Birthday attack against 64-bit block ciphers (SWEET32) impact on Middleware Suite (CVE-2016-2183)

Updated 18 Oct 2019

Overview

A protocol flaw was found in the DES/3DES cipher, used as a part of the SSL/TLS protocol. A man-in-the-middle attacker could use this flaw to recover some plain text data by capturing large amounts of encrypted traffic between the SSL/TLS server and the client if the communication uses a DES/3DES based cipher suite. The Sweet32 Attack is documented as requiring at least 32GB of data per session. So short duration sessions will not be affected. Applications that require long persistent sessions should be assessed for session recycling and timeouts. Post idle session timeout can be configured for Tomcat and EAP. Configuration information is available from the respective installation guides.More information on this flaw can be found here. Given that multiple component of Red Hat's middleware product suite support SSL/TLS this issue could potentially affect these products as well. The following is the summary of the impact, along with Resolution/Mitigation for each middleware product.

Environment

JBoss Fuse and JBoss A-MQ
JBoss Enterprise Application Platform 6.4.9 (EAP)
JBoss Enterprise Web Server 3.0.3
Tomcat on Red Hat Enterprise Linux 6 and 7

Issue

Is JBoss Fuse affected by the SWEET32: Birthday attacks against TLS ciphers with 64bit block size?
Is JBoss EAP, Tomcat, JWS affected by the SWEET32: Birthday attacks against TLS ciphers with 64bit block size?

Resolution

Content from docs.oracle.com is not included.JSSE is the Java security implementation of the The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols in Java and all fuse components that support SSL use this implementation to provide encryption, server authentication, message integrity, and optional client authentication. It is possible to disable vulnerable algorithms completely in Java 8 using a global configuration options. The JSSE includes the ability to disable specific encryption algorithms via the use of the JSSE java.security configuration file. Including the following line in this file will disable 3DES. This file can be found in your Java Runtime (JRE) folder on your server.

Java 7 and Java 8 use 112 to 168 bits for Triple DES and so shouldn't be affected by this 64 bit DES issue. Some site administrators may still prefer to
disable Triple DES in Java applications and examples are included below to demonstrate how this can be achieved.

The Default Key Size in the JSSE for Triple DES is 168.
Key size must be equal to 112 or 168. A key size of 112 will generate a Triple DES key with 2 intermediate keys, and a key size of 168 will generate a Triple DES key with 3 intermediate keys.
Content from docs.oracle.com is not included.JSSE DESede or Triple DESKey Size Restrictions

The JSSE by default has a preferred encryption cipher of AES256 or AES128 as long as AES is not disabled. Triple DES is not the preferred encryption algorithm by default.

NOTE: It is not sufficient to rely on the server preferred cipher as a client can request Triple DES encryption. An application server can be configured to reject Triple DES requests by specification of disabledAlgorithms or specific Cipher Suites lists in a connector configuration.

In later versions of Java 7 (e.g. Oracle post 1.7.0_75) and Java 8, specific encryption algorithms can be disabled globally. The JSSE includes the ability to disable specific encryption algorithms via the use of the JSSE java.security configuration file. Including the following line in this file will disable 3DES. This file can be found in your Java Runtime (jre) folder on your server.

jdk.tls.disabledAlgorithms=SSLv3,DESede,DES

More information on this setting can be found in the Java JSSE documentation. Content from docs.oracle.com is not included.Content from docs.oracle.com is not included.http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html

Java versions that do not support disabling specific algorithms via the jdk.tls.disabledAlgorithms property (Java 7 and below) will require a connector specific configuration. In this case the set of acceptable Cipher Suites will need to be identified and included in the connector configuration.

The supported list of Cipher Suite Names is available from the Content from docs.oracle.com is not included.JSSE Supported Cipher Suites documentation.

Specific installations may have disabled certain ciphers by default in the JRE java.security configuration file consequently the available list can be a subset of the supported list. The available list on a specific server can be obtained using the Show Ciphers utility showciphers.jar.

java -jar showciphers.jar

It can list several ciphers as below depending on what JDK version you are running:

DefaultCipherSuites:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

SupportedCipherSuites:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_DH_anon_WITH_AES_128_GCM_SHA256
TLS_DH_anon_WITH_AES_128_CBC_SHA256
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
TLS_RSA_WITH_NULL_SHA256
TLS_ECDHE_ECDSA_WITH_NULL_SHA
TLS_ECDHE_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_SHA
TLS_ECDH_ECDSA_WITH_NULL_SHA
TLS_ECDH_RSA_WITH_NULL_SHA
TLS_ECDH_anon_WITH_NULL_SHA
SSL_RSA_WITH_NULL_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5

AES max key length: 128

Few 3DES ciphers as we could see from the above output are SSL_RSA_WITH_3DES_EDE_CBC_SHA ,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA you can exclude them from the connector settings.An example of connector settings is shown below.You need to make choice of the required ciphers.

