什么是用于缓解Logjam / weakdh.org的正确的JBoss EAP 6.0.1密码套件配置? [英] What is the correct JBoss EAP 6.0.1 cipher-suite configuration for mitigation of Logjam / weakdh.org?
问题描述
由于注意到logjam和网站 https://weakdh.org/ (Logjam:How Diffie- Hellman Fails in Practice)最近几天收到了,我决定在我的JBoss EAP 6.0.1系统上加强SSL配置,如下所述:
Because of the attention that logjam and the website https://weakdh.org/ (Logjam: How Diffie-Hellman Fails in Practice) has received in recent days, I decided to harden the SSL configuration on my JBoss EAP 6.0.1 system as described here:
13.2.5. SSL Connector Reference: https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/Administration_and_Configuration_Guide/SSL_Connector_Reference1.html
交叉引用到这里: http://www.coderanch.com/t/613062/JBoss/configuring-SSL-Https -Jboss
我的standalone.xml的相关部分包含在下面的混淆形式中:
The relevant portion of my standalone.xml is included in obfuscated form below:
<connector name="https" protocol="HTTP/1.1" scheme="https"
socket-binding="https" secure="true">
<ssl
key-alias="**********"
password="**********"
certificate-key-file="/var/**********/**********.jks"
protocol="TLSv1.2"
cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AE_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA"
/>
</connector>
协议限制正在运行,但据我所知,密码套件属性没有效果。我已将列表缩减为仅两个套件,但JBoss在端口8443上返回的列表始终相同。
我已经针对Qualys SSL实验室对系统进行了测试,并且返回的密码套件列表包含了我的列表中未包含的许多密码。
The protocol restriction is working but the cipher-suite attribute has, as far as I can tell, no effect. I have reduced the list down to just two suites but the list returned by JBoss on port 8443 is always the same. I have tested the system against Qualys SSL Labs and the list of cipher suites returned includes numerous weak of ciphers not included in my list.
Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 768 bits (p: 96, g: 96, Ys: 96) FS INSECURE 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 571 bits (eq. 15360 bits RSA) FS 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 768 bits (p: 96, g: 96, Ys: 96) FS INSECURE 112
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 571 bits (eq. 15360 bits RSA) FS 112
更新:
我试过广告通过CLI调整配置,希望它可以做一些不同的事情:
Update: I tried adjusting the configuration via the CLI in the hope it might do something different:
/subsystem=web/connector=https/ssl=configuration/:write-attribute(name=cipher-suite, value="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA")
然后输出(也对应于新的standalone.xml):
which then outputs (corresponds also to the new standalone.xml):
[standalone@localhost:9999 /] /subsystem=web/connector=https/ssl=configuration/:read-resource(recursive=true,proxies=false,include-runtime=true,include-defaults=true)
{
"outcome" => "success",
"result" => {
"ca-certificate-file" => undefined,
"ca-certificate-password" => undefined,
"ca-revocation-url" => undefined,
"certificate-file" => undefined,
"certificate-key-file" => "/var/xxxx/xxxx-xx/xxxx.jks",
"cipher-suite" => "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA",
"key-alias" => "xxxx",
"keystore-type" => undefined,
"name" => undefined,
"password" => "****",
"protocol" => "TLSv1.2",
"session-cache-size" => undefined,
"session-timeout" => undefined,
"truststore-type" => undefined,
"verify-client" => "false",
"verify-depth" => undefined
},
"response-headers" => {"process-state" => "reload-required"}
}
但使用此命令的nmap:
but nmap using this command:
nmap -p 8443 -A --script ssh-hostkey,ssh2-enum-algos,sshv1,ssl-cert,ssl-date,ssl-enum-ciphers,ssl-google-cert-catalog,ssl-heartbleed,ssl-known-key,sslv2 xxxx.de
坚持认为其他密码套件仍处于活动状态:
insists that the other cipher-suites are still active:
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-31 09:41 W. Europe Daylight Time
Nmap scan report for xxxx.de (x.x.x.x)
Host is up (0.031s latency).
PORT STATE SERVICE VERSION
8443/tcp open ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-cert: Subject: commonName=xxxx.de
| Issuer: commonName=COMODO RSA Domain Validation Secure Server CA/organizationName=COMODO CA Limited/stateOrProvinceName=Greater Manchester/countryName=GB
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2015-05-27T23:00:00+00:00
| Not valid after: 2016-05-21T22:59:59+00:00
| MD5: 7ac1 b1a9 4fd8 c438 0bce 0e82 bb2a 5e06
|_SHA-1: 9b6e 185c 8598 aec6 7949 e7b1 3183 fc87 637f e86b
| ssl-enum-ciphers:
| TLSv1.0: No supported ciphers found
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - stron
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
| ssl-google-cert-catalog:
|_ No DB entry
Nmap done: 1 IP address (1 host up) scanned in 55.74 seconds
- See more at: https://developer.jboss.org/message/931697#sthash.3ZJZG9PV.dpuf
显然,那里是关于此主题的一些指导:
https://access.redhat.com/solutions/661193 (在EAP 6中禁用弱SSL密码)
唉,我无权访问,因为RedHat的策略似乎会将应用服务器和Internet的安全性置于付费墙之后。叹。
Apparently, there is some guidance on this topic here: https://access.redhat.com/solutions/661193 (Disable weak SSL ciphers in EAP 6) Alas, I have no access to that, as RedHat's policy would seem to put security of the application server and the Internet in general behind a paywall. Sigh.
任何人都可以确认这个问题,更好的是,提供解决方案的建议。如果没有将其置于反向代理(我的计划B)之后,是否有人有工作配置?谢谢。
Can anyone confirm this issue and better yet, offer advice for a resolution. Short of putting it behind a reverse proxy (my plan B), does anyone have a working configuration? Thanks.
参考: https://developer.jboss。 org / message / 931697
推荐答案
既然JBoss邮件列表和Stackoverflow工作人员都没有任何反馈意见,我就是将此归结为JBoss版本中的错误。我通过升级到Wildfly 8.2并使用提供的说明进行配置来解决它,它按预期工作。
Since neither the JBoss mailing list nor the Stackoverflow crew has any feedback, I am chalking this up to a bug in that JBoss version. I have resolved it by upgrading to Wildfly 8.2 and configuring with the instructions provided and it works as expected.
我猜这是一个臭名昭着的服务器老版本。对于后代,这是wildfly的SSL侦听器的配置:
I guess it was a bug in an, admittedly, older version of the server. For posterity, this is the configuration of the SSL listener for wildfly:
<https-listener name="https" socket-binding="https" security-
realm="SSLRealm"
enabled-protocols="TLSv1.2"
enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, etc."/>
相应的安全领域可能如下所示:
A corresponding security-realm might look like:
<security-realm name="SSLRealm">
<server-identities>
<ssl >
<keystore
path="/var/mysite/ssl/mysite.jks"
keystore-password="******"
alias="mysite"
/>
</ssl>
</server-identities>
</security-realm>
这篇关于什么是用于缓解Logjam / weakdh.org的正确的JBoss EAP 6.0.1密码套件配置?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!