Is SSLv3 disabled by default in JBoss EAP?


Environment

  • Red Hat JBoss Enterprise Application Platform (EAP) 6

Issue

  • Does EAP disable SSLv3 by default?
  • I tried using protocol="all" but SSLv3 was not enabled in EAP.
  • I tried using protocol="SSLv3" but SSLv3 was not enabled.
  • How do I enable SSLv3 in JBoss?

Resolution

Note: SSLv3 has vulnerabilities inherent in the protocol specification itself, so every implementation of SSLv3 is considered insecure. Red Hat recommends that SSLv3 be disabled, as described in CVE-2014-3566.

All Java runtimes have disabled SSLv3 support following the discovery of the POODLE vulnerability. For example, Oracle JDK 8u31 and Oracle JDK 7u75 disabled support for SSLv3. This was done by adding SSLv3 to the list of disabled algorithms in $JAVA_HOME/jre/lib/security/java.security. Once SSLv3 is disabled through jdk.tls.disabledAlgorithms, it cannot be enabled in that runtime at all, even if an application attempts to enable it explicitly. To verify that your Java runtime has SSLv3 disabled, check for the following line in $JAVA_HOME/jre/lib/security/java.security:

jdk.tls.disabledAlgorithms=SSLv3

Starting in JBoss Enterprise Application Platform (EAP) 6.4, SSLv3 is disabled by default for the web subsystem. This only disables it by default; it can still be enabled explicitly by adding "SSLv3" to the protocol list of the ssl connectors defined in the web subsystem. For example:

<connector enabled="true" name="https" protocol="HTTP/1.1" scheme="https" secure="true" socket-binding="https">
    <ssl name="ssl" protocol="SSLv3,TLSv1,TLSv1.1,TLSv1.2" .../>
</connector>

Note that protocol="all" does not count as enabling SSLv3 explicitly; SSLv3 must be named in the protocol list.
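As an added example (not from this Red Hat solution), the following Python check applies the two rules above to a constructed java.security excerpt and a constructed web-subsystem excerpt: SSLv3 is only reachable when the JVM does not list it in jdk.tls.disabledAlgorithms and a connector names it explicitly, with protocol="all" not counting. The sample file contents and connector names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of java.security (values may continue over lines ending in "\").
JAVA_SECURITY_SAMPLE = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768
"""

# Constructed web-subsystem excerpt: one connector names SSLv3, one relies on "all".
WEB_SUBSYSTEM_SAMPLE = """\
<subsystem xmlns="urn:jboss:domain:web:2.2">
  <connector enabled="true" name="https" protocol="HTTP/1.1" scheme="https" secure="true" socket-binding="https">
    <ssl name="ssl" protocol="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>
  </connector>
  <connector enabled="true" name="https-all" protocol="HTTP/1.1" scheme="https" secure="true" socket-binding="https-all">
    <ssl name="ssl" protocol="all"/>
  </connector>
</subsystem>
"""

def disabled_algorithms(java_security_text):
    """Entries of jdk.tls.disabledAlgorithms as a set, after joining backslash-continued lines."""
    joined = re.sub(r"\\\s*\n", "", java_security_text)
    for line in joined.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            return {v.strip() for v in value.split(",") if v.strip()}
    return set()

def connectors_naming_sslv3(subsystem_xml):
    """Connector names whose <ssl protocol="..."> lists SSLv3 explicitly; "all" does not count."""
    names = []
    for connector in ET.fromstring(subsystem_xml).iter():
        if connector.tag.split("}")[-1] != "connector":  # strip the XML namespace prefix
            continue
        for ssl in connector:
            if ssl.tag.split("}")[-1] == "ssl":
                protocols = {p.strip() for p in ssl.get("protocol", "").split(",")}
                if "SSLv3" in protocols:
                    names.append(connector.get("name"))
    return names

def sslv3_effectively_enabled(java_security_text, subsystem_xml):
    """SSLv3 is reachable only if the JVM does not disable it AND a connector names it explicitly."""
    if "SSLv3" in disabled_algorithms(java_security_text):
        return False  # JVM-level disabling cannot be overridden by the connector
    return bool(connectors_naming_sslv3(subsystem_xml))
```

Point the functions at the real $JAVA_HOME/jre/lib/security/java.security and the web subsystem of standalone.xml to audit an installation.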
