Enable the debug logging for SslContextFactory and you should see the list of selected ciphers when your server starts up.
Joakim Erdfelt / [email protected] On Thu, Apr 21, 2016 at 5:07 PM, Steve Sobol - Lobos Studios < [email protected]> wrote: > Oddly enough, SSLContextFactory doesn't have an addIncludeCipherSuites() > method. I'm going to revert to 9.3.3 for now, until one of us comes up with > an answer. Mine, if I was creating the server instance programmatically, > would be to get the list of included ciphers, add those two, and call > setIncludeCipherSuites(), but I'm not sure how to translate that to an XML > config. > > On 4/21/2016 4:55 PM, Joakim Erdfelt wrote: > > These 2 should not have been excluded by Jetty, and should be the ones in > common for IE 8-10 > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy128 > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy256 > > Those are listed as a supported cipher suite for Java 7 and Java 8 > > https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html > > > Joakim Erdfelt / <[email protected]>[email protected] > > On Thu, Apr 21, 2016 at 4:15 PM, Greg Wilkins <[email protected]> wrote: > >> Steve, >> >> running stock jetty-9.3 in latest java8 gives me the following >> protocols and ciphers: >> >> [TLSv1, TLSv1.1, TLSv1.2] >> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 >> TLS_RSA_WITH_AES_128_CBC_SHA256 >> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 >> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 >> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA >> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA >> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 >> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >> TLS_RSA_WITH_AES_128_GCM_SHA256 >> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 >> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 >> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 >> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 >> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA >> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA >> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA >> TLS_ECDHE_ECDSA_WITH_RC4_128_SHA >> TLS_ECDH_ECDSA_WITH_RC4_128_SHA >> TLS_EMPTY_RENEGOTIATION_INFO_SCSV >> >> >> Following the link on ssllabs shows that IE 8-10 will only speak >> SSL3.0 or TLS1.0.... so TLS1.0 it will have to be. It has the >> following ciphers: >> >> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128 >> TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256 >> TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK128 >> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112 >> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Forward Secrecy128 >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Forward Secrecy256 >> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Forward Secrecy128 >> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Forward Secrecy256 >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32) Forward Secrecy2128 >> TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38) Forward Secrecy2256 >> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13) Forward Secrecy2112 >> TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK >> >> >> So there are indeed no ciphers in common! >> >> You would think that TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256 should be >> acceptable to the server as it does accept >> TLS_RSA_WITH_AES_128_CBC_SHA256 ? >> >> Let me investigate why that is not being offered.... >> >> >> >> >> >> >> On 22 April 2016 at 07:47, Steve Sobol - Lobos Studios >> <[email protected]> wrote: >> > Ok. This is not cool. After the upgrade to 9.3.8 and a modification of >> my >> > SSLContextFactory >> > >> > <?xml version="1.0"?> >> > <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" >> > "http://www.eclipse.org/jetty/configure_9_3.dtd";> >> > >> > <!-- ============================================================= --> >> > <!-- SSL ContextFactory configuration --> >> > <!