Duh. Looking at your reply, again... I can just get the list, add the two required ciphers and use setIncludedCiphers.

Sorry, brain fart


On 4/21/2016 5:27 PM, Steve Sobol - Lobos Studios wrote:

Noted, but there's no way to add to the list of included ciphers like you add to the list of excluded ones.


On 4/21/2016 5:26 PM, Joakim Erdfelt wrote:
Enable the debug logging for SslContextFactory and you should see the list of selected ciphers when your server starts up.

Joakim Erdfelt / [email protected]

On Thu, Apr 21, 2016 at 5:07 PM, Steve Sobol - Lobos Studios <[email protected]> wrote:

    Oddly enough, SSLContextFactory doesn't have an
    addIncludeCipherSuites() method. I'm going to revert to 9.3.3 for
    now, until one of us comes up with an answer. Mine, if I was
    creating the server instance programmatically, would be to get
    the list of included ciphers, add those two, and call
    setIncludeCipherSuites(), but I'm not sure how to translate that
    to an XML config.


    On 4/21/2016 4:55 PM, Joakim Erdfelt wrote:
    These 2 should not have been excluded by Jetty, and should be
    the ones in common for IE 8-10

    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy   128
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy   256

    Those are listed as a supported cipher suite for Java 7 and Java 8
    
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html


    Joakim Erdfelt / [email protected] <mailto:[email protected]>

    On Thu, Apr 21, 2016 at 4:15 PM, Greg Wilkins
    <[email protected]> wrote:

        Steve,

        running stock jetty-9.3 in latest java8 gives me the following
        protocols and ciphers:

        [TLSv1, TLSv1.1, TLSv1.2]
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        TLS_RSA_WITH_AES_128_CBC_SHA256
        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
        TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
        TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
        TLS_ECDH_ECDSA_WITH_RC4_128_SHA
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV


        Following the link on ssllabs shows that IE 8-10 will only speak
        SSL3.0 or TLS1.0.... so TLS1.0 it will have to be.  It has the
        following ciphers:

        TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)                              128
        TLS_RSA_WITH_AES_256_CBC_SHA (0x35)                              256
        TLS_RSA_WITH_RC4_128_SHA (0x5)                 WEAK              128
        TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)                              112
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)    Forward Secrecy   128
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)    Forward Secrecy   256
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)  Forward Secrecy   128
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)  Forward Secrecy   256
        TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)        Forward Secrecy²  128
        TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)        Forward Secrecy²  256
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)       Forward Secrecy²  112
        TLS_RSA_WITH_RC4_128_MD5 (0x4)                 WEAK


        So there are indeed no ciphers in common!

        You would think that TLS_RSA_WITH_AES_256_CBC_SHA (0x35) should be
        acceptable to the server as it does accept
        TLS_RSA_WITH_AES_128_CBC_SHA256 ?

        Let me investigate why that is not being offered....






        On 22 April 2016 at 07:47, Steve Sobol - Lobos Studios
        <[email protected] <mailto:[email protected]>> wrote:
        > Ok. This is not cool. After the upgrade to 9.3.8 and a modification of my
        > SSLContextFactory
        >
        > <?xml version="1.0"?>
        > <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
        >   "http://www.eclipse.org/jetty/configure_9_3.dtd">
        >
        > <!-- ============================================================= -->
        > <!-- SSL ContextFactory configuration                              -->
        > <!-- ============================================================= -->
        > <Configure id="sslContextFactory"
        >            class="org.eclipse.jetty.util.ssl.SslContextFactory">
        >   <Set name="KeyStorePath"><Property name="jetty.base" default="." />/keystores/www6-production-keystore.jks</Set>
        >   <Set name="KeyStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
        >   <Set name="TrustStorePath"><Property name="jetty.base" default="." />/keystores/truststore.jks</Set>
        >   <Set name="TrustStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
        >   <Set name="NeedClientAuth">false</Set>
        >   <Set name="WantClientAuth">false</Set>
        >   <Call name="addExcludeCipherSuites">
        >     <Arg>
        >       <Array type="String">
        >         <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
        >         <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
        >       </Array>
        >     </Arg>
        >   </Call>
        >   <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
        > </Configure>
        >
        > the weak cipher warnings are all gone, but the server only speaks TLS 1.2
        > now, and the test's simulated IE 10 connection is failing. I'm OK not
        > supporting Android browsers prior to 4.4; they're old. I'm fine not
        > supporting IE 6, 7, 8 and Safari browsers that are three versions older than
        > the current version (those tests all failed). But I need to support IE 9, 10
        > and 11.
        >
        > https://www.ssllabs.com/ssltest/analyze.html?d=admin.bamidbarconnect.com
        >
        > Also, does ANYONE know how to fix the allegedly broken certificate chain?
        >
        > Thanks
        >
        >
        >
        > On 4/21/2016 12:59 PM, Steve Sobol - Lobos Studios wrote:
        >
        > So in the future, if I need to update the list and am not able to
        > immediately upgrade Jetty for whatever reason, I'm thinking I should use
        >
        > addExcludeCipherSuites()
        >
        > instead, yes?
        >
        >
        > On 4/21/2016 12:57 PM, Joakim Erdfelt wrote:
        >
        > When you used <Set name="ExcludeCipherSuites">
        >
        > You undid the existing exclusions in Jetty 9.3.3
        >
        >
        
https://github.com/eclipse/jetty.project/blob/jetty-9.3.3.v20150827/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L259
        >
        >     public SslContextFactory(boolean trustAll)
        >     {
        >         setTrustAll(trustAll);
        >         addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
        >         setExcludeCipherSuites(
        >                 "SSL_RSA_WITH_DES_CBC_SHA",
        >                 "SSL_DHE_RSA_WITH_DES_CBC_SHA",
        >                 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
        >                 "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
        >                 "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
        >                 "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
        >                 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
        >     }
        >
        > If you use Jetty 9.3.8, you'll find the exclusion list is more strict ...
        >
        >
        
https://github.com/eclipse/jetty.project/blob/jetty-9.3.8.v20160314/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L255
        >
        >     public SslContextFactory(boolean trustAll)
        >     {
        >         setTrustAll(trustAll);
        >         addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
        >         setExcludeCipherSuites(
        >                 "^.*_RSA_.*_(MD5|SHA|SHA1)$",
        >                 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
        >                 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
        >     }
        >
        >
        > Joakim Erdfelt / [email protected]
        >
        > On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios
        > <[email protected] <mailto:[email protected]>> wrote:
        >>
        >> Jetty 9.3.3.v20150827
        >>
        >> I have two problems the Qualys SSL Test is reporting with one of my
        >> Jetty-hosted websites and I'm not sure how to fix them.
        >>
        >> Both are preventing this website from getting an "A" rating. I'm at a "B"
        >> now.
        >>
        >> First: "This server supports weak Diffie-Hellman (DH) key exchange
        >> parameters."
        >> There were a half-dozen weak ciphers I was able to disable. Only one is
        >> still being reported active:
        >> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        >>
        >> But I am doing this:
        >> <?xml version="1.0"?>
        >> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
        >>   "http://www.eclipse.org/jetty/configure_9_3.dtd">
        >>
        >> <!-- ============================================================= -->
        >> <!-- SSL ContextFactory configuration                              -->
        >> <!-- ============================================================= -->
        >> <Configure id="sslContextFactory"
        >>            class="org.eclipse.jetty.util.ssl.SslContextFactory">
        >>   <Set name="KeyStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
        >>   <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
        >>   <Set name="TrustStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
        >>   <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
        >>   <Set name="NeedClientAuth">false</Set>
        >>   <Set name="WantClientAuth">false</Set>
        >>   <Set name="ExcludeCipherSuites">
        >>     <Array type="String">
        >>       <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        >>       <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        >>       <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        >>       <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        >>       <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        >>       <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        >>       <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
        >>       <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
        >>       <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        >>       <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
        >>       <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        >>     </Array>
        >>   </Set>
        >>   <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
        >> </Configure>
        >>
        >> I specifically exclude the cipher SSL Labs is complaining about.
        >>
        >> The other problem: The SSL Labs test says that my certificate chain is
        >> incomplete. But I have the Comodo certificate for the website in the
        >> server's keystore, and I have all three intermediate certificates in the
        >> truststore.
        >>
        >> Any ideas?
        >>
        >> Thanks.
        >>
        >>
        >>
        >> --
        >> Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
        >> Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
        >> Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories
        >>
        >> Steve Sobol - CEO, Senior Developer and Server Jockey
        >> [email protected] <mailto:[email protected]>
        >>
        >> _______________________________________________
        >> jetty-users mailing list
        >> [email protected] <mailto:[email protected]>
        >> To change your delivery options, retrieve your password, or unsubscribe
        >> from this list, visit
        >> https://dev.eclipse.org/mailman/listinfo/jetty-users
        >
        >
        >
        >
        >
        >



        --
        Greg Wilkins <[email protected] <mailto:[email protected]>>
        CTO http://webtide.com












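The thread rests on two rules of Jetty 9.3's SslContextFactory that nobody checks end to end: <Set name="ExcludeCipherSuites"> replaces the default exclusions while <Call name="addExcludeCipherSuites"> appends to them, and the 9.3.8 default pattern ^.*_RSA_.*_(MD5|SHA|SHA1)$ removes every RSA-authenticated suite with a SHA-1 or MD5 MAC. What follows is an added example, not Jetty code and not from any participant: a small Python model of Jetty's documented selection order (include list first, exclusions applied last, so an exclusion always wins) run over the IE 8-10 suite list Greg pasted and the two default exclusion lists Joakim quoted. It adds one check the thread never makes: a suite is only negotiable when its authentication algorithm matches the server certificate's key type (an ECDHE_ECDSA suite needs an EC certificate, a DHE_DSS suite a DSA one), so an include list holding the two ECDSA suites does nothing for a server with an RSA certificate. The thread never states the key type of the Comodo certificate; the RSA case below is an assumption, and required_cert_key, negotiable_with_cert and the ie_* helpers are mine.

```python
"""Model of Jetty 9.3 cipher-suite selection (added example, not Jetty code).

Re-implements the documented SslContextFactory rules: an empty include list
means "start from what the JDK enables", otherwise start from the supported
suites that match an include pattern; exclusions are applied afterwards, so
an excluded suite stays off even when it is also included.  The default
exclusion lists are copied from the 9.3.3 and 9.3.8 constructors quoted in
the thread; IE_8_10_SUITES is the SSL Labs client list pasted in the thread.
The certificate-key check is an assumption added here.
"""
import re

# Jetty 9.3.3 default exclusions: literal suite names only.
JETTY_9_3_3_EXCLUDES = [
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
]

# Jetty 9.3.8 default exclusions: one regex that drops every
# RSA-authenticated suite with a SHA-1 or MD5 MAC, plus two literals.
JETTY_9_3_8_EXCLUDES = [
    r"^.*_RSA_.*_(MD5|SHA|SHA1)$",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
]

# Suites the SSL Labs IE 8-10 simulation offers, in the order pasted.
IE_8_10_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]


def _matches(pattern, suite):
    """Jetty compiles each list entry as a regex; a plain name matches only itself."""
    return re.fullmatch(pattern, suite) is not None


def select_cipher_suites(enabled, supported, include=(), exclude=()):
    """Return the suites Jetty would leave enabled, preserving order."""
    if include:
        selected = [s for s in supported if any(_matches(p, s) for p in include)]
    else:
        selected = list(enabled)
    # Exclusion runs last, so it overrides anything the include list added.
    return [s for s in selected if not any(_matches(p, s) for p in exclude)]


def required_cert_key(suite):
    """Key type the server certificate must hold for `suite` to be usable.

    Static-ECDH suites (TLS_ECDH_*) carry the server's EC key in the
    certificate; their RSA/ECDSA suffix names only the CA signature.
    Anonymous suites and signalling values such as the SCSV need no key.
    """
    if "_anon_" in suite:
        return None
    if suite.startswith("TLS_ECDH_") or "_ECDSA_" in suite:
        return "EC"
    if "_DSS_" in suite:
        return "DSA"
    if "_RSA_" in suite:
        return "RSA"
    return None


def negotiable_with_cert(suites, cert_key):
    """Keep only the suites whose authentication matches the certificate key."""
    return [s for s in suites if required_cert_key(s) == cert_key]


def ie_survivors(excludes):
    """IE 8-10 suites that a Jetty with the given exclusion list still accepts."""
    return select_cipher_suites(IE_8_10_SUITES, IE_8_10_SUITES, exclude=excludes)


def ie_negotiable(excludes, cert_key, include=()):
    """IE 8-10 suites a handshake can actually settle on, given the certificate."""
    selected = select_cipher_suites(IE_8_10_SUITES, IE_8_10_SUITES, include, excludes)
    return negotiable_with_cert(selected, cert_key)


if __name__ == "__main__":
    for label, excl in (("9.3.3", JETTY_9_3_3_EXCLUDES), ("9.3.8", JETTY_9_3_8_EXCLUDES)):
        print(label, "accepts from IE 8-10:", ie_survivors(excl))
        print(label, "negotiable with an RSA certificate:", ie_negotiable(excl, "RSA"))
    # The include-list plan from the top of the thread, on an RSA certificate:
    print("ECDSA include list, RSA certificate:", ie_negotiable(
        JETTY_9_3_8_EXCLUDES, "RSA",
        include=["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
                 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"]))
```

Under the 9.3.3 defaults all twelve IE suites survive and seven of them are RSA-authenticated; under the 9.3.8 defaults five survive, all ECDSA or DSS, and none is negotiable with an RSA certificate, which is the handshake failure SSL Labs reported. In Jetty XML the include list is written the same way the page writes the exclude list, <Set name="IncludeCipherSuites"> with an <Array type="String">, but because exclusion is applied last, an RSA suite such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA can only come back under 9.3.8 by replacing the default exclusion list with a narrower one (<Set name="ExcludeCipherSuites">), not by including it. Joakim's suggestion of enabling debug logging for SslContextFactory is the way to confirm what the real server selected.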

Reply via email to
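Both configurations quoted above carry their keystore and truststore passwords as OBF: strings. Jetty documents OBF: as obfuscation that keeps a password out of casual view, not as encryption: there is no key, and anyone who can read the file (or this list archive) recovers the plaintext. The following is an added example, not part of any message above and not Jetty's code: a Python re-implementation of the encoding used by org.eclipse.jetty.util.security.Password, round-tripped on constructed passwords. The only value taken from the page is the OBF: prefix; SAMPLE_PASSWORDS are made up for the example and none of the page's own OBF: values is decoded here.

```python
"""Jetty's OBF: password encoding, re-implemented in Python (added example,
not Jetty code).  Follows the algorithm of
org.eclipse.jetty.util.security.Password: each output group encodes one
byte of the password together with its mirror-image byte from the other
end, in base 36.  No key is involved, so decoding needs only the string.
SAMPLE_PASSWORDS are constructed for this example.
"""

OBF_PREFIX = "OBF:"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
SAMPLE_PASSWORDS = ["password", "s3cr3t-k3yst0re", "pässwörd"]


def _base36(n):
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(_DIGITS[r])
    return "".join(reversed(out)) or "0"


def obfuscate(password):
    """Encode like Password.obfuscate(): four base-36 chars per byte, or
    'U' plus four chars when either byte of the pair is >= 0x80 (a
    negative Java byte)."""
    data = password.encode("utf-8")
    n = len(data)
    out = [OBF_PREFIX]
    for i in range(n):
        b1, b2 = data[i], data[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            out.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2   # sum and difference, both kept non-negative
            i2 = 127 + b1 - b2
            out.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(obf):
    """Invert obfuscate(); only b1 is needed, the mirrored b2 is redundant."""
    if obf.startswith(OBF_PREFIX):
        obf = obf[len(OBF_PREFIX):]
    out = bytearray()
    i = 0
    while i < len(obf):
        if obf[i] == "U":
            code = int(obf[i + 1:i + 5], 36)
            out.append(code >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(obf[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)   # i1 + i2 == 254 + 2 * b1
            i += 4
    return out.decode("utf-8")


def round_trips(passwords=SAMPLE_PASSWORDS):
    """True when every sample survives obfuscate() followed by deobfuscate()."""
    return all(deobfuscate(obfuscate(p)) == p for p in passwords)


if __name__ == "__main__":
    for p in SAMPLE_PASSWORDS:
        print(p, "->", obfuscate(p))
    print("round trips:", round_trips())
```

The practical consequence for the thread: an OBF: value pasted into a public list is equivalent to the plaintext keystore password, and the keystore it protects holds the site's private key, so the password should be rotated after being shared. Jetty's own tooling performs the same reversal, which is why the Jetty documentation reserves OBF: for keeping passwords out of shoulder-surfing range and nothing more.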