The POODLE bug (CVE-2014-3566) affects nearly everything, and everybody is trying to secure all of their systems. That includes your JBoss servers. Securing JBoss 4 or 5 has one pitfall, which I am going to explain in this post. Apart from that it’s easy.
I stumbled on this issue when securing the web interface of a customer’s JON server. (Important note: the following snippet will not work around POODLE for the communication from JON server to JON agent!) JON is configured to use TLS by default, so POODLE protection should be in place out of the box.
Yeahh, well… let’s verify that:
[sourcecode]
echo "" | openssl s_client -ssl3 -connect your.server.dns.or.ip:7443
[/sourcecode]
Surprise, surprise: even with TLS configured, the SSL session using SSLv3 was established successfully!
[sourcecode]
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: XXX
    Session-ID-ctx:
    Master-Key: XXX
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1413471616
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
[/sourcecode]
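When reading `openssl s_client -ssl3` output, the `Protocol : SSLv3` line alone is not the indicator: s_client prints that line whether or not the server accepted the handshake, because `-ssl3` fixes the client side. What distinguishes an established session from a refused one is a non-empty `Master-Key`. The following helper, an added example that is not part of the original post, parses the session block and reports whether SSLv3 was actually negotiated. Both sample outputs are constructed; the refused-handshake sample assumes the empty `Master-Key:` line that OpenSSL 1.0.x prints when the server rejects SSLv3.

```python
"""Decide from `openssl s_client -ssl3` output whether the server accepted
SSLv3. Added example, not code from the original post."""
import re

# Constructed sample: the accepted handshake shown in the post (values XXX'd).
ACCEPTED = """SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: XXX
    Session-ID-ctx:
    Master-Key: XXX
    Key-Arg   : None
    Start Time: 1413471616
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample of a refused handshake (assumed OpenSSL 1.0.x format):
# Protocol still says SSLv3, but no cipher and no master key were agreed.
REFUSED = """SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Start Time: 1413471616
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
"""

_FIELD = re.compile(r"^\s*([A-Za-z0-9 -]+?)\s*:\s*(.*?)\s*$")


def parse_session(output):
    """Return the SSL-Session block as a dict of field -> value."""
    fields = {}
    in_block = False
    for line in output.splitlines():
        if line.startswith("SSL-Session:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def sslv3_accepted(output):
    """True only if an SSLv3 session with real key material was established."""
    s = parse_session(output)
    protocol = s.get("Protocol", "")
    master_key = s.get("Master-Key", "")
    cipher = s.get("Cipher", "")
    return protocol == "SSLv3" and master_key != "" and cipher not in ("", "0000")


if __name__ == "__main__":
    for name, sample in (("accepted", ACCEPTED), ("refused", REFUSED)):
        print(f"{name}: SSLv3 negotiated = {sslv3_accepted(sample)}")
```

In practice, pipe the live output into this (`echo "" | openssl s_client -ssl3 -connect host:7443 2>/dev/null | python3 check.py` with a small stdin wrapper) and treat a `True` as "still vulnerable to POODLE".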
The cause is that the Tomcat configuration doesn’t work the way I would expect. The following configuration does NOT do the trick (server.xml of the deployed Tomcat):
[sourcecode language="xml"]
<!-- Does NOT work! -->
<Connector port="7443" address="0.0.0.0" protocol="HTTP/1.1" scheme="https"
           ...
           secure="true" SSLEnabled="true" sslProtocol="TLS"
           ... >
<!-- Does NOT work! -->
[/sourcecode]
The Red Hat guys actually posted the solution, but it’s easy to miss the important point. The following configuration bans your evil poodle:
[sourcecode language="xml"]
<Connector port="7443" address="0.0.0.0" protocol="HTTP/1.1" scheme="https"
           ...
           secure="true" SSLEnabled="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ... >
[/sourcecode]
OK, there is one obvious (and also important!) difference and one subtle difference. The obvious one is that the value is "TLSv1,TLSv1.1,TLSv1.2" and not "TLS". By the way, TLSv1.2 is only available from JDK 1.7 on.
But there is also the subtle difference of a single “s”, which is very important, because without it the setting does NOT work. To make it clear: it will only work with "sslProtocols" and will NOT work with "sslProtocol".
That is confusing to me, because I have never seen the "sslProtocols" option documented, while the documented option seems to have no effect at all. So I suspect there is a typo in either the code or the documentation.
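Because the difference is a single letter that a code review can easily overlook, it is worth checking server.xml mechanically. The following auditor is an added example, not code from the original post or from Red Hat: it walks every `<Connector>` with `SSLEnabled="true"` and applies exactly the rule described above, namely that only `sslProtocols` takes effect on the JBoss 4/5 Tomcat and that the list must not contain SSLv3 (or SSLv2). The sample server.xml is constructed and places the non-working and working connectors from the post side by side, plus a connector that explicitly lists SSLv3 and a plain HTTP connector.

```python
"""Audit Tomcat/JBoss server.xml HTTPS connectors for the POODLE pitfall
described in the post. Added example, not the project's own code.

Assumption (from the post's observation, not from Tomcat docs): on the
JBoss 4/5 Tomcat only `sslProtocols` is honoured; `sslProtocol` is ignored."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml with four connectors.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="7443" address="0.0.0.0" protocol="HTTP/1.1" scheme="https"
               secure="true" SSLEnabled="true" sslProtocol="TLS"/>
    <Connector port="8443" address="0.0.0.0" protocol="HTTP/1.1" scheme="https"
               secure="true" SSLEnabled="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="9443" address="0.0.0.0" protocol="HTTP/1.1" scheme="https"
               secure="true" SSLEnabled="true" sslProtocols="SSLv3,TLSv1"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Protocol names that must never appear in an sslProtocols list.
LEGACY_SSL = {"SSLv2", "SSLv3"}


def audit_connector(conn):
    """Return (port, verdict, reason) for one <Connector> element."""
    port = conn.get("port", "?")
    if conn.get("SSLEnabled", "false").lower() != "true":
        return port, "skip", "not an SSL connector"

    plural = conn.get("sslProtocols")     # the attribute that actually works
    singular = conn.get("sslProtocol")    # the documented one that had no effect

    if plural is None:
        if singular is not None:
            return (port, "FAIL",
                    f'only sslProtocol="{singular}" is set; this had no effect '
                    f"in the post's test and SSLv3 was still negotiated")
        return port, "FAIL", "no sslProtocols restriction at all"

    enabled = {p.strip() for p in plural.split(",") if p.strip()}
    if not enabled:
        return port, "FAIL", "sslProtocols is empty"
    bad = sorted(enabled & LEGACY_SSL)
    if bad:
        return port, "FAIL", f"sslProtocols explicitly enables {', '.join(bad)}"
    return port, "OK", f"sslProtocols restricts to {', '.join(sorted(enabled))}"


def audit_server_xml(xml_text):
    """Audit every Connector in a server.xml document; returns a list of findings."""
    root = ET.fromstring(xml_text)
    return [audit_connector(c) for c in root.iter("Connector")]


if __name__ == "__main__":
    for port, verdict, reason in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {verdict} - {reason}")
```

Run it against the real file with `audit_server_xml(open("server.xml").read())`; a `FAIL` on the 7443 connector is the exact misconfiguration the post describes, and the `openssl s_client -ssl3` check above remains the final word, since the configuration file only tells you what was intended, not what the running JVM negotiates.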
Hope I could help you somehow! If you’ve got any questions, feel free to comment on this post. Good luck with your poodle fighting!