[jboss-user] [JBoss Remoting] - Disable Weak Ciphers for PCI-DSS
Sunil Babu
do-not-reply at jboss.com
Wed Apr 14 23:51:00 EDT 2010
Sunil Babu [http://community.jboss.org/people/sunilbabu] replied to the discussion
"Disable Weak Ciphers for PCI-DSS"
To view the discussion, visit: http://community.jboss.org/message/537571#537571
--------------------------------------------------------------
I spent lot of time trying to figure this out and hope this help someone.
-Jboss-4.2.3.GA uses Remoting 2.2.2.SP8 and there is no configuration option or property to disable weak ciphers in this version.
-This feature is added in Remoting 2.4.0.Beta2 https://jira.jboss.org/jira/browse/JBREM-703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel https://jira.jboss.org/jira/browse/JBREM-703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel.
So My Options are
1. Update the Remoting.jar to to 2.4.x version but I did not find any document to do this( I was also worried about it's impact on my swing clients and webservice).
2. Hack the Remoting 2.2.2.SP8 code and disable the weak ciphers.
Required files: jboss-remoting.jar, jboss-common.jar, jboss-common.jar, SSLSocketServerInvoker.java
Modify 2.2.2-SP8/src/main/org/jboss/remoting/transport/sslsocket/SSLSocketServerInvoker.java file and add strong ciphers
protected ServerSocket createServerSocket(int serverBindPort, int backlog, InetAddress bindAddress) throws IOException
{
ServerSocket ss = getServerSocketFactory().createServerSocket(serverBindPort, backlog, bindAddress);
if (ss instanceof SSLServerSocket) {
SSLServerSocket sss = (SSLServerSocket) ss;
String[] enabledCipherSuits = {"SSL_RSA_WITH_RC4_128_MD5","SSL_RSA_WITH_RC4_128_SHA","SSL_RSA_WITH_3DES_EDE_CBC_SHA","SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA","SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA"};
sss.setEnabledCipherSuites(enabledCipherSuits);
}
return ss;
}
Compile the file
javac -cp jboss-remoting.jar:jboss-common.jar:log4j.jar SSLSocketServerInvoker.java
Update Jar with new file
jar uf jboss-remoting.jar org/jboss/remoting/transport/sslsocket/SSLSocketServerInvoker.class
3. Update my server to Jboss-5x and use "enabledCipherSuites" property (I am working on this now ).
--------------------------------------------------------------
Reply to this message by going to Community
[http://community.jboss.org/message/537571#537571]
Start a new discussion in JBoss Remoting at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2050]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20100414/c661671e/attachment.html
More information about the jboss-user
mailing list