[jboss-jira] [JBoss JIRA] (WFLY-3451) disabling CBC mode ciphers

Emmanuel Hugonnet (JIRA) issues at jboss.org
Thu Jun 12 11:00:43 EDT 2014


    [ https://issues.jboss.org/browse/WFLY-3451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12975702#comment-12975702 ]

Emmanuel Hugonnet commented on WFLY-3451:
-----------------------------------------

This syntax is not currently supported in WildFly for defining which ciphers to enable in Undertow for SSL connections.
This goes into your WildFly configuration file:

<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    ...
    <server name="default-server">
        ...
        <https-listener name="ssl" socket-binding="https" enabled-cipher-suites="ALL:!RC4-SHA:!ECDH-RSA-DES-CBC3-SHA" security-realm="UndertowRealm" verify-client="NOT_REQUESTED" />
        ...
    </server>
    ...
</subsystem>

> disabling CBC mode ciphers
> --------------------------
>
>                 Key: WFLY-3451
>                 URL: https://issues.jboss.org/browse/WFLY-3451
>             Project: WildFly
>          Issue Type: Sub-task
>      Security Level: Public (Everyone can see)
>    Affects Versions: JBoss AS7 7.1.1.Final
>            Reporter: Aleksandr Voloschuk
>            Assignee: Darran Lofthouse
>            Priority: Critical
>
> We encountered the following problem:
> An information security vulnerability was found on a production environment, namely:
> SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability, port 8443/tcp over SSL
> RC4-SHA ECDHE-RSA-DES-CBC3-SHA SSLv3
> They offer a solution:
> This attack was identified in 2004 and later revisions of TLS protocol which contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2. If
> upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability. Setting your SSL server to prioritize RC4 ciphers mitigates this vulnerability.
> As we cannot upgrade TLS, what remains is disabling CBC mode ciphers.
> Our platform is jboss-eap-6.1.
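As an added illustration (not code from the comment above or from WildFly/Undertow), the following Python evaluates an OpenSSL-style cipher string of the kind placed in the enabled-cipher-suites attribute against a constructed list of suite names and reports which CBC-mode suites would still be enabled. It assumes only the ALL keyword, exact suite names and "!" exclusions are used, a simplification of OpenSSL's full cipher-list syntax, and its CBC detection is a naming heuristic.

```python
import re

# Constructed candidate list in OpenSSL notation. It includes the two suites the
# scan report names (RC4-SHA, ECDHE-RSA-DES-CBC3-SHA) and the similarly named
# ECDH-RSA-DES-CBC3-SHA that the comment's configuration actually excludes.
CANDIDATE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",  # AEAD, not CBC
    "ECDHE-RSA-AES256-SHA",         # CBC
    "AES128-SHA",                   # CBC
    "ECDHE-RSA-DES-CBC3-SHA",       # CBC, reported by the scanner
    "ECDH-RSA-DES-CBC3-SHA",        # CBC, excluded by the comment's config
    "RC4-SHA",                      # stream cipher, reported by the scanner
]

# Heuristic (assumption): in OpenSSL naming, a suite that is not AEAD
# (GCM/CCM/CHACHA20) and not RC4 or NULL uses a block cipher in CBC mode.
_NON_CBC = re.compile(r"GCM|CCM|CHACHA20|RC4|NULL")


def is_cbc_suite(name):
    return _NON_CBC.search(name) is None


def _matches(term, suite):
    # Only the ALL keyword and exact suite names are supported (assumption);
    # OpenSSL aliases such as HIGH, kECDHE or @STRENGTH are not implemented.
    return term == "ALL" or term == suite


def enabled_suites(cipher_string, candidates=CANDIDATE_SUITES):
    """Return the candidates left enabled by an OpenSSL-style cipher string."""
    enabled, excluded = [], set()
    for term in filter(None, cipher_string.split(":")):
        if term.startswith("!"):
            # "!" is a permanent exclusion in OpenSSL, whatever its position
            excluded.update(s for s in candidates if _matches(term[1:], s))
        else:
            for s in candidates:
                if _matches(term, s) and s not in enabled:
                    enabled.append(s)
    return [s for s in enabled if s not in excluded]


def remaining_cbc_suites(cipher_string, candidates=CANDIDATE_SUITES):
    """CBC-mode suites that the cipher string would still leave enabled."""
    return [s for s in enabled_suites(cipher_string, candidates) if is_cbc_suite(s)]


if __name__ == "__main__":
    for cfg in ("ALL:!RC4-SHA:!ECDH-RSA-DES-CBC3-SHA",
                "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"):
        print(cfg, "->", remaining_cbc_suites(cfg))
```

Run against the comment's string, the check shows that ECDHE-RSA-DES-CBC3-SHA (the name in the scan report) and the AES-CBC suites stay enabled, since ALL minus two names is not a CBC-free list; verify the intended string against the suite names your build actually offers before deploying it.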



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)