Disable weak SSL ciphers in JBoss EAP 4.x and 5.x

Solution Verified - Updated 7 Aug 2024

Environment

Red Hat JBoss Enterprise Application Platform (EAP)
- 5.x
- 4.x

Issue

How to disable weak SSL ciphers for security compliance?
How to stronger ciphers to the JDK?
When running a security a SSL Server Supports Weak Encryption Vulnerability message is seen. How do I address this error?

Resolution

We consider strong ciphers those with 128 bits or more, so to restrict usage of strong cipher suites modify

JBoss EAP 4.x:  $PROFILE/deploy/jboss-web.deployer/server.xml
JBoss EAP 5.x:  $PROFILE/deploy/jbossweb.sar/server.xml

and add the "ciphers" attribute to the SSL connector. Here is an example with a couple of ciphers:

<Connector
    port="8443" address="${jboss.bind.address}"
    protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
    emptySessionPath="true" clientAuth="false" sslProtocol="TLS"
    alias="cerverCert"
    keystoreFile="/path/to/keystore.jks"   keystorePass="12345678"
    truststoreFile="/path/to/keystore.jks" truststorePass="12345678"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
/>

Things to note:

The JDK will check the provided list against the default/supported list. As soon as it has one match, it will limit the ciphers to what you specified.
Suppose you have a typo: ciphers="SSL_RSA_WITH_RC4_128_OOPS" , the JDK will not find a match and will use the default cipher list instead.
By default, the JDK limits the key length (currently) to 128 bit. To enable unlimited strength keys, you need to get the Content from www.oracle.com is not included.Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files . Download & unzip, then follow the included readme. Note that local country laws might forbid the use of these.

Diagnostic Steps

Cipher suites are specific to JDK version and vendor, so to check the default cipher suites use the following code.

A more extensive version of the below code which also lists the supported EC curves, can be downloaded as a maven project with a pre-build "showciphers.jar" in the root directory. See the attachment "showcipherdistro.zip"

Execute (uses default SunEC provider)

# java -jar showciphers.jar

or specify a custom provider:

# java -jar showciphers.jar -p provider

    import java.security.NoSuchAlgorithmException;
    import javax.crypto.Cipher;
    import javax.net.ssl.SSLSocketFactory;

    public class ShowCiphers {
        public static void main(String[] args) throws NoSuchAlgorithmException {
            SSLSocketFactory fac = (SSLSocketFactory)SSLSocketFactory.getDefault();

            String[] list = fac.getDefaultCipherSuites();
            System.out.println("\nDefaultCipherSuites:");
            for (String s : list) {
                System.out.println(s);
            }

            list = fac.getSupportedCipherSuites();
            System.out.println("\nSupportedCipherSuites:");
            for (String s : list)  {
                System.out.println(s);
            }
            // as an example show the key lenght supported (or allowed)
            System.out.println("\nAES max key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        }
    }

Run the program with the same JDK used to run JBoss EAP because cipher suites are specific to JDK version and vendor.
Here is an example of the output:

DefaultCipherSuites:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

SupportedCipherSuites:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5

AES max key length: 128

SBR

Product(s)

Components

jbossas

Category

Learn more

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.