How to disable weak ciphersuites for an SSL-secured webservice
by Wolfgang Moser
Hello there at JBossWS,
I'm developing for a WebServices application that runs on
JBoss 4.0.5.GA with JBossWS 1.0.4.GA
We managed to set up JBoss as well as the deployed
WebService to only allow SSL connections (with user
authentication).
Unfortunately we don't see a way to disable all the weak
ciphersuites (like DES40, RC4_40 or standard DES) for that
SSL secured webservice, so that the server acts in a way
that it will never accept such weak ciphersuites on the
initial SSL handshake.
I did already check out:
http://jira.jboss.com/jira/browse/JBAS-1983
but was not able to configure the ciphersuites accordingly
(this included JBAS-2785). I wasn't able to check
whether these settings would change anything on WebServices,
since JBoss doesn't start due to a null pointer exception
(see attachment). As some debugging reveals, this is
because the member "securityDomain" within:
org.jboss.security.ssl.ServerSocketFactory
seems to not get initialized.
Any hints on how to select or configure the ciphersuites
accepted by our SSL-enabled WebServices application would
be much appreciated.
--
With kind regards,
Wolfgang Moser
_______________________________________________________________
SRC Security Research & Consulting GmbH
Graurheindorfer Str. 149 a Tel: +49(0)228-2806-149
53117 Bonn Fax: +49(0)228-2806-199
http://www.src-gmbh.de Mob: +49(0)
Handelsregister Bonn: HRB 9414 Geschäftsführer: Gerd Cimiotti
10:47:44,078 WARN [ServiceController] Problem starting service jboss:service=invoker,type=jrmp,socketType=SSLSocketFactory
java.lang.NullPointerException
at org.jboss.security.ssl.Context.forDomain(Context.java:66)
at org.jboss.security.ssl.DomainServerSocketFactory.initSSLContext(DomainServerSocketFactory.java:304)
at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:225)
at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:203)
at org.jboss.security.ssl.RMISSLServerSocketFactory.createServerSocket(RMISSLServerSocketFactory.java:120)
at sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:622)
at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:231)
at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:178)
at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:382)
at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:116)
at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:180)
at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:293)
at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:256)
at org.jboss.invocation.jrmp.server.JRMPInvoker.exportCI(JRMPInvoker.java:451)
at org.jboss.invocation.jrmp.server.JRMPInvoker.startService(JRMPInvoker.java:373)
at org.jboss.invocation.jrmp.server.JRMPInvoker$1.startService(JRMPInvoker.java:150)
at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245)
at org.jboss.invocation.jrmp.server.JRMPInvoker.jbossInternalLifecycle(JRMPInvoker.java:645)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:978)
at $Proxy0.start(Unknown Source)
at org.jboss.system.ServiceController.start(ServiceController.java:417)
at org.jboss.system.ServiceController.start(ServiceController.java:435)
at org.jboss.system.ServiceController.start(ServiceController.java:435)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
at $Proxy4.start(Unknown Source)
at org.jboss.deployment.SARDeployer.start(SARDeployer.java:302)
at org.jboss.deployment.MainDeployer.start(MainDeployer.java:1025)
at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:819)
at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:782)
at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:766)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
at $Proxy5.deploy(Unknown Source)
at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:482)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
at org.jboss.Main.boot(Main.java:200)
at org.jboss.Main$1.run(Main.java:490)
at java.lang.Thread.run(Thread.java:595)
17 years, 8 months
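The post asks for a server that never negotiates DES40, RC4_40 or single DES. Whatever a container exposes as configuration, the mechanism underneath is the JSSE call that narrows the enabled suites on the server socket before accept(). The following is an added illustration of that call, not code from the post or from JBoss; the weak-suite markers and the class name are assumptions chosen for the example, and it runs on any JSSE provider (Java 5 or later).

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical helper (not part of JBoss): keeps only cipher suites that do not
// match a weak-suite marker, then applies that list to an SSLServerSocket.
public class StrongSuitesOnly {

    // Substrings of JSSE suite names that mark export-grade or otherwise weak
    // suites: 40-bit DES/RC4, single DES, NULL encryption, anonymous key exchange.
    // "EXPORT" also covers RC2_CBC_40. Note "_DES_" does not match "3DES_EDE".
    private static final String[] WEAK_MARKERS = {
        "_DES40_", "_RC4_40_", "_DES_", "_NULL_", "_anon_", "EXPORT"
    };

    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    // Returns the subset of the supported suites with every weak suite removed.
    static String[] strongSubset(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String suite : supported) {
            if (!isWeak(suite)) keep.add(suite);
        }
        return keep.toArray(new String[keep.size()]);
    }

    // Must run before accept(): the handshake can then only settle on a suite
    // from the restricted list, and a client offering only weak suites is rejected.
    static void restrict(SSLServerSocket serverSocket) {
        serverSocket.setEnabledCipherSuites(
            strongSubset(serverSocket.getSupportedCipherSuites()));
    }

    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket serverSocket = (SSLServerSocket) factory.createServerSocket(0);
        restrict(serverSocket);
        for (String suite : serverSocket.getEnabledCipherSuites()) {
            System.out.println(suite);   // verify: no DES40, RC4_40 or plain DES remain
        }
        serverSocket.close();
    }
}
```

Printing getEnabledCipherSuites() after the call is the check worth keeping in a deployment test, since a container that swaps in its own socket factory (as the DomainServerSocketFactory in the attached trace does) may not apply the same list.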
[JBossWS] - How to disable weak ciphersuites for an SSL-secured webservice
by Wolfgang Moser
Hello there at JBossWS,
(please excuse me for sending this message twice; it seems
I didn't format my subject line correctly, so the message
wasn't put through to the forum)
--
With kind regards,
Wolfgang Moser
17 years, 9 months