1 2 Previous Next 16 Replies Latest reply on Jul 23, 2015 8:21 AM by leo.chen

    What is cipher-suite used for in standalone.xml

    leo.chen

      I am using JBoss version 6.4. In standalone.xml, the ssl is configured with cipher-suite as below (by default, cipher-suite is not configured.)

       

      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
          <ssl password="password" certificate-key-file="${jboss.server.config.dir}/test.keystore" cipher-suite=
      "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
      TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
          />
      </connector>
      
      

       

      My question is

      1. What cipher-suite is used for?

      2. What kinds of code can be put here? Because we have clients having problems connecting to our server due to the browser declaring our server using a weak SSL cipher. Probably we need to update the list of SSL ciphers to the latest “safe” list. Any idea what that might be?


      Thanks for helping.

        • 1. Re: What is cipher-suite used for in standalone.xml
          ehugonnet

          1. A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol.

          2. The documentation of EAP might help you there: 4.6. Implement SSL Encryption for the JBoss EAP 6 Web Server

          • 2. Re: What is cipher-suite used for in standalone.xml
            leo.chen

            Thanks, ehugonnet, I have read the link but there is not a list for the cipher suites.

             

            Can you advise what kinds of values can be set to cipher-suite?

             

            BTW, what does "weak ciphers" mean? does that mean the default ciphers when the cipher-suite is not configured to ssl web connector in standalone.xml?

            • 3. Re: What is cipher-suite used for in standalone.xml
              ehugonnet

              The values are defined per your JVM.

              weak means that it is considered  not sure enough.

              Weak ciphers are removed from the default cipher suite.

              For o list on Oracle JDK : http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

              • 4. Re: What is cipher-suite used for in standalone.xml
                leo.chen

                Thanks, can you explain a little more about the question I asked in the first time?

                User is having problems connecting to our server due to the browser declaring our server using a weak SSL cipher.

                 

                Can you advise what the problem could be and how to resolve? Currently, our server (jboss) has configured the ciphers as below:


                ciphere-suite="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

                • 5. Re: What is cipher-suite used for in standalone.xml
                  sikorson

                  Hello, Did You managed to solve the problem?

                  • 6. Re: What is cipher-suite used for in standalone.xml
                    ehugonnet

                    Take a look at NIST Manuscript Publication Search for NIST recommendations on cipher suites.

                    • 7. Re: What is cipher-suite used for in standalone.xml
                      leo.chen

                      Hi ehugonnet,

                       

                      I have read the link you provided. But I am not sure which ones could be used to fill at cipher-suite attribute in jboss' standalone.xml (ssl element). Can you please advise?

                      • 8. Re: What is cipher-suite used for in standalone.xml
                        sikorson

                        Here is my working configuration

                         

                        Just be sure to contain only ciphers listed by running (List ciphers used by JVM - Stash Knowledge Base - Atlassian Documentation)

                        javac Ciphers.java

                        java Ciphers

                         

                        To be able to use the 256 bit AES Ciphers, it is necessary to install the JCE Unlimited Strength Jurisdiction Policy Files, which can be found here.

                        Java SE - Downloads | Oracle Technology Network | Oracle

                         

                         

                              <Connector port="8443" address="${jboss.bind.address}"

                                   protocol="HTTP/1.1" maxHttpHeaderSize="8192" maxKeepAliveRequests="100"

                                   maxThreads="250" minSpareThreads="25" maxSpareThreads="100" strategy="ms"

                                   acceptCount="100" connectionTimeout="30000" disableUploadTimeout="true"

                                   emptySessionPath="true" enableLookups="false"

                                   compression="on" noCompressionUserAgents="gozilla, traviata"

                                   SSLEnabled="true" scheme="https" secure="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"

                                   keystoreFile="${jboss.server.home.dir}/conf/XXXXXX.jks"

                                   keystorePass="XXXXXX" clientAuth="false" server="XXXXXX"

                                   ciphers="SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,

                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA,

                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA,

                        TLS_DHE_RSA_WITH_AES_256_CBC_SHA,

                        TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,

                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,

                        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,

                        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,

                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

                        TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,

                        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,

                        TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,

                        TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,

                        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,

                        TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,

                        TLS_EMPTY_RENEGOTIATION_INFO_SCSV,

                        TLS_RSA_WITH_AES_128_CBC_SHA,

                        TLS_RSA_WITH_AES_256_CBC_SHA,

                        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,

                        TLS_ECDHE_RSA_WITH_RC4_128_SHA,

                        TLS_ECDH_ECDSA_WITH_RC4_128_SHA,

                        TLS_ECDH_RSA_WITH_RC4_128_SHA"/>

                        • 9. Re: What is cipher-suite used for in standalone.xml
                          ehugonnet

                          According to the document from NIST :

                           

                          In order to maximize interoperability, TLS server implementations shall support the

                          following cipher suites:

                          • TLS_RSA_WITH_3DES_EDE_CBC_SHA 13

                          • TLS_RSA_WITH_AES_128_CBC_SHA 14

                          In addition, TLS server implementations should support the following cipher suites:

                          • TLS_RSA_WITH_AES_256_CBC_SHA

                          • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 15

                          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

                          • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

                          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

                          When ephemeral keys are used to establish the master secret, each ephemeral key-pair

                          (i.e., the server ephemeral key-pair and the client ephemeral key-pair) shall have at least

                          112 bits of security.

                          TLS version 1.2 adds support for authenticated encryption modes, and support for the

                          SHA-256 and SHA-384 hash algorithms, which are not supported in prior versions of

                          TLS. These cipher suites are described in [RFC5288] and [RFC5289]. In addition to

                          supporting the cipher suites listed above, TLS 1.2 servers shall be configured to support

                          the following cipher suite:

                          • TLS_RSA_WITH_AES_128_GCM_SHA256

                          TLS 1.2 servers should be configured to support the following cipher suites:

                          • TLS_RSA_WITH_AES_256_GCM_SHA384

                          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

                          • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

                          • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

                          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

                          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

                          NIST may define additional mandatory or recommended cipher suites at a later date.

                          • 10. Re: What is cipher-suite used for in standalone.xml
                            leo.chen

                            Hi Slawomir,

                            I just tried this and used the output list in the standalone.xml but not working (cannot access). I notice your jboss version should be old (4 or 5?). And I am using jdk 1.8.0_45.

                            • 11. Re: What is cipher-suite used for in standalone.xml
                              leo.chen

                              Hi ehugonnet,

                               

                              Thanks for reply. I have tried them but still not working.

                              • 12. Re: What is cipher-suite used for in standalone.xml
                                sikorson

                                Oh, sorry, it is jboss 6

                                But i suppose, when you will build your ciphers list according to output of:

                                javac Ciphers.java

                                java Ciphers

                                 

                                it should work

                                • 13. Re: What is cipher-suite used for in standalone.xml
                                  leo.chen

                                  Yes, I used the output of java Ciphers, but I got ssl_error_no_cypher_overlap error when using firefox. Also using IE cannot access.

                                   

                                  One note is I see there are * before some of the ciphers from the output. All of them need to be added to the configuration?

                                  • 14. Re: What is cipher-suite used for in standalone.xml
                                    ehugonnet

                                    Maybe you should use sslscan to check your configuration.

                                    The list is exhaustive, meaning you can't use regexp or whatever, you have to specify all cipher individually.

                                    1 2 Previous Next