[jbossws-users] How to disable weak ciphersuites for a SSL secured webservice

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hello there at JBossWS, I'm developing for a WebServices application that runs on JBoss 4.0.5.GA with JBossWS 1.0.4.GA We got managed to setup JBoss as well as the deployed WebService to only allow SSL connections (with user authentication). Unfortunately we don't see a way to disable all the weak ciphersuites (like DES40, RC4_40 or standard DES) for that SSL secured webservice, so that the server acts in a way that it will never accept such weak ciphersuites on the initial SSL handshake. I did already check out: http://jira.jboss.com/jira/browse/JBAS-1983 but was not able to configure the ciphersuites accordingly (this included JBAS-2785). I wasn't unable to check out, if these settings would change anything on WebServices, since JBoss doesn't start due to a null pointer exception (see attachment). As some debugging reveals, this is because the member "securityDomain" within: org.jboss.security.ssl.ServerSocketFactory seems to not get initialized. Any hints on how to become able to select or to configure the ciphersuites being accepted from our SSL enabled WebServices application would be appreciated much. - -- With kind regards, Wolfgang Moser _______________________________________________________________ SRC Security Research & Consulting GmbH Graurheindorfer Str. 149 a Tel: +49(0)228-2806-149 53117 Bonn Fax: +49(0)228-2806-199 http://www.src-gmbh.de Mob: +49(0) Handelsregister Bonn: HRB 9414 Geschäftsführer: Gerd Cimiotti 10:47:44,078 WARN [ServiceController] Problem starting service jboss:service=invoker,type=jrmp,socketType=SSLSocketFactory java.lang.NullPointerException at org.jboss.security.ssl.Context.forDomain(Context.java:66) at org.jboss.security.ssl.DomainServerSocketFactory.initSSLContext(DomainServerSocketFactory.java:304) at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:225) at org.jboss.security.ssl.DomainServerSocketFactory.createServerSocket(DomainServerSocketFactory.java:203) at org.jboss.security.ssl.RMISSLServerSocketFactory.createServerSocket(RMISSLServerSocketFactory.java:120) at sun.rmi.transport.tcp.TCPEndpoint.newServerSocket(TCPEndpoint.java:622) at sun.rmi.transport.tcp.TCPTransport.listen(TCPTransport.java:231) at sun.rmi.transport.tcp.TCPTransport.exportObject(TCPTransport.java:178) at sun.rmi.transport.tcp.TCPEndpoint.exportObject(TCPEndpoint.java:382) at sun.rmi.transport.LiveRef.exportObject(LiveRef.java:116) at sun.rmi.server.UnicastServerRef.exportObject(UnicastServerRef.java:180) at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:293) at java.rmi.server.UnicastRemoteObject.exportObject(UnicastRemoteObject.java:256) at org.jboss.invocation.jrmp.server.JRMPInvoker.exportCI(JRMPInvoker.java:451) at org.jboss.invocation.jrmp.server.JRMPInvoker.startService(JRMPInvoker.java:373) at org.jboss.invocation.jrmp.server.JRMPInvoker$1.startService(JRMPInvoker.java:150) at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289) at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245) at org.jboss.invocation.jrmp.server.JRMPInvoker.jbossInternalLifecycle(JRMPInvoker.java:645) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155) at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94) at org.jboss.mx.server.Invocation.invoke(Invocation.java:86) at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264) at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659) at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:978) at $Proxy0.start(Unknown Source) at org.jboss.system.ServiceController.start(ServiceController.java:417) at org.jboss.system.ServiceController.start(ServiceController.java:435) at org.jboss.system.ServiceController.start(ServiceController.java:435) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155) at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94) at org.jboss.mx.server.Invocation.invoke(Invocation.java:86) at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264) at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659) at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210) at $Proxy4.start(Unknown Source) at org.jboss.deployment.SARDeployer.start(SARDeployer.java:302) at org.jboss.deployment.MainDeployer.start(MainDeployer.java:1025) at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:819) at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:782) at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:766) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155) at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94) at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:133) at org.jboss.mx.server.Invocation.invoke(Invocation.java:88) at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:142) at org.jboss.mx.server.Invocation.invoke(Invocation.java:88) at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264) at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659) at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210) at $Proxy5.deploy(Unknown Source) at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:482) at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362) at org.jboss.Main.boot(Main.java:200) at org.jboss.Main$1.run(Main.java:490) at java.lang.Thread.run(Thread.java:595)