Logjam: TLS vulnerabilities (CVE-2015-4000) for JBoss products
Environment
- Red Hat JBoss Enterprise Application Platform (EAP) 5
- Red Hat JBoss Enterprise Application Platform (EAP) 6
- Red Hat JBoss Web Server (JWS) 2
- Red Hat JBoss Web Server (JWS) 3
Issue
How can I mitigate the Logjam vulnerability (CVE-2015-4000) on JBoss products?
Resolution
The CVE-2015-4000 issue affects EAP and JWS (Httpd and Tomcat). You can use the steps below as a workaround if you use SSL in any of the affected environments mentioned above. This procedure is not necessary for a non-SSL environment.
HTTPD (JWS and EAP6)
See Disabling EXPORT ciphers in httpd step.
Disabling EXPORT ciphers in httpd
To disallow the use of EXPORT-grade ciphers by the httpd web server, add the !EXP directive to the SSLCipherSuite line in the httpd/conf.d/ssl.conf configuration file. For example:
SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
After modifying ssl.conf, you need to restart the httpd service.
EAP 6
For JDK
-
Execute the "java -jar showciphers.jar" command (see also Disable weak SSL ciphers in EAP 6).
-
Go to the next step, If there are "EXPORT" ciphers in DefaultCipherSuites. (You do not need to change your EAP configuration, if there is no "EXPORT" ciphers.)
Ex - JDK 1.6.0_45$ java -version java version "1.6.0_45" Java(TM) SE Runtime Environment (build 1.6.0_45-b06) Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode) $ java -jar showciphers.jar DefaultCipherSuites: SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA -> SSL_RSA_EXPORT_WITH_RC4_40_MD5 -> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA -> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA -> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_EMPTY_RENEGOTIATION_INFO_SCSV -
Change the ciphers configuration.
Ex - JDK 1.6.0_45 / standalone.xml<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false"> <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> <ssl name="https" ... cipher-suite="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"/> </connector>
For APR
EAP is shipping an affected OpenSSL version for the Native connector.
-
Execute the "openssl ciphers -v" command.
-
Go to the next step, If there are "EXPORT" ciphers in result of command. (You do not need to change your EAP configuration, if there is no "EXPORT" ciphers.)
Ex - for windows> openssl.exe ciphers -v DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 -> EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export -> EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export -> EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export -> EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export -> EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export -> EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export -> EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export -
Change the ciphers configuration.
Ex - for windows / standalone.xml<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="true"> <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> <ssl name="https" ... cipher-suite="DHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,AES256-SHA,EDH-RSA-DES-CBC3-SHA,EDH-DSS-DES-CBC3-SHA,DES-CBC3-SHA,DES-CBC3-MD5,DHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,AES128-SHA,RC2-CBC-MD5,RC4-SHA,RC4-MD5,RC4-MD5,EDH-RSA-DES-CBC-SHA,EDH-DSS-DES-CBC-SHA,DES-CBC-SHA,DES-CBC-MD5"/> </connector>
EAP5 / Tomcat
For JDK
-
Execute the "java -jar showciphers.jar" command (See Disable weak SSL ciphers in JBoss EAP 4.x and 5.x.
-
Go to the next step, If there are "EXPORT" ciphers in DefaultCipherSuites. (You do not need to change your EAP configuration, if there is no "EXPORT" ciphers.)
Ex - JDK 1.6.0_45$ java -version java version "1.6.0_45" Java(TM) SE Runtime Environment (build 1.6.0_45-b06) Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode) $ java -jar showciphers.jar DefaultCipherSuites: SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA -> SSL_RSA_EXPORT_WITH_RC4_40_MD5 -> SSL_RSA_EXPORT_WITH_DES40_CBC_SHA -> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA -> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_EMPTY_RENEGOTIATION_INFO_SCSV -
Change the ciphers configuration.
Ex - JDK 1.6.0_45 / server.xml<Connector ... ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV" />
For APR
-
Execute "openssl ciphers -v" command.
-
Go to the next step, If there are "EXPORT" ciphers in result of command. (You do not need to change your EAP configuration, if there is no "EXPORT" ciphers.)
Ex - for windows> openssl.exe ciphers -v DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 -> EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export -> EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export -> EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export -> EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export -> EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export -> EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export -> EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export -
Change the ciphers configuration.
Ex - for windows / server.xml<Connector ... ciphers="DHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,AES256-SHA,EDH-RSA-DES-CBC3-SHA,EDH-DSS-DES-CBC3-SHA,DES-CBC3-SHA,DES-CBC3-MD5,DHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,AES128-SHA,RC2-CBC-MD5,RC4-SHA,RC4-MD5,RC4-MD5,EDH-RSA-DES-CBC-SHA,EDH-DSS-DES-CBC-SHA,DES-CBC-SHA,DES-CBC-MD5" />
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.