-- ============================================================= --> >> > <Configure id="sslContextFactory" >> > class="org.eclipse.jetty.util.ssl.SslContextFactory"> >> > <Set name="KeyStorePath"><Property name="jetty.base" default="." >> > />/keystores/www6-production-keystore.jks</Set> >> > <Set >> > >> name="KeyStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set> >> > <Set name="TrustStorePath"><Property name="jetty.base" default="." >> > />/keystores/truststore.jks</Set> >> > <Set >> > >> name="TrustStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set> >> > <Set name="NeedClientAuth">false</Set> >> > <Set name="WantClientAuth">false</Set> >> > <Call name="addExcludeCipherSuites"> >> > <Arg> >> > <Array type="String"> >> > <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 </Item> >> > <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item> >> > </Array> >> > </Arg> >> > </Call> >> > <Set name="useCipherSuitesOrder"><Property >> > name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set> >> > </Configure> >> > >> > the weak cipher warnings are all gone, but the server only speaks TLS >> 1.2 >> > now, and a the test's simulated IE 10 connection is failing. I'm OK not >> > supporting Android browsers prior to 4.4; they're old. I'm fine not >> > supporting IE 6, 7, 8 and Safari browsers that are three versions older >> than >> > the current version (those tests all failed). But I need to support IE >> 9, 10 >> > and 11. >> > >> > >> https://www.ssllabs.com/ssltest/analyze.html?d=admin.bamidbarconnect.com >> > >> > Also, does ANYONE know how to fix the allegedly broken certificate >> chain? >> > >> > Thanks >> > >> > >> > >> > On 4/21/2016 12:59 PM, Steve Sobol - Lobos Studios wrote: >> > >> > So in the future, if I need to update the list and am not able to >> > immediately upgrade Jetty for whatever reason, I'm thinking I should use >> > >> > addExcludeCipherSuites() >> > >> > instead, yes? >> > >> > >> > On 4/21/2016 12:57 PM, Joakim Erdfelt wrote: >> > >> > When you used <Set name="ExcludeCipherSuites"> >> > >> > You undid the existing exclusions in Jetty 9.3.3 >> > >> > >> https://github.com/eclipse/jetty.project/blob/jetty-9.3.3.v20150827/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L259 >> > >> > public SslContextFactory(boolean trustAll) >> > { >> > setTrustAll(trustAll); >> > addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3"); >> > setExcludeCipherSuites( >> > "SSL_RSA_WITH_DES_CBC_SHA", >> > "SSL_DHE_RSA_WITH_DES_CBC_SHA", >> > "SSL_DHE_DSS_WITH_DES_CBC_SHA", >> > "SSL_RSA_EXPORT_WITH_RC4_40_MD5", >> > "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", >> > "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", >> > "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"); >> > } >> > >> > If you use Jetty 9.3.8, you'll find the exclusion list is more strict >> ... >> > >> > >> https://github.com/eclipse/jetty.project/blob/jetty-9.3.8.v20160314/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L255 >> > >> > public SslContextFactory(boolean trustAll) >> > { >> > setTrustAll(trustAll); >> > addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3"); >> > setExcludeCipherSuites( >> > "^.*_RSA_.*_(MD5|SHA|SHA1)$", >> > "SSL_DHE_DSS_WITH_DES_CBC_SHA", >> > "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"); >> > } >> > >> > >> > Joakim Erdfelt / [email protected] >> > >> > On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios >> > <[email protected]> wrote: >> >> >> >> Jetty 9.3.3.v20150827 >> >> >> >> I have two problems the Qualys SSL Test is reporting with one of my >> >> Jetty-hosted websites and I'm not sure how to fix them. >> >> >> >> Both are preventing this website from getting an "A" rating. I'm at a >> "B" >> >> now. >> >> >> >> First: "This server supports weak Diffie-Hellman (DH) key exchange >> >> parameters." >> >> There were a half-dozen weak ciphers I was able to disable. Only one is >> >> still being reported active: >> >> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA >> >> >> >> But I am doing this: >> >> <?xml version="1.0"?> >> >> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" >> >> "http://www.eclipse.org/jetty/configure_9_3.dtd";> >> >> >> >> <!-- ============================================================= --> >> >> <!-- SSL ContextFactory configuration --> >> >> <!