Hi,
I'm hoping someone could help with configuring JBoss 4.2.3.GA to disable weak & medium ciphers.
We've scanned JBoss with Nessus and it identified weak & medium ciphers on port 8443.
I was able to remove those scan results by limiting the ciphers. I added the following to the connector in server.xml
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Re-running the scan, 8443 is now good; unfortunately, it's now detecting the weak ciphers on port 8091.
From what I can tell, I should be updating the uil2-service.xml. That's based on reading a few posts online such as http://community.jboss.org/thread/42986?tstart=0, as well as following a few items that mention adding cipherAlgorithm as an attribute, or others that mention limiting the available suites by adding https.cipherSuites as a JVM option in run.conf.
None of these thus far have been able to help.
Can someone please help point me at the correct configuration option(s)?
Thanks in advance,
-Rob
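As an added example (not part of the post above and not JBoss's own code), the following script parses the `ciphers` attribute of a JBoss 4.2.x `server.xml` connector and reports which listed suites a scanner would still class as weak or medium. The connector element is a constructed sample built around the cipher list from the post, and the weak-suite markers are a constructed heuristic, stricter than the scan in the post: it also flags the RC4 and 3DES suites that the post's list still allows.

```python
import re

# Constructed sample: the cipher list from the post, wrapped in the kind of
# <Connector> element a JBoss 4.2.x server.xml contains (attributes assumed).
SAMPLE_CONNECTOR = (
    '<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" '
    'scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" '
    'ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, '
    'TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, '
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, '
    'SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />'
)

# Name fragments that mark a suite as weak or medium strength. Constructed
# heuristic: NULL/anon/EXPORT/single DES/RC2 are weak, RC4/MD5/3DES are what
# later scanners report as medium. Not any scanner's exact rule set.
WEAK_MARKERS = ("NULL", "anon", "EXPORT", "_DES_", "RC2", "RC4", "MD5", "3DES")


def parse_ciphers_attribute(connector_xml):
    """Return the suite names listed in the connector's ciphers="..." attribute."""
    match = re.search(r'\bciphers="([^"]*)"', connector_xml)
    if not match:
        return []
    return [s.strip() for s in match.group(1).split(",") if s.strip()]


def classify(suites):
    """Split suites into (weak_or_medium, strong) using WEAK_MARKERS."""
    weak = [s for s in suites if any(m in s for m in WEAK_MARKERS)]
    strong = [s for s in suites if s not in weak]
    return weak, strong


def hardened_attribute(connector_xml):
    """Rebuild the ciphers attribute keeping only the strong suites."""
    _, strong = classify(parse_ciphers_attribute(connector_xml))
    return 'ciphers="' + ", ".join(strong) + '"'


if __name__ == "__main__":
    weak, strong = classify(parse_ciphers_attribute(SAMPLE_CONNECTOR))
    print("still allowed but weak/medium:", weak)
    print("hardened:", hardened_attribute(SAMPLE_CONNECTOR))
```

Run it against each connector that terminates TLS (8443 in server.xml and the 8091 SSL connector) and re-scan after every change; a list that passes one scanner version can still fail a newer one, as the RC4 and 3DES entries show.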