Disable SSL3 in GlassFish

December 8, 2015

As is well known, there are serious security concerns about the use of SSL3, so many security audits demand that it be disabled in every application exposed through a web GUI.

Disabling SSL3 can be done via the admin console.

First, SSL3 is disabled individually on each of the HTTP listeners of your domain, which are found in the Configurations tree.

Follow the menu:
Configurations → server-config → HTTP Service → Http Listeners

For each of the defined listeners, select the SSL tab, uncheck the SSL3 option, then press the Save button.


Second, SSL3 is disabled individually on each of the IIOP listeners of your domain, which are also found in the Configurations tree.

Follow the menu:
Configurations → server-config → ORB → IIOP Listeners

For each of the defined listeners, select the SSL tab, uncheck the SSL3 option, then press the Save button.


Note that under the same menu we can also enable or disable the individual ciphers used for the secure connections. Some ciphers may have been declared unsafe, or may not meet the requirements of the internal security policy. If that is the case, this is where we pick exactly the ciphers we want to allow and disable the rest.

Note: For some versions of GlassFish the admin console corrupts the IIOP configuration, and at start-up the application server complains with an exception like the following:

To resolve this issue, edit the domain configuration file:
/opt/glassfish3/glassfish/domains/appdomain/config/domain.xml

Search for the keyword “lazy-init”.

You will find an XML block similar to the following:

Delete the ssl tag so that the block looks like:

Save the changes and restart the domain.
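The two steps above (check every listener for SSL3, and drop the stray ssl tag the console leaves under the lazy-init IIOP listener) can be verified straight from domain.xml. The script below is an added example, not part of the original post or of GlassFish; it assumes the domain.xml layout and the `ssl3-enabled` attribute on the `ssl` element as written in the constructed sample, and treats a missing `ssl3-enabled` attribute as enabled (the GlassFish 3 default assumed here).

```python
"""Audit a GlassFish domain.xml for listeners that still allow SSL3 and
apply the manual fix from the post: remove the <ssl> child that the admin
console added under a lazy-init IIOP listener. Sample input is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: a secure HTTP protocol still allowing SSL3, the plain
# lazy-init IIOP listener corrupted with a stray <ssl>, and a fixed IIOP listener.
SAMPLE_DOMAIN_XML = """<domain>
  <configs><config name="server-config">
    <network-config><protocols>
      <protocol name="http-listener-2" security-enabled="true">
        <ssl cert-nickname="s1as" ssl3-enabled="true" tls-enabled="true"/>
      </protocol>
    </protocols></network-config>
    <iiop-service>
      <iiop-listener port="3700" id="orb-listener-1" lazy-init="true">
        <ssl cert-nickname="s1as"/>
      </iiop-listener>
      <iiop-listener port="3820" id="SSL" security-enabled="true">
        <ssl cert-nickname="s1as" ssl3-enabled="false"/>
      </iiop-listener>
    </iiop-service>
  </config></configs>
</domain>"""


def strip_ssl_from_lazy_init_listeners(root):
    """Remove <ssl> children from lazy-init IIOP listeners; return their ids."""
    removed = []
    for listener in root.iter("iiop-listener"):
        if listener.get("lazy-init") == "true":
            for ssl in listener.findall("ssl"):
                listener.remove(ssl)
                removed.append(listener.get("id"))
    return removed


def ssl3_enabled_listeners(root):
    """Return ids of HTTP protocols and IIOP listeners whose <ssl> allows SSL3.
    An absent ssl3-enabled attribute counts as enabled (assumed GlassFish 3 default)."""
    hits = []
    for tag, id_attr in (("protocol", "name"), ("iiop-listener", "id")):
        for listener in root.iter(tag):
            ssl = listener.find("ssl")
            if ssl is not None and ssl.get("ssl3-enabled", "true").lower() != "false":
                hits.append(listener.get(id_attr))
    return hits


def fix_and_audit(xml_text):
    """Apply the lazy-init fix, then list what still allows SSL3 and return the new XML."""
    root = ET.fromstring(xml_text)
    removed = strip_ssl_from_lazy_init_listeners(root)
    remaining = ssl3_enabled_listeners(root)
    return removed, remaining, ET.tostring(root, encoding="unicode")
```

Run it against a copy of the real domain.xml with the domain stopped; anything listed in `remaining` still needs the SSL3 box unchecked (or `ssl3-enabled="false"` set by hand).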
