GF3 (JDK 6) how to configure a security protocol to remove obsolete cryptography

The company I work for has a GF 3.1.1 server (JDK 6) with CAS, which authenticates users to another system. After the last update of Firefox (v. 39x) we get the following information from the browser:

mydomain.com SSL received a weak Diffie-Hellman ephemeral key in the Server Key Exchange Confirmation Message.

And it is impossible to access the site without this workaround or using another browser. In Chrome, I can access it normally, but if I look at the connection properties, it says:

Your connection is encrypted with outdated cryptography.

The connection uses TLS 1.0.

The connection is encrypted using AES_128_CBC with SHA1 to authenticate the DHE_RSA message as a key exchange mechanism.

I can’t configure all the browsers of our clients or tell them to use only Chrome. Perhaps in the future, Chrome may do the same. Therefore, my solution is to configure the server correctly. The problem is that I do not know how I can do this.

I found where in GF I can do the configuration: Configurations> server-config> Network Config> Protocols> http-listener-2> SSL

Then I found a blacklist and a whitelist of some ciphers that are recommended for use here. I tried to remove everything on the blacklist and add everything on the whitelist. But I still have a problem. I think this list may be out of date.

I appreciate any help.

+6
3 answers

Finally. I have found a solution. I searched a lot and I could find a solution, so I tried checking the ciphers one by one. So, to make it work (I'm not saying this is the right way), I had to do this:

In:

Configurations> server-config> Network Configuration> Protocols> http-listener-2> SSL

  • Add all available ciphers
  • Remove all Diffie-Hellman ciphers
  • Save

After that, our application can be opened again in any browser. Hope this can help someone.

For administrator:

Configurations> server-config> HTTP Service> HTTP Listeners> admin-listener> SSL

  • Add all available ciphers
  • Remove all Diffie-Hellman ciphers
  • Save
  • Restart

Edit: Comparing with the whitelist here, these are the remaining ciphers that will be part of the new whitelist:

Whitelist

  • TLS_RSA_WITH_AES_128_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
+9

I ran into this issue also with Chrome and the admin console. The way I worked around it was to remove the current SSL certificate for the listener and recreate it using a specific cipher suite with the --ssl3tlsciphers option. For me it was the admin listener, so first I deleted the current default certificate:

asadmin delete-ssl --type http-listener admin-listener 

Then I recreated it using the following command:

 asadmin create-ssl --type http-listener --certname s1as --ssl3tlsciphers SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSL_RSA_WITH_NULL_MD5,SSL_RSA_WITH_NULL_SHA,SSL_DH_anon_WITH_RC4_128_MD5,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA admin-listener 

I noticed that simply deleting the default certificate does not delete all references to it in the domain.xml file. I could not find the right way to do this. I just used trial and error. Another method is to modify the domain.xml file, which defines the ssl element for the listener, and add the attribute "ssl3-tls-ciphers":

 <ssl ssl3-tls-ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSL_RSA_WITH_NULL_MD5,SSL_RSA_WITH_NULL_SHA,SSL_DH_anon_WITH_RC4_128_MD5,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"></ssl> 

Both methods require restarting GlassFish.

+2
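
An added example, not part of either answer above and not GlassFish code: a Python check that reads the `ssl3-tls-ciphers` attribute described in the second answer and flags obsolete suites, including the Diffie-Hellman ones the first answer removes. The sample XML is constructed, the function names and tags are this example's own, and two things are assumptions that go beyond the page: entries may carry GlassFish's `+`/`-` prefix, and a missing attribute means the JVM's default suites apply.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like domain.xml (cipher list wrapped for readability).
SAMPLE = """<protocols>
  <protocol name="http-listener-2" security-enabled="true">
    <ssl cert-nickname="s1as" ssl3-tls-ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
      SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,
      SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_NULL_SHA,-SSL_DH_anon_WITH_3DES_EDE_CBC_SHA"/>
  </protocol>
  <protocol name="sec-admin-listener" security-enabled="true">
    <ssl cert-nickname="s1as"/>
  </protocol>
</protocols>"""

# Name fragments that mark a suite as obsolete, checked in this order.
RULES = [
    (re.compile(r"_DHE_"), "DHE"),           # ephemeral DH, the key Firefox rejected
    (re.compile(r"_anon_"), "anon"),         # no server authentication
    (re.compile(r"_NULL_"), "NULL"),         # no encryption at all
    (re.compile(r"_EXPORT_"), "EXPORT"),     # 40-bit export-grade keys
    (re.compile(r"_RC4_"), "RC4"),
    (re.compile(r"_DES(40)?_CBC_"), "DES"),  # single DES; does not match 3DES_EDE
    (re.compile(r"_MD5$"), "MD5"),
]

def enabled_suites(ssl):
    """Suites an <ssl> element enables ("-" entries dropped), or None if no list is set."""
    raw = ssl.get("ssl3-tls-ciphers")
    if raw is None:
        return None
    items = [s.strip() for s in raw.split(",") if s.strip()]
    return [s.lstrip("+") for s in items if not s.startswith("-")]

def audit(domain_xml):
    """Map protocol name -> {suite: [tags]}; None means no list is pinned."""
    findings = {}
    for proto in ET.fromstring(domain_xml).iter("protocol"):
        for ssl in proto.findall("ssl"):
            suites = enabled_suites(ssl)
            # None: nothing pinned, so the JVM's default suites apply.
            findings[proto.get("name")] = None if suites is None else {
                s: tags for s in suites
                if (tags := [t for rx, t in RULES if rx.search(s)])}
    return findings

if __name__ == "__main__":
    for name, flagged in audit(SAMPLE).items():
        print(name, flagged)
```

Running it against a copy of the real domain.xml before and after a change shows which listeners still enable a flagged suite or have no pinned list at all.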

Thanks, Sertage, for the workaround!

However, you must also fix the protocol for the administration port (usually 4848). (Of course, you also need to use HTTPS!)

But in GF 3.1.2.2, the "admin-listener" protocol seems to just point to the "sec-admin-listener" protocol, and it does not have the "SSL" tab. When changing the SSL settings in the "admin-listener" protocol, I get the error message "Unable to apply changes. The configuration was not found for configs.config.server-config.network-config.protocols.protocol.admin-listener.ssl". Any suggestions on setting up the admin port?

+1
