GF3 (JDK 6) how to config security protocol to remove obsolete cryptography - java
In the company that I work we have a server GF 3.1.1 (JDK 6) with CAS which does the authentication of the users in another system. After the last update of Firefox (v. 39x) we are getting the follow information from the browser:
mydomain.com SSL received a weak ephemeral Diffie-Hellman key in
Server Key Exchange handshake message.
And it is not possible to access the site without this workaround or using another browser.
In chrome I can access normally but if I look at the connection properties it says:
Your connection is encrypted with obsolete cryptography.
The connection uses TLS 1.0.
The connection is encrypted using
AES_128_CBC, with SHA1 for message authentication an DHE_RSA as the
key exchange mechanism.
I can't configure all the browsers of our customers or say them only use chrome. Maybe in future chrome can do the same. So my solution is configure the server properly. The problem is that I don't know how can I do that.
I found in GF where I can do the configuration in Configurations > server-config > Network Config > Protocols > http-listner-2 > SSL
Then I found here a blacklist and a whitelist of some ciphers that are recommended to use. I tried to remove all in black and put all those in white. But I still have the issue. I think this list may be out of date.
I appreciate any help.
Finally. I found a solution.
I search a lot and I could find a solution, so I tried to test one by one of the ciphers. So, to work ( I am not saying that is the right way). I had to do this:
At:
Configurations > server-config > Network Config > Protocols > http-listner-2 > SSL
Add all the ciphers available
Remove all the Diffie-Hellman ciphers
Save
After that our application can be opened at any browser again. I hope it may help someone.
For admin:
Configurations > server-config > Service HTTP > Listeners HTTP > admin-listner > SSL
Add all the ciphers available
Remove all the Diffie-Hellman ciphers
Save
Restart
Edit: Comparing with the whitelist here the remaining ciphers that would be part of a new whitelist are:
Whitelist
TLS_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
I just encountered this problem as well with Chrome and the admin console. The way I got around it was to delete the current ssl certificate for the listener and recreate it using a specific set of ciphers with the --ssl3tlsciphers option. For me it was the admin-listener so first I deleted the current default certificate:
asadmin delete-ssl --type http-listener admin-listener
Then I recreated it using the following command:
asadmin create-ssl --type http-listener --certname s1as --ssl3tlsciphers SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSL_RSA_WITH_NULL_MD5,SSL_RSA_WITH_NULL_SHA,SSL_DH_anon_WITH_RC4_128_MD5,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA admin-listener
I noticed that simply deleting the default certificate doesn't remove all references to it in the domain.xml file. I haven't been able to find the proper way to do this. I just used trial and error. Another method is to modify the domain.xml file where the ssl element for the listener is defined and add the attribute "ssl3-tls-ciphers":
<ssl ssl3-tls-ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSL_RSA_WITH_NULL_MD5,SSL_RSA_WITH_NULL_SHA,SSL_DH_anon_WITH_RC4_128_MD5,TLS_DH_anon_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as"></ssl>
Both methods require a restart of glassfish.
Thanks, Sertage, that worked!
However, it is also necessary to fix the Protocol for the admin port (usually 4848). (It should, of course, use HTTPS too!)
But, in GF 3.1.2.2, the Protocol 'admin-listener' appears to be kind of pointing to the Protocol 'sec-admin-listener', and that does not have a 'SSL' tab. Changing the SSL parameters the Protocol 'admin-listener' results in an error message, saying 'Could not apply changes. No Configuration found for configs.config.server-config.network-config.protocols.protocol.admin-listener.ssl'. Any suggestions on how to configure the admin port?
Related
SSL works on url without .com?
I am trying to enable SSL in my hosted project via tomcat. I managed to upload certs but the connection is still unsecured. My Url looks like this laptap.partner.solution Is it possible to enable SSL using this url, and get a green lock at the same time? Someone told me SSL only works on TLD's. What does it mean?
when you generate an SSL certificate you must use wildcard (*.example.com) so it works with your subdomain. you can use Let's Encrypt to generate free SSL certificates which also supports wildcards and the Green Bar you want to have
Communication between Java apps on 2 different servers(app1 in jboss and app2-tomcat) with https SSL configuration
Earlier when I kept both apps(app1 & app2) in the same (Jboss)server, I can call[communicate] the api's available in app1 from app2. [Jboss ssl configured with certificate] Now My issue is, I moved only my app2 into tomcat server[app2],without changing any code and tried to connect api's of app1. It is throwing the clientProtocol Exception. I came to know the issue with ssl certificate, because app1 is ssl configured. Is there any place I have to configure my tomcat server to trust the app1 with the SSL jboss certifcate or in java program I have to add the trustmanager SSL socket code. Please let me know the possible solution I have been stucked .
