JBoss EAP 6.0.1 cipher-suite configuration not working as expected (at all?)
turchinc May 28, 2015 2:28 PMBecause of the attention that logjam and Logjam: How Diffie-Hellman Fails in Practice has received in recent days, I decided to harden the SSL configuration on my JBoss EAP 6.0.1 system as described here:13.2.5. SSL Connector Reference
cross referenced to here: http://www.coderanch.com/t/613062/JBoss/configuring-SSL-Https-Jboss
The relevant portion of my standalone.xml is included in obfuscated form below:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> <ssl key-alias="**********" password="**********" certificate-key-file="/var/**********/**********.jks" protocol="TLSv1.2" cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AE_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA" /> </connector>
The protocol restriction is working but the cipher-suite attribute has, as far as I can tell, no effect. I have reduced the list down to just two suites but the list returned by JBoss on port 8443 is always the same. I have tested the system against Qualys SSL Labs and the list of cipher suites returned includes numerous weak of ciphers not included in my list.
Cipher Suites (sorted by strength; the server has no preference) | ||
TLS_RSA_WITH_RC4_128_MD5 (0x4 ) WEAK | 128 | |
TLS_RSA_WITH_RC4_128_SHA (0x5 ) WEAK | 128 | |
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f ) | 128 | |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33 ) DH 768 bits (p: 96, g: 96, Ys: 96) FS INSECURE | 128 | |
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011 ) WEAK | 128 | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013 ) ECDH 571 bits (eq. 15360 bits RSA) FS | 128 | |
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa ) | 112 | |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16 ) DH 768 bits (p: 96, g: 96, Ys: 96) FS INSECURE | 112 | |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012 ) ECDH 571 bits (eq. 15360 bits RSA) FS | 112 |
The TestSSLServer.jar from this website returns the problematic cipher suites in their list as well:
java -jar TestSSLServer.jar **********.xx 443 Supported versions: TLSv1.2 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): TLSv1.2 RSA_WITH_RC4_128_MD5 RSA_WITH_RC4_128_SHA RSA_WITH_3DES_EDE_CBC_SHA DHE_RSA_WITH_3DES_EDE_CBC_SHA RSA_WITH_AES_128_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_128_CBC_SHA256 DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ---------------------- Server certificate(s): 9b6e185c8598aec67949e7b13183fc87637fe86b: CN=**********.xx, OU=PositiveSSL, OU=Domain Control Validated ---------------------- Minimal encryption strength: strong encryption (96-bit or more) Achievable encryption strength: strong encryption (96-bit or more) BEAST status: protected CRIME status: protected
How can I tell JBoss to stop using these insecure cipher suites?