SSL – How to Make JBoss 5.1.0 GA Meet Diffie-Hellman Standards

Tags: jboss, logjam, security, ssl, xml

As non-experts on web server administration and security, we are struggling to update our JBoss 5.1.0 GA web server configuration to meet Diffie-Hellman standards. JBoss was installed for us as part of the middle tier in a larger platform. We have seen documentation for other servers here, a solution for another version of JBoss here, and something that worked for the same version of JBoss for the poster but has not worked for us here. The connector tag in our original server.xml file has sslProtocol = "TLS" and there is no ciphers attribute at all.

We have tried changing the sslProtocol = "TLS" setting to the plural sslProtocols = "TLSv1,TLSv1.1,TLSv1.2" instead and restarting JBoss, but this appears to have no effect. Does anyone know of useful free resources out there to make JBoss 5.1.0 GA meet Diffie-Hellman standards? Thank you.

Best Answer

For anyone else who has run into this with JBoss 5.1.0 GA, the settings that ended up working for us were similar to this:

<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8543"
           address="${jboss.bind.address}" scheme="https" secure="true"
           clientAuth="false"
           keystoreFile="/opt/novell/idm/jre/bin/mycert.keystore"
           keystorePass="mypassword"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    SSL_RSA_WITH_RC4_128_SHA" />
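As an added check that is not part of either post above, the script below parses a server.xml and reports, per SSL connector, the settings a Logjam review would question: a missing explicit cipher list, SSLv3, and finite-field DHE, export, anonymous, NULL or RC4 suites. The sample server.xml, its ports and keystore paths are constructed placeholders modelled on the question's "before" connector and the answer's "after" connector.

```python
"""Audit SSL <Connector> settings in a JBoss 5.1 server.xml for Logjam-era weaknesses."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: port 8443 mirrors the question (sslProtocol only, no ciphers),
# port 8543 mirrors the accepted answer's shape. Keystore paths are placeholders.
SAMPLE_SERVER_XML = """<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" scheme="https"
    secure="true" sslProtocol="TLS" keystoreFile="/placeholder/path.keystore"/>
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8543" scheme="https"
    secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    keystoreFile="/placeholder/path.keystore"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
             SSL_RSA_WITH_RC4_128_SHA"/>
</Service></Server>"""

# Suite-name patterns flagged in an explicit cipher list. The DHE pattern is anchored
# so that ECDHE suites (which Logjam does not affect) are not matched.
WEAK_SUITE_PATTERNS = [
    ("finite-field DHE/DH (Logjam)", re.compile(r"^(?:TLS|SSL)_DHE?_")),
    ("export-grade", re.compile(r"_EXPORT")),
    ("anonymous", re.compile(r"_anon_")),
    ("NULL cipher", re.compile(r"_NULL_")),
    ("RC4", re.compile(r"_RC4_")),
]
BAD_PROTOCOLS = {"SSLv2Hello", "SSLv3"}


def audit_connector(conn):
    """Return the list of findings for one SSL-enabled <Connector> element."""
    findings = []
    protos = conn.get("sslEnabledProtocols")
    if protos is None:
        findings.append("sslEnabledProtocols not set: protocol list is the JVM default")
    else:
        findings += [f"protocol {p} enabled" for p in
                     (x.strip() for x in protos.split(",")) if p in BAD_PROTOCOLS]
    ciphers = conn.get("ciphers")
    if ciphers is None:  # JVM default list applies; older JREs enable DHE suites
        findings.append("no ciphers attribute: JVM default suites apply (may include DHE)")
        return findings
    for suite in (s.strip() for s in ciphers.split(",") if s.strip()):
        findings += [f"{label} suite enabled: {suite}"
                     for label, pat in WEAK_SUITE_PATTERNS if pat.search(suite)]
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c)
            for c in root.iter("Connector") if c.get("SSLEnabled") == "true"}
```

Running `audit_server_xml(SAMPLE_SERVER_XML)` flags the 8443 connector for relying on JVM defaults and the 8543 connector only for its RC4 suite.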