Thanks for your answer. With some more testing I found that it was specifically an interaction with the current JRuby HTTPS client that causes it to fail to connect to the 9.3.7 SSL connector. Other clients worked fine. I was also able to work around it in the JRuby case by configuring ciphers as per the Mozilla "intermediate" suite, so apparently it supports more ciphers than it advertises by default. No doubt you have good reason to disable these ciphers in Jetty by default.
Yes, it will be nice if this is the only HTTP client affected by the 9.3.7 default ciphers change.

—David

On Wed, Jan 20, 2016 at 2:18 PM, Joakim Erdfelt <[email protected]> wrote:

> The changes for SLOTH apply the configuration exclusions
> for "^.*_RSA_.*_(MD5|SHA|SHA1)$" ciphers.
> This eliminates the RSA + (MD5 or SHA or SHA1) ciphers from being used.
>
> Something that future versions of Java will do at the JVM level.
> (This change will likely show up in
> $JAVA_HOME/jre/lib/security/java.security like the other banned SSL/TLS
> ciphers, protocols, and certificates)
>
> There are many production systems using Jetty 9.3.7 already, and you are
> the first one to report this being an issue.
>
> If you feel this is invalid for your configuration, you can always
> reconfigure the SslContextFactory to suit your needs.
> But the error you are seeing is highly unlikely to be related to this
> default configuration change.
>
> One website running 9.3.7.v20160115 - https://webtide.com/
> The SSL report for it (Score: A) ->
> https://www.ssllabs.com/ssltest/analyze.html?d=webtide.com
>
> On Wed, Jan 20, 2016 at 1:11 PM, David Kellum <[email protected]> wrote:
>
>> My integration tests started failing when I upgraded to 9.3.7.v20160115
>> from 9.3.6. SSL connections are failing. Turning debug logging on, the
>> cause appears to be this:
>>
>> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>>
>> My testing is using pretty generic (ruby) SSL access, default client
>> settings.
>>
>> Now some conjecture—looking through the available release notes:
>>
>> https://github.com/eclipse/jetty.project/blob/jetty-9.3.x/VERSION.txt
>>
>>> 485714 Update SSL configuration to mitigate SLOTH vulnerability
>>>
>>
>> But the bugzilla issue sounds incomplete:
>>
>> https://bugs.eclipse.org/bugs/show_bug.cgi?id=485714#c2
>>
>> …and despite the claim that the change was reverted, this at least made
>> it into the release:
>>
>> https://github.com/eclipse/jetty.project/commit/0a1b0b2bc69ea7e7f5f44992f47a84f926cdeebb
>>
>> Please advise? Thanks.
>>
>> —David
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
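
The following is an added example, not part of the thread and not Jetty's own code: it applies the exclusion pattern quoted above to a server's cipher list and checks what is left in common with a client's offer, which is the condition behind "no cipher suites in common". The suite lists and the function names are constructed for illustration; they are not the actual Jetty or JRuby defaults.

```python
import re

# Exclusion pattern quoted in the thread for the 9.3.7 SLOTH change.
SLOTH_EXCLUDE = r"^.*_RSA_.*_(MD5|SHA|SHA1)$"

# Constructed sample lists (assumptions, not real Jetty/JRuby defaults).
SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
]
LEGACY_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
MODERN_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

def apply_excludes(suites, exclude_patterns):
    """Split suites into (kept, dropped); a suite is dropped when any
    pattern matches its whole name (the pattern is anchored with ^ and $)."""
    compiled = [re.compile(p) for p in exclude_patterns]
    kept, dropped = [], []
    for name in suites:
        hit = any(rx.fullmatch(name) for rx in compiled)
        (dropped if hit else kept).append(name)
    return kept, dropped

def shared(server_side, client_offered):
    """Suites present on both sides, in server order."""
    offered = set(client_offered)
    return [s for s in server_side if s in offered]

def diagnose(server_suites, client_offered, exclude_patterns):
    """Report what can still be negotiated and what the excludes took away."""
    kept, dropped = apply_excludes(server_suites, exclude_patterns)
    common = shared(kept, client_offered)
    return {
        "common": common,                                     # still negotiable
        "lost_to_excludes": shared(dropped, client_offered),  # usable before the change
        "handshake_possible": bool(common),
    }

if __name__ == "__main__":
    for label, offer in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        print(label, diagnose(SERVER_SUITES, offer, [SLOTH_EXCLUDE]))
```

An empty "common" list together with a non-empty "lost_to_excludes" list points at the exclusion change rather than at certificates or protocol versions.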
