Disabling SSLv2 in JBoss Fuse 6.x and JBoss A-MQ 6.x

Solution Unverified - Updated -

Environment

  • Red Hat JBoss Fuse

    • 6.2.1
    • 6.2
    • 6.1.1
    • 6.1
    • 6.0
  • Red Hat JBoss A-MQ

    • 6.2.1
    • 6.2
    • 6.1.1
    • 6.1
    • 6.0

Issue

Resolution

JBoss Fuse and JBoss A-MQ ship multiple components that support SSL.
Disabling SSLv2 to guard against the DROWN vulnerability (CVE-2016-0800) may therefore require changing the SSL configuration in more than one place, depending on which components use SSL.


Embedded Pax-Web Jetty server

SSLv2 is not available with the Jetty SSL Connector, hence there is no need to disable it.


Embedded ActiveMQ broker

The default embedded ActiveMQ broker configuration does not create an SSL transport connector. If you manually added an SSL transport connector, you can restrict the SSL protocols supported by the broker with the transport.enabledProtocols option:

<transportConnector name="ssl" uri="ssl://localhost:61617?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"></transportConnector>

This configuration restricts the ActiveMQ SSL connector to TLSv1, TLSv1.1 and TLSv1.2 only.
SSLv3 and SSLv2 will not be supported.


Camel components using SSLContextParameters

Customer applications using HTTPS that create connections through SSLContextParameters with the default protocol of "TLS" are vulnerable. To mitigate this vector, customers need to explicitly set the list of protocols their application is permitted to use. This can be done as shown below.

// Camel 2.x classes (package org.apache.camel.util.jsse)
import org.apache.camel.util.jsse.SSLContextParameters;
import org.apache.camel.util.jsse.SecureSocketProtocolsParameters;

SSLContextParameters sslContextParameters = new SSLContextParameters();
sslContextParameters.setSecureSocketProtocols(new SecureSocketProtocolsParameters());
// Only the protocols listed here are enabled; SSLv2 and SSLv3 are left out
sslContextParameters.getSecureSocketProtocols().getSecureSocketProtocol().add("TLSv1.2");
sslContextParameters.getSecureSocketProtocols().getSecureSocketProtocol().add("TLSv1.1");
sslContextParameters.getSecureSocketProtocols().getSecureSocketProtocol().add("TLSv1");

or in Spring / Blueprint

<camel:sslContextParameters id="sslContextParameters">
  <camel:secureSocketProtocols>
    <camel:secureSocketProtocol>TLSv1</camel:secureSocketProtocol>
    <camel:secureSocketProtocol>TLSv1.1</camel:secureSocketProtocol>
    <camel:secureSocketProtocol>TLSv1.2</camel:secureSocketProtocol>
  </camel:secureSocketProtocols>
</camel:sslContextParameters>

using either the namespace xmlns:camel="http://camel.apache.org/schema/spring" or xmlns:camel="http://camel.apache.org/schema/blueprint".
Not all SSL-enabled Camel components support SSLContextParameters. For a list of supported components, consult the Camel documentation.


CXF Endpoints

SSL-enabled CXF endpoints either use the Pax-Web HTTP stack (when they run inside a Karaf OSGi container) or create their own HTTP stack.
When Pax-Web's HTTP stack is used, the notes in section 'Embedded Pax-Web Jetty server' apply for disabling support for SSLv2.
If the CXF endpoint uses its own HTTP stack (by specifying its own hostname and port number), an update to one of the following patches is needed in order to disable SSLv2 and SSLv3:

  • JBoss Fuse 6.1 Rollup 1 Patch 2
  • JBoss Fuse 6.0 Rollup 2 Patch 4

JBoss Fuse 6.2 and higher already have SSLv2 and SSLv3 disabled in CXF by default.


LDAP SSL

For customers connecting to an Apache Directory Server configured with an SSL endpoint, you can configure the connection to use TLSv1 instead of the default SSL by setting the ssl.protocol attribute as shown below. This is configured in the ldap-module.xml file you created when enabling LDAP as per Enable LDAP Authentication in the OSGi Container.

<jaas:config name="karaf" rank="1">
  <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    connection.username=uid=admin,ou=system
    connection.password=secret
    connection.protocol=
    connection.url = ldaps://localhost:10636
    user.base.dn = ou=users,ou=system
    user.filter = (uid=%u)
    user.search.subtree = true
    role.base.dn = ou=users,ou=system
    role.filter = (uid=%u)
    role.name.attribute = ou
    role.search.subtree = true
    authentication = simple
    ssl.protocol=TLSv1
    ssl.truststore=truststore
    ssl.algorithm=PKIX
  </jaas:module>
</jaas:config>

For more information with regards to enabling SSL for LDAP, refer to Enable SSL/TLS on the LDAP Connection.


Management Console JMX

Edit the file $FUSE_HOME/etc/org.apache.karaf.management.cfg and set the secureProtocol property. For example:

secured = true
secureProtocol = TLSv1
keyAlias = jbossalias
keyStore = sample_keystore
trustStore = sample_keystore

For more information regarding SSL configuration for JMX, refer to Enabling Remote JMX SSL.
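As an added example (not code from this article or from Red Hat), the following Python script applies the checks described above to the three configuration files this article covers: the ActiveMQ transportConnector URI in activemq.xml, the ssl.protocol entry in ldap-module.xml, and the secureProtocol property in org.apache.karaf.management.cfg. The sample inputs are constructed, and the ActiveMQ parsing assumes the standard core namespace on the broker element.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

WEAK = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"}  # names that admit SSLv2/SSLv3

def activemq_findings(activemq_xml):
    """One finding per SSL transportConnector not restricted to TLS-only."""
    out = []
    for el in ET.fromstring(activemq_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "transportConnector":  # drop namespace
            continue
        uri = urlparse(el.get("uri", ""))
        if "ssl" not in uri.scheme:  # ssl:// or nio+ssl://; tcp:// is skipped
            continue
        opts = parse_qs(uri.query).get("transport.enabledProtocols")
        if not opts:
            out.append(f"{el.get('name')}: no enabledProtocols, JVM default applies")
        elif WEAK & set(opts[0].split(",")):
            out.append(f"{el.get('name')}: enabledProtocols includes an SSLv2/SSLv3 name")
    return out

def ldap_findings(ldap_module_xml):
    """A missing ssl.protocol means the LDAPLoginModule default of SSL."""
    m = re.search(r"^\s*ssl\.protocol\s*=\s*(\S+)", ldap_module_xml, re.M)
    if m is None:
        return ["ldap: ssl.protocol not set, default SSL used"]
    return [f"ldap: ssl.protocol={m.group(1)}"] if m.group(1) in WEAK else []

def jmx_findings(management_cfg):
    """With secured=true, secureProtocol must be set to a TLS version."""
    kv = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S*)", management_cfg, re.M))
    if kv.get("secured", "false").lower() != "true":
        return []  # JMX is not using SSL at all; nothing to check here
    proto = kv.get("secureProtocol")
    if proto is None:
        return ["jmx: secureProtocol not set"]
    return [f"jmx: secureProtocol={proto}"] if proto in WEAK else []

# Constructed sample: a broker with one unrestricted SSL connector, then the
# same broker with the enabledProtocols restriction from the article applied.
WEAK_AMQ = ('<broker xmlns="http://activemq.apache.org/schema/core"><transportConnectors>'
            '<transportConnector name="ssl" uri="ssl://0.0.0.0:61617"/>'
            '<transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>'
            '</transportConnectors></broker>')
FIXED_AMQ = WEAK_AMQ.replace("61617", "61617?transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2")

if __name__ == "__main__":
    print(activemq_findings(WEAK_AMQ), activemq_findings(FIXED_AMQ))
```

Run it against the real files by reading them into the three functions; an empty list from all three means none of the documented settings still admits SSLv2 or SSLv3.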

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

3 Comments

A very related KCS article: Disabling SSLv3 in JBoss Fuse 6.x and JBoss A-MQ 6.x for how to protect against the POODLE SSLv3 vulnerability CVE-2014-3566.

Also upgrade the JDK to at least JDK 8u31, JDK 7u75, JDK 6u91, Oracle JRockit 28.3.5 or Oracle JRockit R27.8.5, or above.

Starting with the January 20, 2015 Critical Patch Update releases (JDK 8u31, JDK 7u75, JDK 6u91, Oracle JRockit 28.3.5, Oracle JRockit R27.8.5, and above) the Java Runtime Environment has SSLv3 disabled by default.[1]

[1] http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html