How to restrict JBoss EAP to only allow TLSv1.2
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 6.x
  - 7.x
- Red Hat Single Sign-On (RH SSO)
  - 7.x
- OpenJDK
  - 8.x
  - 11.x
Issue
- How to restrict a Java application to only allow TLSv1.2
- How to disable a protocol or cipher in OpenJDK / Java
Resolution
OpenJDK 8.x and 11.x support the jdk.tls.client.protocols system property [1][2]. On OpenJDK 7 releases earlier than 7u131 there is no way to enable TLSv1.2 globally by default; it must be configured per connection through whichever mechanism the framework in use provides.
Server side
Edit the security property jdk.tls.disabledAlgorithms in $JAVA_HOME/jre/lib/security/java.security (for Java 11: $JAVA_HOME/conf/security/java.security) and append TLSv1 and TLSv1.1 to the list, which disables those protocol versions for every SSLContext created by the JVM, server and client side alike. The file is read once at JVM start, so the server must be restarted for the change to take effect. For example:
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768, RC4, DES, TLSv1, TLSv1.1
EAP 7.x also exposes the enabled-protocols and enabled-cipher-suites attributes on the undertow https-listener for restricting the protocol versions and cipher suites of that listener only [3]. Both attributes take a comma-separated list; the server must be reloaded afterwards for the new values to apply. Note that the two suites in the example below use static RSA key exchange and CBC mode and are shown only to illustrate the syntax; in production prefer ECDHE suites, which provide forward secrecy.
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=enabled-protocols,value="TLSv1.2")
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=enabled-cipher-suites,value="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA")
Client side
For client application running on JBoss EAP (= outbound TLS connections), set the jdk.tls.client.protocols system property when starting JBoss, either by passing on the command line or via the JBoss .conf file. Note: this client property has no effect if put in the $JAVA_HOME/jre/lib/security/java.security , it must be specified as shown below:
-Djdk.tls.client.protocols=TLSv1.2
For EAP 6.x/7.x this system property can be added to $JBOSS_HOME/bin/standalone.conf (or domain.conf when running in domain mode). For example:
JAVA_OPTS="$JAVA_OPTS -Djdk.tls.client.protocols=TLSv1.2"
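To confirm what the two settings above actually change before pointing a scanner at the server, the following small program (an added example, not part of the original solution or of the EAP code base) prints the protocols the JVM will accept on a listener and offer on an outbound connection, using only standard JSSE APIs. Run it once with the unmodified JVM and once after editing java.security and/or passing -Djdk.tls.client.protocols=TLSv1.2; the server-side list should lose TLSv1 and TLSv1.1 only after the java.security change, while the client-side list reacts to the system property.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Prints the TLS protocol versions and cipher suites the running JVM
 * enables by default, so the effect of jdk.tls.disabledAlgorithms
 * (java.security) and -Djdk.tls.client.protocols can be verified.
 */
public class TlsDefaults {
    public static void main(String[] args) throws Exception {
        // Inputs as the JVM sees them: the system property and the security property.
        System.out.println("jdk.tls.client.protocols   = "
                + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Everything this JSSE build could negotiate, before any restriction is applied.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported protocols        = "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        // Client side: what an outbound connection created from the default
        // factory will offer in its ClientHello. Governed by both properties.
        try (SSLSocket client = (SSLSocket) SSLSocketFactory.getDefault().createSocket()) {
            System.out.println("Client enabled protocols   = "
                    + Arrays.toString(client.getEnabledProtocols()));
        }

        // Server side: what a listener built on the JVM defaults will accept.
        // Only jdk.tls.disabledAlgorithms affects this list; the client
        // property does not, which is why it is not a server-side fix.
        try (SSLServerSocket server =
                     (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket()) {
            System.out.println("Server enabled protocols   = "
                    + Arrays.toString(server.getEnabledProtocols()));
            System.out.println("Server enabled suites      = "
                    + Arrays.toString(server.getEnabledCipherSuites()));
        }
    }
}
```

Compile with the same JDK that runs EAP and execute as `java TlsDefaults` and then `java -Djdk.tls.client.protocols=TLSv1.2 TlsDefaults`; the server-side protocol list is the one a scanner will see on a listener that does not override enabled-protocols in undertow.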
[1] https://www.java.com/en/configure_crypto.html
[2] https://bugs.openjdk.java.net/browse/JDK-8076369
[3] https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html/how_to_configure_server_security/securing_the_server_and_its_interfaces#about-cipher-suites
Diagnostic Steps
Use OpenSSL s_client to test the connection, substituting the host and port of the listener under test. The first command negotiates the highest version both sides support and should still succeed; the runs forced to TLSv1 and TLSv1.1 must fail the handshake if the restriction is in effect:
openssl s_client -connect localhost:3528
openssl s_client -connect localhost:3528 -tls1
openssl s_client -connect localhost:3528 -tls1_1
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.