JBoss Fuse/JBoss A-MQ 6.2, 6.2.1

JBoss Fuse must be running in one of the following JVM versions.

Java Virtual Machine	Version
OpenJDK [2]	1.7 1.8
Oracle JDK	1.7 1.8
IBM JDK	1.7 1.8
HP JVM	1.7

Disabling Algorithms Globally

Oracle, OpenJDK Java 8 and Oracle Java 7 post 1.7.0_75 provide jdk.tls.disabledAlgorithms property to disable specific algorithm with the following syntax:

jdk.tls.disabledAlgorithms=SSLv3,DESede,DES

NOTE: More information on this setting can be found in the Java Content from docs.oracle.com is not included.JSSE documentation.

IBM JDK also allows customization of the JSSE properties using bellow property for both versions 1.7 and 1.8 :

jdk.tls.disabledAlgorithms=SSLv3,DESede,DES

HP JDK version 1.7 also provides capability for disabling specific protocols via the above property in the following file:

<JRE_HOME>/lib/security/java.security

JBoss Fuse Specific Components

JBoss Fuse and JBoss A-MQ come with multiple components that support SSL, specific cipher suites can be configured for these components.

Embedded Pax-Web Jetty server

A Pax Web Jetty based HTTP server is deployed out of the box in JBoss Fuse and JBoss A-MQ, however it is not SSL enabled. Configuring specific algorithm can be done in Pax Web by adding the following Jetty configuration in `$JBOSS_FUSE/etc/jetty.xml` This will only affect the Jetty server used by Pax Web. All of the OSGi HTTP services from Pax Web use Jetty and this configuration. As well as that, both CXF and camel-jetty use this configuration by default.

<Call name="addConnector">
    <Arg>
        <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
           <Arg>
              <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                  <!-- in Fuse 6.0, please replace above FQN with "org.eclipse.jetty.util.ssl.SslContextFactory" -->    
			<Set name=”excludeCipherSuites”>
				<Array type="java.lang.String">
					<Item>SSL_RSA_WITH_RC4_128_SHA</Item>
					<Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
					...
				<Array>
			</Set>
              </New>
           </Arg>
           <Set name="Port">8183</Set>
           <Set name="keystore">/home/jshepher/Documents/cases/01264474/server.keystore</Set>
           <Set name="password">mykeystorepass</Set>
           <Set name="keyPassword">mykeystorepass</Set>
           <Set name="certAlias">jboss</Set>
       </New>
    </Arg>
</Call>

Ensure that org.osgi.service.http.secure.enabled=true set in etc/org.ops4j.pax.web.cfg.

NOTE: The above configuration will override the configuration in etc/org.ops4j.pax.web.cfg which means the existing keystore file reference, and password must be moved from etc/org.ops4j.pax.web.cfg to $JBOSS_FUSE/etc/jetty.xml

Camel

Camel provides a [utility](http://camel.apache.org/camel-configuration-utilities.html) that allows configuring different aspects of the JSSE API to avoid using custom transport layer security (TLS) on camel components. The central builder in the JSSE configuration utility is the SSLContextParameters. This class serves as the entry point for most configuration in the JSSE utility. This class also provides algorithm specific configuration using the `cipherSuites` parameters as shown bellow:

<camel:sslContextParameters id="sslContextParameters">
    <camel:cipherSuites>
      <camel:cipherSuite>SSL_RSA_WITH_RC4_128_SHA</camel:cipherSuite>
      <camel:cipherSuite>TLS_RSA_WITH_AES_128_CBC_SHA</camel:cipherSuite>
      ...
    </camel:cipherSuites>
  </camel:sslContextParameters>

LDAP

Karaf’s ldap module is responsible for providing the capability to configure SSL algorithm to the underlying SSL provider e.g. JSEE, the configuration is sown bellow:

<jaas:config name="karaf" rank="1">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connection.username=uid=admin,ou=system
    connection.password=secret
    connection.protocol=
    connection.url = ldaps://localhost:10636
    user.base.dn = ou=users,ou=system
    user.filter = (uid=%u)
    user.search.subtree = true
    role.base.dn = ou=users,ou=system
    role.filter = (uid=%u)
    role.name.attribute = ou
    role.search.subtree = true
    authentication = simple
    *ssl.protocol=TLSv1*
    ssl.truststore=truststore
    *ssl.algorithm=PKIX*
    </jaas:module>
</jaas:config>

Management Console JMX

The This content is not included.ConnectionServerFactory class provides the capability to configure SSL algorithm configuration for the underlying SSL/TLS provider e.g. JSSE, this configuration can be fed to this class via $JBOSS_FUSE/etc/org.apache.karaf.management.cfg configuration file as shown bellow:

secured = true
secureProtocol = TLSv1
keyAlias = jbossalias
keyStore = sample_keystore
trustStore = sample_keystore
algorithm =<algorithm>

CXF

CXF endpoints can also be configured to use specific algorithm for encryption, these endpoints running inside karaf container will be using the Pax Web implementation of the Jetty container, the configuration explained in the section Embedded Pax-Web Jetty server can also be applied to CXF endpoints as well.

