Oddly enough, SSLContextFactory doesn't have an addIncludeCipherSuites() method. I'm going to revert to 9.3.3 for now, until one of us comes up with an answer. Mine, if I was creating the server instance programmatically, would be to get the list of included ciphers, add those two, and call setIncludeCipherSuites(), but I'm not sure how to translate that to an XML config.

On 4/21/2016 4:55 PM, Joakim Erdfelt wrote:
These 2 should not have been excluded by Jetty, and should be the ones in common for IE 8-10

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy   128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy   256

Those are listed as a supported cipher suite for Java 7 and Java 8
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html


Joakim Erdfelt / [email protected]

On Thu, Apr 21, 2016 at 4:15 PM, Greg Wilkins <[email protected]> wrote:

    Steve,

    running stock jetty-9.3 in latest java8 gives me the following
    protocols and ciphers:

    [TLSv1, TLSv1.1, TLSv1.2]
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV


    Following the link on ssllabs shows that IE 8-10 will only speak
    SSL3.0 or TLS1.0.... so TLS1.0 it will have to be.  It has the
    following ciphers:

    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   256
    TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK   128
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   112
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy   128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy   256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy   128
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy   256
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy2   128
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)   Forward Secrecy2   256
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)   Forward Secrecy2   112
    TLS_RSA_WITH_RC4_128_MD5 (0x4)   WEAK


    So there are indeed no ciphers in common!

    You would think that TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 should be
    acceptable to the server as it does accept
    TLS_RSA_WITH_AES_128_CBC_SHA256 ?

    Let me investigate why that is not being offered....






    On 22 April 2016 at 07:47, Steve Sobol - Lobos Studios
    <[email protected]> wrote:
    > Ok. This is not cool. After the upgrade to 9.3.8 and a modification of my
    > SSLContextFactory
    >
    > <?xml version="1.0"?>
    > <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
    > "http://www.eclipse.org/jetty/configure_9_3.dtd">
    >
    > <!-- ============================================================= -->
    > <!-- SSL ContextFactory configuration                              -->
    > <!-- ============================================================= -->
    > <Configure id="sslContextFactory"
    > class="org.eclipse.jetty.util.ssl.SslContextFactory">
    >   <Set name="KeyStorePath"><Property name="jetty.base" default="." />/keystores/www6-production-keystore.jks</Set>
    >   <Set name="KeyStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
    >   <Set name="TrustStorePath"><Property name="jetty.base" default="." />/keystores/truststore.jks</Set>
    >   <Set name="TrustStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
    >   <Set name="NeedClientAuth">false</Set>
    >   <Set name="WantClientAuth">false</Set>
    >   <Call name="addExcludeCipherSuites">
    >     <Arg>
    >       <Array type="String">
    >         <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 </Item>
    >         <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
    >       </Array>
    >     </Arg>
    >   </Call>
    >   <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
    > </Configure>
    >
    > the weak cipher warnings are all gone, but the server only speaks TLS 1.2
    > now, and the test's simulated IE 10 connection is failing. I'm OK not
    > supporting Android browsers prior to 4.4; they're old. I'm fine not
    > supporting IE 6, 7, 8 and Safari browsers that are three versions older than
    > the current version (those tests all failed). But I need to support IE 9, 10
    > and 11.
    >
    > https://www.ssllabs.com/ssltest/analyze.html?d=admin.bamidbarconnect.com
    >
    > Also, does ANYONE know how to fix the allegedly broken certificate chain?
    >
    > Thanks
    >
    >
    >
    > On 4/21/2016 12:59 PM, Steve Sobol - Lobos Studios wrote:
    >
    > So in the future, if I need to update the list and am not able to
    > immediately upgrade Jetty for whatever reason, I'm thinking I should use
    >
    > addExcludeCipherSuites()
    >
    > instead, yes?
    >
    >
    > On 4/21/2016 12:57 PM, Joakim Erdfelt wrote:
    >
    > When you used <Set name="ExcludeCipherSuites">
    >
    > You undid the existing exclusions in Jetty 9.3.3
    >
    >
    > https://github.com/eclipse/jetty.project/blob/jetty-9.3.3.v20150827/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L259
    >
    >     public SslContextFactory(boolean trustAll)
    >     {
    >         setTrustAll(trustAll);
    >         addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
    >         setExcludeCipherSuites(
    >                 "SSL_RSA_WITH_DES_CBC_SHA",
    >                 "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    >                 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    >                 "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    >                 "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    >                 "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    >                 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
    >     }
    >
    > If you use Jetty 9.3.8, you'll find the exclusion list is more strict ...
    >
    > https://github.com/eclipse/jetty.project/blob/jetty-9.3.8.v20160314/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L255
    >
    >     public SslContextFactory(boolean trustAll)
    >     {
    >         setTrustAll(trustAll);
    >         addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
    >         setExcludeCipherSuites(
    >                 "^.*_RSA_.*_(MD5|SHA|SHA1)$",
    >                 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    >                 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
    >     }
    >
    >
    > Joakim Erdfelt / [email protected]
    >
    > On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios
    > <[email protected]> wrote:
    >>
    >> Jetty 9.3.3.v20150827
    >>
    >> I have two problems the Qualys SSL Test is reporting with one of my
    >> Jetty-hosted websites and I'm not sure how to fix them.
    >>
    >> Both are preventing this website from getting an "A" rating. I'm at a "B"
    >> now.
    >>
    >> First: "This server supports weak Diffie-Hellman (DH) key exchange
    >> parameters."
    >> There were a half-dozen weak ciphers I was able to disable. Only one is
    >> still being reported active:
    >> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    >>
    >> But I am doing this:
    >> <?xml version="1.0"?>
    >> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
    >> "http://www.eclipse.org/jetty/configure_9_3.dtd">
    >>
    >> <!-- ============================================================= -->
    >> <!-- SSL ContextFactory configuration                              -->
    >> <!-- ============================================================= -->
    >> <Configure id="sslContextFactory"
    >> class="org.eclipse.jetty.util.ssl.SslContextFactory">
    >>   <Set name="KeyStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
    >>   <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
    >>   <Set name="TrustStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
    >>   <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
    >>   <Set name="NeedClientAuth">false</Set>
    >>   <Set name="WantClientAuth">false</Set>
    >>   <Set name="ExcludeCipherSuites">
    >>     <Array type="String">
    >>       <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    >>       <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    >>       <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    >>       <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    >>       <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    >>       <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    >>       <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    >>       <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
    >>       <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    >>       <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
    >>       <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
    >>     </Array>
    >>   </Set>
    >>   <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
    >> </Configure>
    >>
    >> I specifically exclude the cipher SSL Labs is complaining about.
    >>
    >> The other problem: The SSL Labs test says that my certificate chain is
    >> incomplete. But I have the Comodo certificate for the website in the
    >> server's keystore, and I have all three intermediate certificates in the
    >> truststore.
    >>
    >> Any ideas?
    >>
    >> Thanks.
    >>
    >>
    >>
    >>
    >> --
    >> Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com |
    >> Facebook.com/LobosStudios | @LobosStudios
    >> Web Development - Mobile Development - Helpdesk/Tech Support - Computer
    >> Sales & Service
    >> Acer Authorized Reseller - Computers, Windows and Android Tablets,
    >> Accessories
    >>
    >> Steve Sobol - CEO, Senior Developer and Server Jockey
    >> [email protected]
    >>
    >> _______________________________________________
    >> jetty-users mailing list
    >> [email protected]
    >> To change your delivery options, retrieve your password, or unsubscribe
    >> from this list, visit
    >> https://dev.eclipse.org/mailman/listinfo/jetty-users



    --
    Greg Wilkins <[email protected]> CTO
    http://webtide.com
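An added example, not part of the thread and not Jetty's own code: it applies the two default exclude lists quoted from `SslContextFactory` (9.3.3 and 9.3.8) to the IE 8-10 suites listed in the thread and reports which ones stay enabled. It assumes each exclude entry is a regular expression that must match the whole suite name; the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not Jetty source: which IE 8-10 suites survive each default exclude list?
public class ExcludeListCheck {
    // Exclude entries copied from the two SslContextFactory constructors quoted in the thread.
    static final String[] JETTY_9_3_3 = {
        "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
        "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" };
    static final String[] JETTY_9_3_8 = {
        "^.*_RSA_.*_(MD5|SHA|SHA1)$", "SSL_DHE_DSS_WITH_DES_CBC_SHA",
        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" };
    // TLS 1.0 suites SSL Labs reports for IE 8-10, as listed in the thread.
    static final String[] IE_8_10 = {
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5" };

    // Assumption: every exclude entry is a regex that must match the whole suite name.
    static boolean isExcluded(String suite, String[] excludes) {
        for (String entry : excludes)
            if (Pattern.matches(entry, suite)) return true;
        return false;
    }

    // Suites from 'offered' that the exclude list leaves enabled.
    static List<String> survivors(String[] offered, String[] excludes) {
        List<String> kept = new ArrayList<>();
        for (String suite : offered)
            if (!isExcluded(suite, excludes)) kept.add(suite);
        return kept;
    }

    public static void main(String[] args) {
        for (String[] excludes : new String[][] { JETTY_9_3_3, JETTY_9_3_8 }) {
            List<String> kept = survivors(IE_8_10, excludes);
            System.out.println(kept.size() + " of " + IE_8_10.length + " kept: " + kept);
            // In this list, the suites that need an RSA server key have _RSA_ in the name.
            int rsa = 0;
            for (String s : kept) if (s.contains("_RSA_")) rsa++;
            System.out.println("  usable with an RSA certificate: " + rsa);
        }
    }
}
```

With the 9.3.8 entries, the only IE 8-10 suites left are the ECDHE_ECDSA and DHE_DSS ones, which require an ECDSA or DSA server key rather than an RSA one.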