users@glassfish.java.net

[gf-users] GF setup TLS

From: Andreas Junius <andreas.junius_at_gmail.com>
Date: Tue, 10 Mar 2015 10:13:52 +1030

Hi GF Users,

I have a few questions regarding TLS:

The web console on
Configurations > server-config > HTTP Service > Https Listeners >
http-listener-2

Tab SSL

lists a large number of cipher suites that are available on the left. It's
actually the first time that I picked some of them instead of doing nothing
(which implicitly selects ALL).
As I don't want the server to use SSL 3 or below, I didn't select any SSL
cipher suites. However the server logs contain the following line:

All SSL cipher suites disabled for network-listener(s). Using SSL
implementation specific defaults

Therefore my question: what does that mean? Is the server using some
built-in default implementation, therefore defeating the purpose?

The server logs also contain a large number of messages like the following
one:

[2015-03-09T19:47:46.612+1030] [glassfish 4.1] [WARNING]
[AS-WEB-GLUE-00080] [javax.enterprise.web] [tid: _ThreadID=458
_ThreadName=pool-39-thread-1] [timeMillis: 1425892666612] [levelValue: 900]
[[
  Unrecognized cipher: TLS_RSA_WITH_AES_256_CBC_SHA]]

The next question: how is it possible to pick a cipher suite that is not
available, although in the web console it was available?

And my last question: I expected to find the list of cipher suites that I
selected somewhere in the config directory, e.g. the domain.xml. I
wasn't able to find it though. Can anyone shed some light on where
this information gets stored?

Any help highly appreciated.

Cheers,
Andy


I'm testing the settings here:
https://www.ssllabs.com/ssltest/

More unrecognized ciphers from my logfile:

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
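An added example, not part of the original post and not GlassFish's own code: a small Python audit script that pulls the "Unrecognized cipher" names out of server.log lines in the format quoted above, reads the suites configured for the listener from a domain.xml fragment, and reports which configured suites the server rejected and how the remaining ones rate (forward secrecy, AEAD, known-weak primitives). The domain.xml fragment and the log lines are constructed samples; the attribute name `ssl3-tls-ciphers` on the `<ssl>` element and the `+`/`-` enabled/disabled prefix notation are assumptions about how GlassFish 4 persists the console's cipher selection, not something the post confirms.

```python
import re
import xml.etree.ElementTree as ET

# Constructed domain.xml fragment for the listener named in the post. The <ssl>
# attribute ssl3-tls-ciphers and the "+"/"-" prefixes are ASSUMPTIONS about how
# GlassFish 4 stores the console's selection; check your own domain.xml.
DOMAIN_XML = """\
<network-config>
  <protocols>
    <protocol security-enabled="true" name="http-listener-2">
      <http default-virtual-server="server" max-connections="250"/>
      <ssl ssl2-enabled="false" ssl3-enabled="false" cert-nickname="s1as"
           ssl3-tls-ciphers="+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_RC4_128_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA"/>
    </protocol>
  </protocols>
</network-config>
"""

# Constructed server.log lines in the GlassFish 4.1 format quoted in the post.
SERVER_LOG = """\
[2015-03-09T19:47:46.612+1030] [glassfish 4.1] [WARNING] [AS-WEB-GLUE-00080] [javax.enterprise.web] [tid: _ThreadID=458 _ThreadName=pool-39-thread-1] [timeMillis: 1425892666612] [levelValue: 900] [[
  Unrecognized cipher: TLS_RSA_WITH_AES_256_CBC_SHA]]
[2015-03-09T19:47:46.613+1030] [glassfish 4.1] [WARNING] [AS-WEB-GLUE-00080] [javax.enterprise.web] [tid: _ThreadID=458 _ThreadName=pool-39-thread-1] [timeMillis: 1425892666613] [levelValue: 900] [[
  Unrecognized cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]]
[2015-03-09T19:47:47.001+1030] [glassfish 4.1] [INFO] [] [javax.enterprise.system.core] [tid: _ThreadID=1 _ThreadName=main] [timeMillis: 1425892667001] [levelValue: 800] [[
  Server started (unrelated line, must be ignored)]]
"""

UNRECOGNIZED_RE = re.compile(r"Unrecognized cipher:\s*([A-Za-z0-9_]+)")


def unrecognized_ciphers(log_text):
    """Suite names the web container reported as unrecognized (AS-WEB-GLUE-00080)."""
    return set(UNRECOGNIZED_RE.findall(log_text))


def configured_ciphers(domain_xml, listener):
    """Suites enabled for the named protocol in domain.xml, in configured order.

    Entries prefixed with "-" count as disabled; a missing or empty attribute
    returns [] (no explicit selection written by the console). find() takes the
    first matching <protocol>; a full domain.xml can carry the same listener
    name under more than one <config>, so narrow the search if that matters.
    """
    root = ET.fromstring(domain_xml)
    proto = root.find(".//protocol[@name='%s']" % listener)
    if proto is None or proto.find("ssl") is None:
        return []
    raw = proto.find("ssl").get("ssl3-tls-ciphers", "")
    enabled = []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry or entry.startswith("-"):
            continue
        enabled.append(entry.lstrip("+"))
    return enabled


WEAK_MARKERS = ("RC4", "_DES_", "3DES", "NULL", "EXPORT", "ANON", "MD5")


def classify(suite):
    """Rough rating: weak (broken primitive), legacy (static key exchange or
    CBC/MAC-then-encrypt), strong (ECDHE/DHE key exchange with an AEAD cipher)."""
    s = suite.upper()
    if any(m in s for m in WEAK_MARKERS):
        return "weak"
    forward_secret = "_ECDHE_" in s or "_DHE_" in s
    aead = "_GCM_" in s or "CHACHA20" in s
    return "strong" if forward_secret and aead else "legacy"


def audit(domain_xml, log_text, listener="http-listener-2"):
    """Cross-check the configured suites against the server's own warnings."""
    configured = configured_ciphers(domain_xml, listener)
    rejected = unrecognized_ciphers(log_text)
    effective = [c for c in configured if c not in rejected]
    return {
        "configured": configured,
        "rejected": sorted(c for c in configured if c in rejected),
        "effective": effective,
        "rating": {c: classify(c) for c in effective},
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python gf_cipher_audit.py domain.xml server.log
        domain_xml, log_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        domain_xml, log_text = DOMAIN_XML, SERVER_LOG
    report = audit(domain_xml, log_text)
    print("configured:", report["configured"])
    print("rejected by server:", report["rejected"])
    for suite, rating in report["rating"].items():
        print("%-8s %s" % (rating, suite))
```

Run it against the real `domain.xml` and `server.log` after a restart so the warnings in the log correspond to the current configuration. The rating is a coarse local heuristic, not a substitute for checking the listener from outside with the SSL Labs test the post already uses; whatever the server actually negotiates is the only result that counts.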