Running the 4.0.2 UA Patch E with the delivered JBoss.
Trying to disable the RC4 cipher suites to mitigate a vulnerability.

In the server.xml file I've specified the following:

<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="9443" address="${jboss.bind.address}" maxHttpHeaderSize="16384"
scheme="https" secure="true" clientAuth="false"
keystorePass="***" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
cipher-suite="TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

While it appears that JBoss respects the sslProtocols directive, it seems to ignore the cipher-suite setting.
Using openssl I'm able to connect using other cipher suites that aren't specified as one of the two above including RC4 suites.

How does one disable those? I'm at a total loss.

Will Schneider
Knowledge Partner

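For comparison, the following shows the posted connector next to a version whose cipher list sits in the attribute the JBoss Web JSSE connector reads. This is an added example, not the poster's configuration or anything from the NetIQ/JBoss documentation. It assumes a JBoss 5.x-era server.xml connector (JBoss Web, derived from Tomcat), where the cipher allow-list attribute is `ciphers`; the `cipher-suite` name belongs to the `<ssl>` element of the JBoss AS 7 web subsystem, not to server.xml, and an attribute the connector does not know is ignored rather than rejected. The keystore path and password are placeholders.

```xml
<!-- Added example, not the original post's configuration. Assumption: the
     connector is the Tomcat-derived JBoss Web JSSE connector, which takes its
     cipher allow-list from "ciphers". An unknown attribute such as
     "cipher-suite" is ignored, so every suite the JVM enables by default,
     RC4 suites included, remains negotiable. -->

<!-- Before: cipher list in an attribute the connector does not read -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
    port="9443" address="${jboss.bind.address}" maxHttpHeaderSize="16384"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="/path/to/keystore.jks" keystorePass="CHANGEME"
    sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
    cipher-suite="TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

<!-- After: same connector with an explicit allow-list of JSSE suite names.
     Only the suites named here are offered during the handshake; RC4, 3DES
     and export suites are excluded simply because they are not listed. -->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
    port="9443" address="${jboss.bind.address}" maxHttpHeaderSize="16384"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="/path/to/keystore.jks" keystorePass="CHANGEME"
    sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />
```

Two checks are worth doing after the restart. First, the names must be the JSSE names the running JVM recognises; a suite name the JVM does not support is dropped from the list without an error, so a typo can shrink the allow-list to nothing you intended. Second, repeat the openssl test from the post against port 9443, this time restricting the client to RC4 (for example `openssl s_client -connect host:9443 -cipher RC4`): with the allow-list in effect the handshake should fail rather than complete. If the JVM is recent enough to honour `jdk.tls.disabledAlgorithms` in its `java.security` file, listing RC4 there as well disables it for every SSL context in the process, independent of any one connector's configuration. The two suites kept here are the poster's own; where the JVM supports ECDHE suites, adding them in front of the RSA-only ones gives forward secrecy without loosening the exclusion of RC4.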