-
1. Re: What is cipher-suite used for in standalone.xml
ehugonnet Jun 16, 2015 3:44 AM (in response to leo.chen)1. A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol.
2. The documentation of EAP might help you there: 4.6. Implement SSL Encryption for the JBoss EAP 6 Web Server
-
2. Re: What is cipher-suite used for in standalone.xml
leo.chen Jun 16, 2015 4:32 AM (in response to ehugonnet)Thanks, ehugonnet, I have read the link but there is not a list for the cipher suites.
Can you advise what kinds of values can be set to cipher-suite?
BTW, what does "weak ciphers" mean? does that mean the default ciphers when the cipher-suite is not configured to ssl web connector in standalone.xml?
-
3. Re: What is cipher-suite used for in standalone.xml
ehugonnet Jun 16, 2015 4:45 AM (in response to leo.chen)The values are defined per your JVM.
weak means that it is considered not sure enough.
Weak ciphers are removed from the default cipher suite.
For o list on Oracle JDK : http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
-
4. Re: What is cipher-suite used for in standalone.xml
leo.chen Jun 16, 2015 4:54 AM (in response to ehugonnet)Thanks, can you explain a little more about the question I asked in the first time?
User is having problems connecting to our server due to the browser declaring our server using a weak SSL cipher.
Can you advise what the problem could be and how to resolve? Currently, our server (jboss) has configured the ciphers as below:
ciphere-suite="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
-
5. Re: What is cipher-suite used for in standalone.xml
sikorson Jul 16, 2015 2:26 AM (in response to leo.chen)Hello, Did You managed to solve the problem?
-
6. Re: What is cipher-suite used for in standalone.xml
ehugonnet Jul 16, 2015 4:01 AM (in response to leo.chen)Take a look at NIST Manuscript Publication Search for NIST recommendations on cipher suites.
-
7. Re: What is cipher-suite used for in standalone.xml
leo.chen Jul 23, 2015 3:14 AM (in response to ehugonnet)Hi ehugonnet,
I have read the link you provided. But I am not sure which ones could be used to fill at cipher-suite attribute in jboss' standalone.xml (ssl element). Can you please advise?
-
8. Re: What is cipher-suite used for in standalone.xml
sikorson Jul 23, 2015 3:47 AM (in response to leo.chen)Here is my working configuration
Just be sure to contain only ciphers listed by running (List ciphers used by JVM - Stash Knowledge Base - Atlassian Documentation)
javac Ciphers.java
java Ciphers
To be able to use the 256 bit AES Ciphers, it is necessary to install the JCE Unlimited Strength Jurisdiction Policy Files, which can be found here.
Java SE - Downloads | Oracle Technology Network | Oracle
<Connector port="8443" address="${jboss.bind.address}"
protocol="HTTP/1.1" maxHttpHeaderSize="8192" maxKeepAliveRequests="100"
maxThreads="250" minSpareThreads="25" maxSpareThreads="100" strategy="ms"
acceptCount="100" connectionTimeout="30000" disableUploadTimeout="true"
emptySessionPath="true" enableLookups="false"
compression="on" noCompressionUserAgents="gozilla, traviata"
SSLEnabled="true" scheme="https" secure="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
keystoreFile="${jboss.server.home.dir}/conf/XXXXXX.jks"
keystorePass="XXXXXX" clientAuth="false" server="XXXXXX"
ciphers="SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS_ECDH_RSA_WITH_RC4_128_SHA"/>
-
9. Re: What is cipher-suite used for in standalone.xml
ehugonnet Jul 23, 2015 4:19 AM (in response to leo.chen)According to the document from NIST :
In order to maximize interoperability, TLS server implementations shall support the
following cipher suites:
• TLS_RSA_WITH_3DES_EDE_CBC_SHA 13
• TLS_RSA_WITH_AES_128_CBC_SHA 14
In addition, TLS server implementations should support the following cipher suites:
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 15
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
When ephemeral keys are used to establish the master secret, each ephemeral key-pair
(i.e., the server ephemeral key-pair and the client ephemeral key-pair) shall have at least
112 bits of security.
TLS version 1.2 adds support for authenticated encryption modes, and support for the
SHA-256 and SHA-384 hash algorithms, which are not supported in prior versions of
TLS. These cipher suites are described in [RFC5288] and [RFC5289]. In addition to
supporting the cipher suites listed above, TLS 1.2 servers shall be configured to support
the following cipher suite:
• TLS_RSA_WITH_AES_128_GCM_SHA256
TLS 1.2 servers should be configured to support the following cipher suites:
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
NIST may define additional mandatory or recommended cipher suites at a later date.
-
10. Re: What is cipher-suite used for in standalone.xml
leo.chen Jul 23, 2015 5:05 AM (in response to sikorson)Hi Slawomir,
I just tried this and used the output list in the standalone.xml but not working (cannot access). I notice your jboss version should be old (4 or 5?). And I am using jdk 1.8.0_45.
-
11. Re: What is cipher-suite used for in standalone.xml
leo.chen Jul 23, 2015 5:07 AM (in response to ehugonnet)Hi ehugonnet,
Thanks for reply. I have tried them but still not working.
-
12. Re: What is cipher-suite used for in standalone.xml
sikorson Jul 23, 2015 5:11 AM (in response to leo.chen)Oh, sorry, it is jboss 6
But i suppose, when you will build your ciphers list according to output of:
javac Ciphers.java
java Ciphers
it should work
-
13. Re: What is cipher-suite used for in standalone.xml
leo.chen Jul 23, 2015 5:15 AM (in response to sikorson)Yes, I used the output of java Ciphers, but I got ssl_error_no_cypher_overlap error when using firefox. Also using IE cannot access.
One note is I see there are * before some of the ciphers from the output. All of them need to be added to the configuration?
-
14. Re: What is cipher-suite used for in standalone.xml
ehugonnet Jul 23, 2015 5:22 AM (in response to leo.chen)Maybe you should use sslscan to check your configuration.
The list is exhaustive, meaning you can't use regexp or whatever, you have to specify all cipher individually.