The POODLE bug (CVE-2014-3566) affects nearly everything and everybody is trying to secure all of their systems. That includes your JBoss servers. Securing your JBoss 4 or 5 has one pitfall, which I am going to explain in this post. Apart from that it’s easy.
I stumbled on this issue when securing the web interface of a customer’s JON server. (Important note: the following snippet will not work around POODLE for communication from JON server to JON agent!) JON is by default configured to use TLS, so there is a poodle protection installed by default.
Yeahh, well… let’s verify that:
echo "" | openssl s_client -ssl3 -connect  your.server.dns.or.ip:7443
Surprise, surprise: Even with TLS configured the SSL-Session using SSLv3 was established successfuly!
SSL-Session:
Protocol  : SSLv3
Cipher    : DHE-RSA-AES256-SHA
Session-ID: XXX
Session-ID-ctx:
Master-Key: XXX
Key-Arg   : None
Krb5 Principal: None
Start Time: 1413471616
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
The cause for that is that the tomcat configuration doesn’t work as I would expect it. The following configuration does NOT do the trick (server.xml of the deployed tomcat):
<!-- Does NOT work! -->
<Connector port="7443"
address="0.0.0.0"
protocol="HTTP/1.1"
scheme="https"
...
secure="true"
SSLEnabled="true"
sslProtocol="TLS"
... >
<!-- Does NOT work! -->
The RedHat guys actually posted the solution but it’s easy to mistake the important point. The following configuration bans your evil poodle:
<Connector port="7443"
address="0.0.0.0"
protocol="HTTP/1.1"
scheme="https"
...
secure="true"
SSLEnabled="true"
sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
... >
Ok there is one obvious (and also important!) difference and one subtle difference. The obvious one is that it is "TLSv1,TLSv1.1,TLSv1.2" and not "TLS". By the way TLSv1.2 is only available from JDK 1.7 on.
But there is also the subtle difference of a single “s” which is very important, because without it it does NOT work. To make it clear, it will only work with "sslProtocols" and will NOT work with "sslProtocol".
That is confusing for me because I have never seen that option documented but the documented option seems to have no effect at all. So I suspect there is a typo in either the code or the documentation.
Hope I could help you somehow! If you’ve got any questions feel free to comment on this post. Good luck on your poodle fighting!
Hi!
[Host Controller] Message: JBAS014788: Unexpected attribute is found ‘sslProtocols…
:-/
The string “[Host Controller]” looks like you’re working with JBoss AS / EAP 6, right? The syntax is completely different there. You’ve got . See
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html/Security_Guide/Implement_SSL_Encryption_for_the_JBoss_Enterprise_Application_Platform_Web_Server1.html
Yes! JBoss EAP 6.2.
Thank you very much.
Best regards.