Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Jan 28, 2016
A customer wants to disable the SSL protocol and enable TLSv1.2 for Administrative UI access because of the recent POODLE and BEAST (CVE-2011-3389) vulnerabilities in SSLv3.0/TLSv1.0.
What determines which SSL/TLS protocols the embedded JBoss supports?
The SSL/TLS protocol versions supported by the JBoss application server depend on the JDK/JRE it runs on.
Here is the supportability chart across the different JDK versions.

| | JDK 8 (March 2014 to present) | JDK 7 (July 2011 to present) | JDK 6 (2006 to end of public updates 2013) |
|---|---|---|---|
| TLS Protocols | TLSv1.2 (default) | | |
| JSSE Ciphers | Ciphers in JDK 8 | Ciphers in JDK 7 | Ciphers in JDK 6 |
| Reference | JDK 8 JSSE | JDK 7 JSSE | JDK 6 JSSE |
| Java Cryptography Extension, Unlimited Strength (explained later) | JCE for JDK 8 | JCE for JDK 7 | JCE for JDK 6 |
Does the Admin UI for R12.52 SP1 CR7 support TLS v1.2?
The standalone Admin UI installer for R12.52 SP1 CR7 installs the following JBoss and JRE versions:
- JBoss version: 5.1.0 GA
- JRE: 1.6 Update 45 (the JRE is installed under <AdminUI_install_directory>/runtime/)
So, unfortunately, the R12.52 SP1 CR7 Admin UI does NOT support the TLSv1.2 protocol, because the underlying JRE 1.6 does not support it.
Also note the following:
- The customer cannot simply upgrade the JRE to 1.7 either, because JBoss 5 is not certified with JRE 1.7.
What next?
We already have a couple of tickets open with our sustaining engineering team to enable TLS v1.2 support for the Admin UI.
Most likely engineering will fix this issue by upgrading JBoss and the JRE in an upcoming CR for r12.52 SP1.
This post will be updated when that happens.
(Update: As of 29/06/2017, 12.52 SP1 CR7 still does not have support for this.)
The Admin UI for r12.52 SP2 now bundles embedded JBoss 8.2 and JDK 1.8 for the standalone installation.
TLS 1.2 is also enabled by default in the JBoss configuration.
This is done by setting the enabled-protocols attribute of the https-listener in admin_ui_installation_dir\standalone\configuration\standalone.xml
to enabled-protocols="TLSv1.1,TLSv1.2", as below:
<https-listener name="https" socket-binding="https" security-realm="SSLRealm" enabled-protocols="TLSv1.1,TLSv1.2"/>
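As an added example (not part of the original post or of CA's product code), a small Python check that reads a standalone.xml and reports, for each https-listener, whether TLSv1.2 is explicitly enabled and no SSLv3 or TLSv1.0 remains in enabled-protocols. The sample XML, its listener names and its namespace URIs are constructed for the demonstration.

```python
"""Lint the https-listener protocol settings in a JBoss/WildFly standalone.xml."""
import xml.etree.ElementTree as ET

# Protocol names that should not remain in enabled-protocols on an Admin UI
# listener: SSLv3 is affected by POODLE, TLSv1.0 by BEAST.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1"}
REQUIRED_PROTOCOL = "TLSv1.2"


def _local_name(tag):
    """Strip the XML namespace so the undertow subsystem version does not matter."""
    return tag.rsplit("}", 1)[-1]


def parse_protocols(value):
    """Split an enabled-protocols attribute, tolerating stray spaces like ' TLSv1.1,TLSv1.2'."""
    return [p.strip() for p in value.split(",") if p.strip()]


def lint_standalone_xml(xml_text):
    """Return one finding dict per https-listener element in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "https-listener":
            continue
        raw = elem.get("enabled-protocols")
        # No attribute at all means the listener relies on the JVM defaults,
        # which is reported as not OK because nothing pins the protocol set.
        protocols = parse_protocols(raw) if raw is not None else []
        weak = sorted(WEAK_PROTOCOLS.intersection(protocols))
        findings.append({
            "listener": elem.get("name"),
            "protocols": protocols,
            "weak": weak,
            "explicit": raw is not None,
            "ok": raw is not None and REQUIRED_PROTOCOL in protocols and not weak,
        })
    return findings


# Constructed minimal standalone.xml: the post's corrected listener (with the stray
# leading space as printed there) plus a legacy listener that still allows SSLv3/TLSv1.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:2.2">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:1.2">
      <server name="default-server">
        <https-listener name="https" socket-binding="https" security-realm="SSLRealm"
                        enabled-protocols=" TLSv1.1,TLSv1.2"/>
        <https-listener name="legacy" socket-binding="https-legacy" security-realm="SSLRealm"
                        enabled-protocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>
      </server>
    </subsystem>
  </profile>
</server>"""

if __name__ == "__main__":
    for f in lint_standalone_xml(SAMPLE_XML):
        print(("OK " if f["ok"] else "FIX"), f["listener"], f["protocols"], "weak:", f["weak"])
```

Point `lint_standalone_xml` at the contents of the real standalone.xml to confirm the setting after an upgrade or a manual edit.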