => undefined,
            "session-timeout" => undefined,
            "truststore-type" => undefined,
            "verify-client" => "false",
            "verify-depth" => undefined
        },
        "response-headers" => {"process-state" => "reload-required"}
    }

But nmap, using the command:

    nmap -p 8443 -A --script ssh-hostkey,ssh2-enum-algos,sshv1,ssl-cert,ssl-date,ssl-enum-ciphers,ssl-google-cert-catalog,ssl-heartbleed,ssl-known-key,sslv2 xxxx.de

insists that other cipher suites are still active:

    Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-31 09:41 W. Europe Daylight Time

    Nmap scan report for xxxx.de (x.x.x.x)
    Host is up (0.031s latency).

    PORT     STATE SERVICE  VERSION
    8443/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
    | ssl-cert: Subject: commonName=xxxx.de
    | Issuer: commonName=COMODO RSA Domain Validation Secure Server CA/organizationName=COMODO CA Limited/stateOrProvinceName=Greater Manchester/countryName=GB
    | Public Key type: rsa
    | Public Key bits: 2048
    | Not valid before: 2015-05-27T23:00:00+00:00
    | Not valid after:  2016-05-21T22:59:59+00:00
    | MD5:   7ac1 b1a9 4fd8 c438 0bce 0e82 bb2a 5e06
    |_SHA-1: 9b6e 185c 8598 aec6 7949 e7b1 3183 fc87 637f e86b
    | ssl-enum-ciphers:
    |   TLSv1.0: No supported ciphers found
    |   TLSv1.2:
    |     ciphers:
    |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_RSA_WITH_RC4_128_MD5 - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    |     compressors:
    |       NULL
    |_  least strength: strong
    | ssl-google-cert-catalog:
    |_  No DB entry

    Nmap done: 1 IP address (1 host up) scanned in 55.74 seconds

Apparently, there is guidance on this topic here: https://access.redhat.com/solutions/661193 (Disable weak SSL ciphers in EAP 6). Alas, I have no access to that; Red Hat's policy seems to be to put the security of their application server, and the internet in general, behind a paywall. Sigh.

Can anyone confirm this issue and, better yet, offer advice on a resolution? Short of putting it behind a reverse proxy (my plan B), does anyone have a working configuration? Thanks.

Ref: https://developer.jboss.org/message/931697

We are using jboss-6.1.0 and resolved this issue by adding

    SSLHonorCipherOrder="on"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA"

to server.xml, i.e.

    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="8443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/xxxx"
               keystorePass="xxxx" sslProtocol="TLS"
               SSLHonorCipherOrder="on"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA" />

I think the long-term solution is to upgrade to one of the latest JBoss AS versions.
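The question checks its cipher restriction by comparing the configured list with what a scan reports; that comparison can be scripted so it is repeatable after every configuration change. This is an added example, not part of the original posts: the function names, the weak-name markers and the sample scan text (a constructed subset of the nmap lines quoted in the question) are assumptions.

```python
import re

# Name fragments treated as weak (assumption of this example): RC4, MD5 and
# 3DES follow the Qualys markings quoted in the question; DHE is flagged for
# review because the suite name does not reveal the Diffie-Hellman group size.
WEAK_MARKERS = ("_RC4_", "_MD5", "_3DES_", "_DHE_")
SUITE_RE = re.compile(r"^\|\s+((?:TLS|SSL)_[A-Z0-9_]+)", re.M | re.I)

def normalize(name):
    """Upper-case a suite name and map JSSE's legacy SSL_ prefix to TLS_."""
    name = name.strip().upper()
    return "TLS_" + name[4:] if name.startswith("SSL_") else name

def parse_configured(value):
    """Split a connector cipher list attribute into a set of suite names."""
    return {normalize(s) for s in value.split(",") if s.strip()}

def parse_nmap_ciphers(scan_text):
    """Collect suite names from nmap ssl-enum-ciphers output."""
    return {normalize(m) for m in SUITE_RE.findall(scan_text)}

def audit(configured_value, scan_text):
    """Compare what the connector was told to offer with what it offers."""
    configured = parse_configured(configured_value)
    offered = parse_nmap_ciphers(scan_text)
    return {
        "unexpected": sorted(offered - configured),  # served, never configured
        "missing": sorted(configured - offered),     # configured, not served
        "weak": sorted(s for s in offered
                       if any(m in s for m in WEAK_MARKERS)),
        "setting_effective": bool(offered) and offered <= configured,
    }

# Constructed sample: a subset of the scan lines quoted in the question.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.0: No supported ciphers found
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|_  least strength: strong
"""
CONFIGURED = "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

if __name__ == "__main__":
    for key, value in audit(CONFIGURED, SAMPLE_SCAN).items():
        print(f"{key}: {value}")
```

A non-empty `unexpected` list means the connector is offering suites outside the configured list, which is the symptom the question reports.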