-- ============================================================= --> >> >> <Configure id="sslContextFactory" >> >> class="org.eclipse.jetty.util.ssl.SslContextFactory"> >> >> <Set name="KeyStorePath"><Property name="jetty.base" default="." >> >> />/path/to/keystore.jks</Set> >> >> <Set name="KeyStorePassword">OBF:NoneYoBizness</Set> >> >> <Set name="TrustStorePath"><Property name="jetty.base" default="." >> >> />/path/to/keystore.jks</Set> >> >> <Set name="TrustStorePassword">OBF:NoneYoBizness</Set> >> >> <Set name="NeedClientAuth">false</Set> >> >> <Set name="WantClientAuth">false</Set> >> >> <Set name="ExcludeCipherSuites"> >> >> <Array type="String"> >> >> <Item>SSL_RSA_WITH_DES_CBC_SHA</Item> >> >> <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item> >> >> <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item> >> >> <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item> >> >> <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> >> >> <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item> >> >> <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item> >> >> <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item> >> >> <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item> >> >> <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item> >> >> <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item> >> >> </Array> >> >> </Set> >> >> <Set name="useCipherSuitesOrder"><Property >> >> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set> >> >> </Configure> >> >> >> >> I specifically exclude the cipher SSL Labs is complaining about. >> >> >> >> The other problem: The SSL Labs test says that my certificate chain is >> >> incomplete. But I have the Comodo certificate for the website in the >> >> server's keystore, and I have all three intermediate certificates in >> the >> >> truststore. >> >> >> >> Any ideas? >> >> >> >> Thanks. >> >> >> >> >> >> >> >> >> >> -- >> >> Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | >> >> Facebook.com/LobosStudios | @LobosStudios >> >> Web Development - Mobile Development - Helpdesk/Tech Support - Computer >> >> Sales & Service >> >> Acer Authorized Reseller - Computers, Windows and Android Tablets, >> >> Accessories >> >> >> >> Steve Sobol - CEO, Senior Developer and Server Jockey >> >> [email protected] >> >> >> >> _______________________________________________ >> >> jetty-users mailing list >> >> [email protected] >> >> To change your delivery options, retrieve your password, or unsubscribe >> >> from this list, visit >> >> https://dev.eclipse.org/mailman/listinfo/jetty-users >> > >> > >> > >> > >> > _______________________________________________ >> > jetty-users mailing list >> > [email protected] >> > To change your delivery options, retrieve your password, or unsubscribe >> from >> > this list, visit >> > https://dev.eclipse.org/mailman/listinfo/jetty-users >> > >> > >> > -- >> > Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | >> > Facebook.com/LobosStudios | @LobosStudios >> > Web Development - Mobile Development - Helpdesk/Tech Support - Computer >> > Sales & Service >> > Acer Authorized Reseller - Computers, Windows and Android Tablets, >> > Accessories >> > >> > Steve Sobol - CEO, Senior Developer and Server Jockey >> > [email protected] >> > >> > >> > -- >> > Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | >> > Facebook.com/LobosStudios | @LobosStudios >> > Web Development - Mobile Development - Helpdesk/Tech Support - Computer >> > Sales & Service >> > Acer Authorized Reseller - Computers, Windows and Android Tablets, >> > Accessories >> > >> > Steve Sobol - CEO, Senior Developer and Server Jockey >> > [email protected] >> > >> > >> > _______________________________________________ >> > jetty-users mailing list >> > [email protected] >> > To change your delivery options, retrieve your password, or unsubscribe >> from >> > this list, visit >> > https://dev.eclipse.org/mailman/listinfo/jetty-users >> >> >> >> -- >> Greg Wilkins <[email protected]> CTO http://webtide.com >> _______________________________________________ >> jetty-users mailing list >> [email protected] >> To change your delivery options, retrieve your password, or unsubscribe >> from this list, visit >> https://dev.eclipse.org/mailman/listinfo/jetty-users >> > > > > _______________________________________________ > jetty-users mailing [email protected] > To change your delivery options, retrieve your password, or unsubscribe from > this list, visithttps://dev.eclipse.org/mailman/listinfo/jetty-users > > > -- > Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | > Facebook.com/LobosStudios | @LobosStudios > Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales > & Service > Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories > > Steve Sobol - CEO, Senior Developer and Server [email protected] > > > _______________________________________________ > jetty-users mailing list > [email protected] > To change your delivery options, retrieve your password, or unsubscribe > from this list, visit > https://dev.eclipse.org/mailman/listinfo/jetty-users >
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
