How can I disable SSLv3 for EJB3 + SSL connections in JBoss EAP 5?

Solution Unverified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 5.x

Issue

  • How can I disable SSLv3 for EJB3 + SSL connections in JBoss EAP 5?
  • I need to disable SSLv3 due to the POODLE SSLv3 vulnerability (CVE-2014-3566).

Resolution

This article assumes SSL was already enabled for EJB3 as described in the JBoss EAP 5 Security Guide.

The protocols offered by the secure EJB3 connector are controlled by the enabledProtocols option of the remoting Connector. There are two ways to set it, depending on how the connector is configured:

  1. If the connector is configured with a plain invokerLocator URL, add enabledProtocols as a query parameter on the sslsocket URL:

       <property name="invokerLocator">sslsocket://${jboss.bind.address}:3843?enabledProtocols=TLSv1,TLSv1.1,TLSv1.2</property>

  2. If the connector is configured through the invokerLocatorParameters property instead, add an enabledProtocols entry to that map:

       <property name="invokerLocatorParameters">
         ...
         <entry>
           <key>enabledProtocols</key>
           <value>TLSv1,TLSv1.1,TLSv1.2</value>
         </entry>
       </property>

Listing only TLS versions in enabledProtocols removes SSLv3 from the handshake; the server rejects clients that offer nothing newer.

The versions of TLS available will depend on the JVM version. TLSv1.1 and TLSv1.2 are not available on Java 6.
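Because a connector that carries no enabledProtocols setting at all falls back to the JVM's default protocol list, a quick audit of the deployed Connector bean files is worth running after the change. The following script is an added example, not part of this article or of JBoss EAP; it parses a constructed microcontainer bean file (the <map> wrapper around the <entry> elements is an assumption about the XML layout, the property and key names are the ones used above) and reports, per sslsocket connector, whether enabledProtocols is set, where it is set, and whether it still lists SSLv2 or SSLv3.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a JBoss EAP 5 remoting Connector bean file
# (hypothetical, not taken from any real deployment). The <map> wrapper
# around <entry> is an assumption about the microcontainer XML layout.
SAMPLE_CONFIG = """<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="UnifiedInvokerSSLConnector" class="org.jboss.remoting.transport.Connector">
    <property name="invokerLocator">sslsocket://${jboss.bind.address}:3843?enabledProtocols=TLSv1,TLSv1.1,TLSv1.2</property>
  </bean>
  <bean name="LegacySSLConnector" class="org.jboss.remoting.transport.Connector">
    <property name="invokerLocator">sslsocket://${jboss.bind.address}:3844</property>
    <property name="invokerLocatorParameters">
      <map keyClass="java.lang.String" valueClass="java.lang.String">
        <entry>
          <key>enabledProtocols</key>
          <value>SSLv3,TLSv1</value>
        </entry>
      </map>
    </property>
  </bean>
  <bean name="UnsetConnector" class="org.jboss.remoting.transport.Connector">
    <property name="invokerLocator">sslsocket://${jboss.bind.address}:3845</property>
  </bean>
</deployment>
"""

# Protocol names that must not appear in enabledProtocols after the fix.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}


def local_name(tag):
    """Strip the XML namespace prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def properties(bean):
    """Yield (name, element) for each <property> directly under a bean."""
    for child in bean:
        if local_name(child.tag) == "property" and child.get("name"):
            yield child.get("name"), child


def protocols_from_locator(locator):
    """Parse enabledProtocols from the sslsocket URL query string, or None."""
    params = parse_qs(urlsplit(locator.strip()).query)
    if "enabledProtocols" not in params:
        return None
    return [p.strip() for p in params["enabledProtocols"][0].split(",") if p.strip()]


def protocols_from_parameters(prop):
    """Parse enabledProtocols from an invokerLocatorParameters map, or None."""
    for entry in prop.iter():
        if local_name(entry.tag) != "entry":
            continue
        fields = {local_name(c.tag): (c.text or "").strip() for c in entry}
        if fields.get("key") == "enabledProtocols" and "value" in fields:
            return [p.strip() for p in fields["value"].split(",") if p.strip()]
    return None


def audit(config_xml):
    """Return {bean name: (status, source, protocols)} for every sslsocket bean.

    status is 'OK', 'WEAK' (SSLv2/SSLv3 explicitly listed) or 'UNSET'
    (no enabledProtocols anywhere, so the JVM default list applies).
    """
    root = ET.fromstring(config_xml)
    findings = {}
    for bean in root.iter():
        if local_name(bean.tag) != "bean":
            continue
        props = dict(properties(bean))
        locator_el = props.get("invokerLocator")
        locator = (locator_el.text or "").strip() if locator_el is not None else ""
        if not locator.startswith("sslsocket://"):
            continue  # plain socket transports carry no TLS settings
        source, protos = None, protocols_from_locator(locator)
        if protos is not None:
            source = "invokerLocator"
        elif "invokerLocatorParameters" in props:
            protos = protocols_from_parameters(props["invokerLocatorParameters"])
            if protos is not None:
                source = "invokerLocatorParameters"
        if protos is None:
            status = "UNSET"
        elif WEAK_PROTOCOLS & set(protos):
            status = "WEAK"
        else:
            status = "OK"
        findings[bean.get("name")] = (status, source, protos)
    return findings


if __name__ == "__main__":
    for name, (status, source, protos) in audit(SAMPLE_CONFIG).items():
        print(f"{status:5} {name}: {protos} (from {source})")
```

Run it against each *-jboss-beans.xml that defines an sslsocket Connector; an UNSET result is the case this article's change is meant to remove, and a WEAK result means enabledProtocols was set but still lists SSLv3. The script only inspects configuration and does not replace checking the JVM version, since the default list and the availability of TLSv1.1/TLSv1.2 depend on the JVM as noted above.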


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.