[jbossws-users] How to disable weak ciphersuites for a SSL secured webservice

Wolfgang Moser wolfgang.moser at src-gmbh.de
Wed Mar 28 07:20:09 EDT 2007


Hello there at JBossWS,

I'm developing for a WebServices application that runs on
  JBoss 4.0.5.GA  with  JBossWS 1.0.4.GA

We managed to set up JBoss as well as the deployed
WebService to only allow SSL connections (with user
authentication).


Unfortunately we don't see a way to disable all the weak
ciphersuites (like DES40, RC4_40 or standard DES) for that
SSL secured webservice, so that the server acts in a way
that it will never accept such weak ciphersuites on the
initial SSL handshake.


I already checked out:
	http://jira.jboss.com/jira/browse/JBAS-1983
but was not able to configure the ciphersuites accordingly
(this included JBAS-2785). I wasn't able to check
whether these settings would change anything on WebServices,
since JBoss doesn't start due to a null pointer exception
(see attachment). As some debugging reveals, this is
because the member "securityDomain" within:
    org.jboss.security.ssl.ServerSocketFactory
seems not to get initialized.


Any hints on how to select or configure
the ciphersuites accepted by our SSL enabled
WebServices application would be much appreciated.

--
With kind regards,

	Wolfgang Moser

_______________________________________________________________

SRC Security Research & Consulting GmbH
Graurheindorfer Str. 149 a      Tel: +49(0)228-2806-149
53117 Bonn                      Fax: +49(0)228-2806-199
http://www.src-gmbh.de          Mob: +49(0)
Handelsregister Bonn: HRB 9414	Geschäftsführer: Gerd Cimiotti

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: jbossserversocketexception.txt
Url: http://lists.jboss.org/pipermail/jbossws-users/attachments/20070328/25dae553/attachment.txt 
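
An added example, not part of the original post and not JBoss or JBossWS configuration: at the plain JSSE level, the behaviour asked for above (a server that never accepts DES40, RC4_40 or single DES in the handshake) comes down to filtering the enabled cipher suites on the server socket. The class name, the marker list (which also covers export, anonymous and NULL suites) and the sample suite names are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherSuiteFilter {
    // Substrings marking the suites the post names as weak (DES40, RC4_40, single DES),
    // plus export-grade, anonymous and NULL-encryption suites (added assumption).
    private static final String[] WEAK_MARKERS = {
        "_DES40_", "_RC4_40_", "_DES_", "_EXPORT_", "_anon_", "_NULL_"
    };
    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    // Returns the input suites minus every suite that carries a weak marker.
    static String[] withoutWeak(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (!isWeak(s)) kept.add(s);
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample names in the JSSE naming scheme; only the last two are kept.
        String[] sample = {
            "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA"
        };
        for (String s : withoutWeak(sample)) System.out.println("kept: " + s);
        // Apply the same filter to a listening socket (port 0 = any free port).
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket server = (SSLServerSocket) f.createServerSocket(0);
        try {
            server.setEnabledCipherSuites(withoutWeak(server.getEnabledCipherSuites()));
            for (String s : server.getEnabledCipherSuites()) System.out.println("enabled: " + s);
        } finally {
            server.close();
        }
    }
}
```

A suite that is not in the enabled list is never selected by the server, so a client offering only the filtered suites gets a handshake failure instead of a weak session.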