Disable RC4 ciphers in JBOSS as per PCI requirements

Document ID : KB000044779
Last Modified Date : 14/02/2018

Introduction: 

In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4) is a stream cipher. While remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. JBoss also uses RC4 ciphers internally.

Question: 

How do I disable the RC4 ciphers in the JBoss that ships with PIM?

Environment:  

All the PIM releases that use JBoss 4.2.3

Answer: 

  • Stop JBoss.
  • In the server.xml file, add the following attribute to the Connector tag(s):

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

After the attribute is added, the Connector tag looks like the following (this is only a sample):

<Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false" emptySessionPath="true" keyAlias="entm" keystoreFile="/opt/jboss-4.2.3.GA/server/default/deploy/IdentityMinder.ear/custom/ppm/truststore/ssl.keystore" keystorePass="secret" maxThreads="150" port="18443" protocol="HTTP/1.1" scheme="https" secure="true" server="PIM" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>

Location of the server.xml file:
JBOSS_HOME/server/default/deploy/jboss-web.deployer

  • Delete the following folders under JBOSS_HOME/server/default/:
    tmp
    work
    log
  • Start JBoss.

Additional Information:

Cipher suites currently supported by JBoss, enumerated with nmap (ssl-enum-ciphers script):

| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 768) - E
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp160k1) - D
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 768) - E
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 768) - C
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp160k1) - D
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp160k1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
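To verify the change on both sides, the following added Python script (not part of this document or of the product) splits a Connector ciphers attribute into suite names and parses ssl-enum-ciphers output like the listing above, reporting every suite that still uses RC4; both sample inputs are constructed from the values shown in this article. Run against the ciphers value given in the Answer, it reports the two SSL_RSA_WITH_RC4_128_* entries, so check that list before deploying if the goal is to offer no RC4 at all.

```python
import re

# Constructed sample: the ciphers attribute from the Connector tag in the Answer.
CONNECTOR_CIPHERS = ("SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, "
                     "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
                     "TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
                     "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA")

# Constructed sample: an excerpt of nmap ssl-enum-ciphers output in the layout shown above.
NMAP_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 768) - E
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - A
"""

def rc4_suites(names):
    """Return the suites whose name marks RC4 as the bulk cipher."""
    return [n for n in names if "_RC4_" in n]

def split_cipher_attribute(value):
    """Split a Connector ciphers="..." value into individual suite names."""
    return [s.strip() for s in value.split(",") if s.strip()]

def parse_nmap_suites(text):
    """Map each protocol version in ssl-enum-ciphers output to its suite names."""
    suites, proto = {}, None
    for line in text.splitlines():
        body = line.lstrip("| ").rstrip()          # drop the "|   " script prefix
        if re.fullmatch(r"(SSLv3|TLSv1\.[0-3]|TLSv1):", body):
            proto = body[:-1]                      # protocol header, e.g. "TLSv1.2:"
            suites[proto] = []
        elif proto and body.startswith(("TLS_", "SSL_")):
            suites[proto].append(body.split()[0])  # suite name precedes "(kex) - grade"
    return suites

def report(cipher_attr, nmap_text):
    """Return (RC4 suites still configured, {protocol: RC4 suites still offered})."""
    configured = rc4_suites(split_cipher_attribute(cipher_attr))
    offered = {p: rc4_suites(s) for p, s in parse_nmap_suites(nmap_text).items()}
    return configured, offered

if __name__ == "__main__":
    configured, offered = report(CONNECTOR_CIPHERS, NMAP_OUTPUT)
    print("RC4 suites still configured:", configured or "none")
    for proto, names in offered.items():
        print(f"RC4 suites offered on {proto}:", names or "none")
```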