The POODLE bug (CVE-2014-3566) affects nearly everything and everybody is trying to secure all of their systems. That includes your JBoss servers. Securing your JBoss 4 or 5 has one pitfall, which I am going to explain in this post. Apart from that it’s easy.
I stumbled on this issue when securing the web interface of a customer’s JON server. (Important note: the following snippet will not work around POODLE for communication from the JON server to the JON agent!) JON is configured to use TLS by default, so POODLE protection should be in place out of the box.
Yeahh, well… let’s verify that:
echo "" | openssl s_client -ssl3 -connect  your.server.dns.or.ip:7443
Surprise, surprise: even with TLS configured, an SSL session using SSLv3 was established successfully!
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: XXX
    Session-ID-ctx:
    Master-Key: XXX
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1413471616
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
The cause is that the Tomcat configuration doesn’t behave as I would expect. The following configuration does NOT do the trick (server.xml of the deployed Tomcat):
<!-- Does NOT work! -->
<Connector port="7443" address="0.0.0.0" protocol="HTTP/1.1" scheme="https"
           ...
           secure="true" SSLEnabled="true" sslProtocol="TLS"
           ... >
<!-- Does NOT work! -->
The Red Hat guys actually posted the solution, but it’s easy to miss the important point. The following configuration bans your evil poodle:
<Connector port="7443" address="0.0.0.0" protocol="HTTP/1.1" scheme="https"
           ...
           secure="true" SSLEnabled="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ... >
Ok, there is one obvious (and also important!) difference and one subtle difference. The obvious one is that it is "TLSv1,TLSv1.1,TLSv1.2" and not "TLS". By the way, TLSv1.2 is only available from JDK 1.7 on. But there is also the subtle difference of a single “s”, which is very important, because without it, it does NOT work. To make it clear: it will only work with "sslProtocols" and will NOT work with "sslProtocol".
That is confusing for me, because I have never seen that option documented, while the documented option seems to have no effect at all. So I suspect there is a typo in either the code or the documentation.
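Because the difference is a single letter, it is easy to get wrong across many server.xml files. The following script is an added example (not code from the original post or from Red Hat) that audits the SSL-enabled Connector elements of a JBoss 4/5 embedded Tomcat server.xml for exactly this pitfall: it flags connectors that only set sslProtocol (ignored here, so SSLv3 stays on), connectors with no restriction at all, and connectors whose sslProtocols list still contains a non-TLS protocol. The server.xml fragment embedded in it is constructed for the demo; the attribute names are those from the post.

```python
"""Audit a JBoss 4/5 (embedded Tomcat) server.xml for the POODLE pitfall:
an HTTPS Connector that sets sslProtocol="TLS" (no effect on this Tomcat,
SSLv3 stays enabled) instead of sslProtocols with an explicit TLS-only list.

Added example, not the original post's code. SAMPLE_SERVER_XML is a
constructed fragment; real deployments would read the file from disk.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: a plain HTTP connector, a connector with
# the non-working attribute, and a connector with the working fix.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="7080" address="0.0.0.0" protocol="HTTP/1.1"/>
    <Connector port="7443" address="0.0.0.0" protocol="HTTP/1.1"
               scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS"/>
    <Connector port="8443" address="0.0.0.0" protocol="HTTP/1.1"
               scheme="https" secure="true" SSLEnabled="true"
               sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Service>
</Server>"""

# Protocol names that are acceptable in sslProtocols; anything else
# (SSLv3, SSLv2Hello, ...) is reported.
SAFE_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}


def audit_connectors(xml_text):
    """Return a list of (port, ok, reason) for every SSLEnabled Connector.

    ok is True only when sslProtocols is present and lists TLS versions only.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: nothing to check
        port = conn.get("port", "?")
        protocols = conn.get("sslProtocols")
        if protocols is None:
            if conn.get("sslProtocol"):
                # The single-"s" attribute is the documented one but has no
                # effect on this Tomcat build, so SSLv3 is still offered.
                reason = "sslProtocol set but sslProtocols missing; SSLv3 still enabled"
            else:
                reason = "no sslProtocols attribute; SSLv3 still enabled"
            findings.append((port, False, reason))
            continue
        listed = {p.strip() for p in protocols.split(",") if p.strip()}
        unsafe = sorted(listed - SAFE_PROTOCOLS)
        if unsafe:
            findings.append((port, False, "sslProtocols allows " + ",".join(unsafe)))
        else:
            findings.append((port, True, "sslProtocols=" + protocols))
    return findings


def audit_file(path):
    """Convenience wrapper: audit a server.xml on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_connectors(fh.read())


if __name__ == "__main__":
    for port, ok, reason in audit_connectors(SAMPLE_SERVER_XML):
        print(("OK   " if ok else "FAIL ") + "port " + port + ": " + reason)
```

Run it against the embedded sample and port 7443 is reported as failing while 8443 passes; point audit_file() at the deployed server.xml to check a real instance. The script only inspects configuration; to confirm the running server no longer negotiates SSLv3, re-run the openssl s_client -ssl3 check from above after the restart.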
Hope I could help you somehow! If you’ve got any questions feel free to comment on this post. Good luck on your poodle fighting!
Hi!
[Host Controller] Message: JBAS014788: Unexpected attribute is found ‘sslProtocols…
:-/
The string “[Host Controller]” looks like you’re working with JBoss AS / EAP 6, right? The syntax is completely different there. You’ve got . See
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html/Security_Guide/Implement_SSL_Encryption_for_the_JBoss_Enterprise_Application_Platform_Web_Server1.html
Yes! JBoss EAP 6.2.
Thank you very much.
Best regards.