In GlassFish, we can configure SSL, too.
In admin console, one can configure the SSL in a given Network Listeners.
For instance, through the following navigation:
Configurations > server-config > Network Config > Network Listeners >
http-listener-1 > SSL
Shing Wai Chan
On 7/22/14, 6:36 AM, Krushna Chandra Sahu wrote:
> Hi team,
>
> We found a vulnerability with our glassfish . Below are the details .
>
> glassfish version :- glassfish-3.1.2-b13 Port no :- 3920
>
> Threat :-
>
> SSL encryption ciphers are classified based on encryption key length
> as follows:
>
> HIGH - key length larger than 128 bits
> MEDIUM - key length equal to 128 bits
> LOW - key length smaller than 128 bits
>
> Messages encrypted with LOW encryption ciphers are easy to decrypt.
> Commercial SSL servers should only support MEDIUM or HIGH strength
> ciphers to guarantee transaction security.
>
> The following link provides more information about this vulnerability:
>
> Analysis of the SSL 3.0 protocol
> (http://www.schneier.com/paper-ssl-revised.pdf)
>
> Please note that this detection only checks for weak cipher support at
> the SSL layer. Some servers may implement additional protection at the
> data layer. For example, some SSL servers and SSL proxies (such as SSL
> accelerators) allow cipher negotiation to complete but send back an
> error message and abort further communication on the secure channel.
> This vulnerability may not be exploitable for such configurations.
>
> *IMPACT :-*
>
> An attacker can exploit this vulnerability to decrypt secure
> communications without authorization.
>
> *Solution :- *
>
> isable support for LOW encryption ciphers.
> Apache
> Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the
> following lines:
> SSLProtocol -ALL +SSLv3 +TLSv1
> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> For Apache/apache_ssl include the following line in the configuration
> file (httpsd.conf):
> SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
>
> Tomcat
>
> sslProtocol="SSLv3"
> ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_W
> ITH_3DES_EDE_CBC_SHA"
>
> IIS
>
> How to Restrict the Use of Certain Cryptographic Algorithms and
> Protocols in Schannel.dll
> (http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030)
> (Windows restart required)
> How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet
> Information Services
> (http://support.microsoft.com/default.aspx?scid=kb;en-us;187498)
> (Windows restart required)
> Security Guidance for IIS
> (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
> For Novell Netware 6.5 please refer to the following document
> SSL Allows the use of Weak Ciphers. -TID10100633
> (http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm)
>
>
> Let me know ,how to fix this with glassfish .
>
> Regards
> Krushna
>
>
>
>