[jbossws-users] [JBossWS] - How to disable weak ciphersuites for a SSL secured webservice

Wolfgang Moser wolfgang.moser at src-gmbh.de
Fri Mar 30 12:17:07 EDT 2007


Hello there at JBossWS,

(please excuse me for sending this message twice, it seems
I didn't format my subject line correctly, so the message
wasn't put through onto the forum)


I'm developing for a WebServices application that runs on
  JBoss 4.0.5.GA  with  JBossWS 1.0.4.GA

We managed to set up JBoss as well as the deployed
WebService to only allow SSL connections (with user
authentication).


Unfortunately we don't see a way to disable all the weak
ciphersuites (like DES40, RC4_40 or standard DES) for that
SSL secured webservice, so that the server acts in a way
that it will never accept such weak ciphersuites on the
initial SSL handshake.


I did already check out:
	http://jira.jboss.com/jira/browse/JBAS-1983
but was not able to configure the ciphersuites accordingly
(this included JBAS-2785). I wasn't able to check
whether these settings would change anything on WebServices,
since JBoss doesn't start due to a null pointer exception
(see attachment). As some debugging reveals, this is
because the member "securityDomain" within:
    org.jboss.security.ssl.ServerSocketFactory
seems to not get initialized.


Any hints on how to select or to configure
the ciphersuites being accepted by our SSL enabled
WebServices application would be much appreciated.

--
With kind regards,

	Wolfgang Moser

_______________________________________________________________

SRC Security Research & Consulting GmbH
Graurheindorfer Str. 149 a      Tel: +49(0)228-2806-149
53117 Bonn                      Fax: +49(0)228-2806-199
http://www.src-gmbh.de          Mob: +49(0)
Handelsregister Bonn: HRB 9414	Geschäftsführer: Gerd Cimiotti

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: jbossserversocketexception.txt
Url: http://lists.jboss.org/pipermail/jbossws-users/attachments/20070330/de29392a/attachment.txt 
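
The behaviour asked for in the message above (a server that never offers DES40, RC4_40 or single-DES suites in the handshake), sketched at the plain JSSE level. This is an added example, not code from the original post or from JBoss; the class name, the marker list beyond the three suites named in the post, and the sample suite names are assumptions, and it does not show JBoss or connector configuration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class StrongSuitesOnly {
    // Name fragments of suites to refuse: DES40, RC4_40 and single DES come from
    // the post; EXPORT, NULL and anonymous suites are an added assumption.
    static final String[] WEAK = {"DES40", "RC4_40", "_DES_", "EXPORT", "_NULL_", "_anon_"};

    static boolean isWeak(String suite) {
        for (String marker : WEAK) {
            if (suite.contains(marker)) return true;
        }
        return false;
    }

    // Returns the input list with every weak suite removed, order preserved.
    static String[] filter(String[] suites) {
        List<String> keep = new ArrayList<String>();
        for (String s : suites) {
            if (!isWeak(s)) keep.add(s);
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list using standard JSSE suite names.
        String[] sample = {
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
            "SSL_RSA_WITH_DES_CBC_SHA",
            "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",   // "_3DES_" does not match "_DES_"
            "TLS_RSA_WITH_AES_128_CBC_SHA"
        };
        for (String s : filter(sample)) System.out.println("kept (sample): " + s);

        // Same filter on a real server socket: narrow the already-enabled list,
        // so nothing the JVM disabled by default gets switched back on.
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket server = (SSLServerSocket) f.createServerSocket(0);
        try {
            server.setEnabledCipherSuites(filter(server.getEnabledCipherSuites()));
            for (String s : server.getEnabledCipherSuites()) System.out.println("enabled: " + s);
        } finally {
            server.close();
        }
    }
}
```

A suite that is not in the enabled list is never selected by the server, so a client offering only the filtered suites fails the handshake.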

