[jboss-user] [JBoss Remoting] - Disable Weak Ciphers for PCI-DSS

Sunil Babu do-not-reply at jboss.com
Wed Apr 14 23:51:00 EDT 2010


Sunil Babu [http://community.jboss.org/people/sunilbabu] replied to the discussion

"Disable Weak Ciphers for PCI-DSS"

To view the discussion, visit: http://community.jboss.org/message/537571#537571

--------------------------------------------------------------
 I spent a lot of time trying to figure this out and hope this helps someone. 

- JBoss-4.2.3.GA uses Remoting 2.2.2.SP8 and there is no configuration option or property to disable weak ciphers in this version.
- This feature is added in Remoting 2.4.0.Beta2: https://jira.jboss.org/jira/browse/JBREM-703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

So my options are
1. Update the Remoting jar to 2.4.x, but I did not find any document on how to do this (I was also worried about its impact on my Swing clients and web service).

2. Hack the Remoting 2.2.2.SP8 code and disable the weak ciphers.

Required files: jboss-remoting.jar, jboss-common.jar, SSLSocketServerInvoker.java



Modify the 2.2.2-SP8/src/main/org/jboss/remoting/transport/sslsocket/SSLSocketServerInvoker.java file and add the strong ciphers:

   // Needs javax.net.ssl.SSLServerSocket (plus java.net.ServerSocket,
   // java.net.InetAddress and java.io.IOException) imported in this class.
   protected ServerSocket createServerSocket(int serverBindPort, int backlog, InetAddress bindAddress) throws IOException
   {
      ServerSocket ss = getServerSocketFactory().createServerSocket(serverBindPort, backlog, bindAddress);
      if (ss instanceof SSLServerSocket)
      {
         SSLServerSocket sss = (SSLServerSocket) ss;
         // Replace the JSSE default list with an explicit allow-list. Every name must be
         // in sss.getSupportedCipherSuites(), otherwise this call throws IllegalArgumentException.
         String[] enabledCipherSuites = {
            "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
            "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"
         };
         sss.setEnabledCipherSuites(enabledCipherSuites);
      }
      return ss;
   }


Compile the file
javac -cp jboss-remoting.jar:jboss-common.jar:log4j.jar SSLSocketServerInvoker.java

Update the jar with the new class file
jar uf jboss-remoting.jar org/jboss/remoting/transport/sslsocket/SSLSocketServerInvoker.class

3. Update my server to JBoss-5.x and use the "enabledCipherSuites" property (I am working on this now).

--------------------------------------------------------------
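An added example, not code from the post or from JBoss Remoting: the same createServerSocket shape as option 2, but the enabled list is derived by filtering weak families out of what the JDK already enables, so the list does not break when suite names differ between JDKs. The class name, the denylist regex, the use of the default JSSE factory in place of Remoting's getServerSocketFactory(), and the self-check in main are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherSuiteHardening {
    // Hypothetical denylist of suite-name fragments an assessor flags:
    // anonymous key exchange, NULL/export ciphers, RC4, DES/3DES, MD5 MACs.
    private static final Pattern WEAK =
        Pattern.compile("_(anon|NULL|EXPORT|RC4|DES|3DES)_|_MD5$");
    // Keeps only the candidate suites that match none of the weak fragments.
    static String[] dropWeakSuites(String[] candidates) {
        List<String> keep = new ArrayList<String>();
        for (String suite : candidates) {
            if (!WEAK.matcher(suite).find()) {
                keep.add(suite);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }
    // Same shape as the patched SSLSocketServerInvoker method, but the list comes
    // from what this JDK enables. A hard-coded list must be a subset of
    // getSupportedCipherSuites(), else setEnabledCipherSuites() throws at startup.
    static ServerSocket createServerSocket(int port, int backlog, InetAddress bind) throws IOException {
        ServerSocket ss = SSLServerSocketFactory.getDefault().createServerSocket(port, backlog, bind);
        if (ss instanceof SSLServerSocket) {
            SSLServerSocket sss = (SSLServerSocket) ss;
            sss.setEnabledCipherSuites(dropWeakSuites(sss.getEnabledCipherSuites()));
        }
        return ss;
    }
    // Self-check: bind an ephemeral loopback port, fail if any weak suite survived.
    public static void main(String[] args) throws IOException {
        ServerSocket ss = createServerSocket(0, 50, InetAddress.getByName("127.0.0.1"));
        try {
            for (String suite : ((SSLServerSocket) ss).getEnabledCipherSuites()) {
                if (WEAK.matcher(suite).find()) {
                    throw new IllegalStateException("weak suite still enabled: " + suite);
                }
            }
            System.out.println("OK: no weak suite enabled on " + ss.getLocalSocketAddress());
        } finally {
            ss.close();
        }
    }
}
```

Running main against the JDK that will host JBoss is a quick way to see which names the post's hard-coded list would reject before patching the invoker.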