ActiveMQ Transport Connector

ActiveMQ broker configuration provides a transport.enabledCipherSuites parameter to enable specific algorithm via transportConnector element.

<transportConnector name="ssl" uri="ssl://localhost:61617?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&transport.enabledCipherSuites=SSL_RSA_WITH_RC4_128_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA></transportConnector>

Tomcat (Including the Application Servers version in JWS)

Specific ciphers for Tomcat can be configured in the connectors definition as shown bellow:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                        clientAuth="false" sslProtocol="TLS"
                        keystoreFile="/mykeystorefolder/tomcat.keystore"
                        ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
                        keystorePass="..." keyAlias="..." />

Red Hat JBoss Enterprise Application Platform (JBoss EAP)

Specific encryption algorithms can be disabled globally on the supported JVMs for JBoss EAP.

Oracle, OpenJDK Java 8 and Oracle Java 7 post 1.7.0_75
Vulnerable algorithms e.g. Triple DES can also be disabled via below property of the above JVMs.

jdk.tls.disabledAlgorithms=SSLv3,DESede,DES

NOTE: Java versions that do not support disabling specific algorithms via will require a connector specific configuration in Tomcat or EAP. In this case all acceptable Cipher Suites will need to be identified and included in the connector configuration.

JBoss EAP 6

Example:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="https" ... cipher-suite="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
</connector>

NOTE: Configuring JBoss EAP Cipher Suites are described in this article and the EAP This content is not included.How To Configure Server Security documentation, section 2.2.7.7.

JBoss EAP 7

Example:

<https-listener name="https-2" socket-binding="https-2" security-realm="UndertowRealm" enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA"" enabled-protocols="TLSv1.2"/>

Configuring JBoss EAP Cipher Suites for JBoss EAP 7 is described in HTTPS Listerener Reference

Red Hat JBoss Core Services / Apache HTTP Server

See the documentation CHAPTER 5. ENABLING HTTP/2 FOR THE JBOSS CORE SERVICES HTTP SERVER

In ssl.conf, enable only certain protocols, and disable DES and 3DES. The example given is:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Cipher Suite Names

Information on Cipher Suite Names can be found in the following locations:

Content from www.fehcom.de is not included.Naming
Cipher Suite names can Content from testssl.sh is not included.vary between JSSE and OpenSSL.
Content from github.com is not included. TLS Cipher in Tomcat

How to test your server

[sslyze](https://github.com/nabla-c0d3/sslyze) is a simple utility that can be used to assess the tls status of a server. There is no requirement to install this utility on your server, it is a client application that can be installed only any client on your network. Sslyze has the advantage that it is security provider agnostic, it will work with OpenSSL and JSSE server configurations.

Example:

sslyze --tlsv1_2 rhel7:8443

SCAN RESULTS FOR RHEL7:8443 - 172.16.13.147:8443

------------------------------------------------

* TLSV1_2 Cipher Suites:

Preferred:

DHE-RSA-AES256-GCM-SHA384 DH-1024 bits 256 bits

Accepted:

DHE-RSA-AES256-SHA256 DH-1024 bits 256 bits

DHE-RSA-AES256-SHA DH-1024 bits 256 bits

DHE-RSA-AES256-GCM-SHA384 DH-1024 bits 256 bits

AES256-SHA256 - 256 bits

AES256-SHA - 256 bits

AES256-GCM-SHA384 - 256 bits

DHE-RSA-AES128-SHA256 DH-1024 bits 128 bits

DHE-RSA-AES128-SHA DH-1024 bits 128 bits

DHE-RSA-AES128-GCM-SHA256 DH-1024 bits 128 bits

AES128-SHA256 - 128 bits

AES128-SHA - 128 bits

AES128-GCM-SHA256 - 128 bits

EDH-RSA-DES-CBC3-SHA DH-1024 bits 112 bits

DES-CBC3-SHA - 112 bits

In this example we can see that AWS256 is the preferred cipher suite. This indicates the from the server side, DES-CBC3 is not prioritized over AES. Alternatively the attached jar file (showciphers.jar) can be used to assess the JSSE status of a TLS server.

References

SBR

JBoss Security

Product(s)

Category

Secure

Article Type

General