The use of SSLv3.0/TLSv1.0 in combination with certain encryption techniques (CBC block
ciphers) may allow an attacker to predict the so-called Initialization Vector of subsequent SSL
packets. Using this information, the attacker can access the secure session of another user. This
attack, named BEAST (Browser Exploit Against SSL/TLS), is aimed at the user's browser and not
at the web server. Nevertheless, it is possible to take countermeasures at the server side as well
to prevent a successful attack.
The complete solution to this problem is disabling or deprioritizing the support for
vulnerable encryption ciphers (CBC block ciphers) when using SSLv3.0/TLSv1.0. Commonly, this
can be achieved by prioritizing RC4 ciphers in the cipher negotiation process.
For Apache web servers that support SSLv3.0/TLSv1.0 this can be configured by adding the
following configuration:
SSLProtocol All -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
For Apache web servers that support SSLv3.1/TLSv1.1 and higher, it is recommended to use the
following configuration:
SSLProtocol All -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
As far as I know, JBoss 7 is based on a version of Apache that supports SSLv3.1/TLSv1.1 (maybe I am wrong), so the second alternative can be applied to JBoss 7.
My question is: Where/How should I configure it?
Best Answer
I am not sure if this could be applied directly to JBoss unless you want to front-end Apache as a web server to JBoss. Please look at the following feature request to address this issue; it hasn't been addressed yet since the issue is still open. https://issues.jboss.org/browse/AS7-5501.