
Turn off SSLv3 on JBoss AS 7.1.1


I have a Spring MVC app running on JBoss AS 7.1.1. I need to turn off SSLv3 to protect against the POODLE vulnerability. The JBoss documentation at https://access.redhat.com/solutions/1232233 suggests I need to make sure that SSLv3 is not listed in the SSL protocol attributes.

I have tried that, but I can still connect to my website after enabling only SSL in the Internet Explorer options displayed below. Below is my standalone.xml configuration:

<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
     <ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="C:\Dev\Java\jdk1.6.0_34\bin\foo.keystore" protocol="TLSv1"/>
</connector>

Can someone suggest what I'm missing here?

[screenshot of the Internet Explorer protocol options referred to above]


Solution

  • I finally figured out a way to fix it. If you change 'protocol' to 'protocols' in the above-mentioned configuration and make sure SSLv3 is not in the protocol list, then it disables SSLv3.

    Notice the protocols attribute in the config below

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
         <ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="C:\Dev\Java\jdk1.6.0_34\bin\foo.keystore" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
    </connector>

    After making this change, if you open IE, disable all other protocols except SSL 3.0, and then try to access the web page, you should not be able to see the web page.

    More details available here: http://abhirampal.com/2015/07/23/disable-ssl-v3-on-jboss-as-7-1-1/
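The question and answer above boil down to one configuration check: every HTTPS connector's <ssl> element must carry an explicit, TLS-only protocol list, because the single value protocol="TLSv1" shown in the question still accepted SSLv3 while the comma-separated list in the answer did not. The script below is an added example (not code from the question, the answer, or JBoss) that audits a standalone.xml for exactly that. It parses the file with the standard library, ignores XML namespaces so it works with the urn:jboss:domain:web:* schemas, and reports one finding per <ssl> element. The sample standalone.xml fragment, the connector names, the keystore paths and the audit_ssl_protocols function name are all constructed for this example; the check also looks at a 'protocols' attribute because the answer mentions that spelling, which is an assumption about other schema versions rather than something the AS 7.1.1 schema is known to define.

```python
"""Audit JBoss AS 7 / EAP 6 standalone.xml <ssl> elements for SSLv3 exposure.

Added example for the question above: finds every <connector><ssl .../> in the
web subsystem and reports whether its protocol attribute is an explicit,
TLS-only list, which is the configuration the answer reports as disabling SSLv3.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed standalone.xml with four HTTPS connectors in the
# four states the audit distinguishes. Not taken from any real deployment.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.2">
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="foo-ssl" key-alias="foo" password="secret"
             certificate-key-file="/opt/keys/foo.keystore" protocol="TLSv1"/>
      </connector>
      <connector name="https-admin" protocol="HTTP/1.1" scheme="https" socket-binding="https-admin" secure="true">
        <ssl name="admin-ssl" key-alias="admin" password="secret"
             certificate-key-file="/opt/keys/admin.keystore" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
      </connector>
      <connector name="https-legacy" protocol="HTTP/1.1" scheme="https" socket-binding="https-legacy" secure="true">
        <ssl name="legacy-ssl" key-alias="legacy" password="secret"
             certificate-key-file="/opt/keys/legacy.keystore" protocol="SSLv3,TLSv1"/>
      </connector>
      <connector name="https-default" protocol="HTTP/1.1" scheme="https" socket-binding="https-default" secure="true">
        <ssl name="default-ssl" key-alias="default" password="secret"
             certificate-key-file="/opt/keys/default.keystore"/>
      </connector>
    </subsystem>
  </profile>
</server>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rpartition("}")[2]


def audit_ssl_protocols(xml_text):
    """Return a list of (connector_name, status, detail) tuples, one per <ssl> element.

    status is one of:
      FAIL - SSLv2/SSLv3 listed, or no protocol attribute at all (JSSE defaults
             decide, and the question shows SSLv3 must not be left to defaults)
      WARN - a single protocol value; the question reports protocol="TLSv1"
             still accepted SSLv3 connections
      OK   - an explicit comma-separated list containing no SSL* entry
    """
    root = ET.fromstring(xml_text)
    findings = []
    for connector in root.iter():
        if local_name(connector.tag) != "connector":
            continue
        cname = connector.get("name", "<unnamed>")
        for ssl in connector:
            if local_name(ssl.tag) != "ssl":
                continue
            # AS 7.1.1 uses 'protocol' for the comma-separated list; 'protocols'
            # is checked as well because the answer mentions that spelling
            # (assumption: other schema versions may use it).
            raw = ssl.get("protocol") or ssl.get("protocols")
            if raw is None:
                findings.append((cname, "FAIL", "no protocol attribute; SSLv3 may be negotiable"))
                continue
            protocols = [p.strip() for p in raw.split(",") if p.strip()]
            insecure = [p for p in protocols if p.upper().startswith("SSLV")]
            if insecure:
                findings.append((cname, "FAIL", "insecure protocol(s) listed: " + ", ".join(insecure)))
            elif len(protocols) == 1:
                findings.append((cname, "WARN",
                                 "single value %r; use an explicit TLS list such as "
                                 "TLSv1,TLSv1.1,TLSv1.2" % protocols[0]))
            else:
                findings.append((cname, "OK", "explicit TLS-only list: " + ", ".join(protocols)))
    return findings


def has_failures(findings):
    """True if any connector needs attention before the server is exposed."""
    return any(status != "OK" for _, status, _ in findings)


if __name__ == "__main__":
    # Usage against a real file: audit_ssl_protocols(open("standalone.xml").read())
    for name, status, detail in audit_ssl_protocols(SAMPLE_STANDALONE_XML):
        print("%-14s %-4s %s" % (name, status, detail))
```

Run against the sample, the "https" connector (the question's protocol="TLSv1") comes back WARN, "https-admin" (the answer's list) is OK, and the two connectors that list SSLv3 or omit the attribute are FAIL. Pair the static audit with the browser test the answer describes, since the configuration file only tells you what was intended, not what the running connector negotiates.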