You need to configure the tomcat environment to know that exists a certificate to use. This is done with -Djavax.net.ssl.trustStore=mykeystore or setting it in JAVA_OPTS. For Linux this is done as follow: export JAVA_OPTS=-Djavax.net.ssl.trustStore=mykeystore before calling ./startup.sh
server certificate change is restricted during renegotiation
I am using java 1.6 in my machine and currently I am facing the below exception. JSSESocketFactory.makeSocket ldap. ... :636, server certificate change is restricted during renegotiation for an work around I have updated below properties into my weblogic configuration setup -Dsun.security.ssl.allowUnsafeRenegotiation=true -Djdk.tls.allowUnsafeServerCertChange=true But Still I am getting server certificate change is restricted during negotiation. Please let me know if there is anything else I can update in the configuration. Thanks for your help guys.
Java Security Warning SSL Connection after server change
After a server change, I get nasty SSL warning in browsers (tested FF & Chrome), when loading an applet, used in an JavaEE Application (Serlvet API 3) The warning says: "Certificate is not valid, and cannot used to identify the website" The more detailed warning says: "The certificate authority, who provided the certificate, is not trusted." The messages are translated into english, so please excuse slight differences there. After this message, I get the message of Java, which shows that the Applet is ordinary signed (the dialog with the blue sign). So the Applet is working, only the warning message annoys. Before I moved to another server, everything was fine and worked. No security warnings or anything else. The Applet is signed, by a certificate, which I requested from an CA. (rapidssl) The old server environment was just a common web space, offered by 3rd party hoster. Now I moved to my own server, which utilizes XEN for hosting VMs. On one of that internal vm's, our webserver is deployed. According to that, I defined firewall rules to route traffic http/https to the vms. Also the domain was ported, was purchased at old hoster, and the ip of new server is bound to domain. I use Tomcat 7 as Application Server on an debian based OS. In old environment, I could use the specified url in CN of my wildcard cert.(e.g. *.domain.com) In new environment the basic message says: *.domain.com:port is not a trusted site. I thought actually, that SSL Certs are independent of the used port. I've read that, on some research too. I also searched here in many threads, but the supposed answers didnt work for me. The certificate and root cert. are imported to Java's own keystore cacerts. In Tomcat 7, I use the JSSE Implementation for SSL, with properly setup keystore files. I've tried already this, but as im not that experienced with SSL/TLS Technology, the tried solutions maybe even wont solve my problem: Disabling SNI in Tomcat 7 (dont work) Adding Host aliases in server.xml (dont work) Can anyone clarify, what the actual problem is, or has experienced the same issue ? #edit: The are no error stacktraces in any logs, which I could provide here, also no exceptions gets thrown.
It came clear, thanks to Khanna111 Gaurav Khanna and jwv, that the certificate chain wasnt setup properly. I thought, if there were any problems with the certificate chain, that the browser will notify me about it. It isn't like that. As we migrated from old hoster to new server, they provided only the certificates, but without the private key. As im not that much experinced with SSL, I thought that importing the intermediary certs and the acquired cert is enough.. It is not :) After stumbling on intermediate-ca-certificate-in-java (link in comment), I've read this, which solved my problem: why doesn't java send the client certificate during SSL handshake? & external website:Import private key and certificate into Java Key Store (JKS) I had certkey.key,publiccert.crt, intermediate_primary.cer and secondary_primary.cer Files. The first step was, to convert the .key and .crt file to DER format, as mentioned in last link via OpenSSL due to keytool's inability to import a key in an existing keystore After converting to DER Format, I used the Tool ImportKey and created a new keystore with key/cert contained. The second step was following the instructions of second link (Bruno's Answer), so it was copy&paste the certificate contents, into a single file. After importing the bundle of certificates into keystore, everything was fine. I hope this can help anyone else, which is also not that familiar with SSL. p.s. due to my lack of rep, i cannot mention all sites, I've used.. I'll provide them in comments
SSL with WebSphere MQ 7
Basically I have two problems: Optional SSL for Queue Manager not working as expected I have QM configured well. For testing I'm using MQIVP Java class from WebSphere MQ installation. Without SSL configured I have no problem to run MQIVP successfully. When I set up QM SSL authentication as optional it stops working, probably not so optional, any idea? Another additional property is that when using Spring and SSL authentication as required I have no problem to connect to QM without additional configuration for Spring (comparing with the one without SSL) Java SSL Logging not working as expected According to that article I configured trustStore and keyStore, but when trying to use SSL with MQIVP no additional logging is in the log. I have properties set: -Djavax.net.debug=all -Djavax.net.ssl.trustStore="c:\Program Files (x86)\IBM\WebSphere MQ\trustStore.jks" -Djavax.net.ssl.trustStorePassword=trust -Djavax.net.ssl.keyStore="c:\Program Files (x86)\IBM\WebSphere MQ\keyStore.jks" -Djavax.net.ssl.keyStorePassword=key
I know for the keyStore you just specify the file name without the extention, so try this: -Djavax.net.ssl.keyStore="c:\Program Files (x86)\IBM\WebSphere MQ\keyStore" You may also try the same for the trustStore.