0

I set my JBOS server to use TLS only with the following line in the connector sslEnabledProtocols = "TLSv1.1,TLSv1.2" but when I check the server with NMAP it shows:

 ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 768) - E
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C

this is weird since these algorithms are TLS algorithms.
And when I try to connect to the Server using openssl it reports that it is using SSLv3 with ECC cipher 

Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES128-SHA

How is it possible and how to turn off sslvX permanently?

HBruijn
  • 77,029
  • 24
  • 135
  • 201
whd
  • 73
  • 1
  • 1
  • 7
  • Are you actually connecting directly to JBoss or is there a reverse proxy protecting your application server ? – HBruijn Dec 04 '18 at 12:07
  • The names aren't so weird; except for some new suites in 1.2 (and the completely different ones in 1.3) most suites in SSL3 and TLS1.0-1.2 are actually the same and naming them 'SSL' or 'TLS' is arbitrary. What is a little weird is supporting EC (specifically ECDHE-RSA) in SSL3 with extensions 10 and 11 prohibited (and defaulted). However JSSE does do that, and before j8 it also uses DHE 768 which not many other implementations do. FYI only SSL3 is at issue; no JSSE ever supported SSL2 (only SSL2Hello, which is different). You did restart the server after changing the config? ... – dave_thompson_085 Dec 04 '18 at 14:01
  • ... Also what version of Java? 7u76 or 8u31 up by default already disable SSLv3 JVM-wide in java.security, because of POODLE. (I also find it weird that POODLE was much fiercer than BEAST, but so it goes. :-) (And 8u51 up also disables RC4 because various biases found and rfc7465.) – dave_thompson_085 Dec 04 '18 at 14:18

0 Answers0