Well yeah, that's the thing, I do have them. With Apache I just have them bundled in a single file and I use the SSLCertificateChainFile directive (I believe) to point to them. I tried putting the CA certs in the truststore. Didn't work. Tried putting them in the keystore with the website certs. Didn't work.

So, I'm a little lost. :(

Thanks :)


On 4/22/2016 10:49 AM, Peter Ondruška wrote:
According to Qualys you are missing certificates listed in Certification Paths, are you really sure you have them? Your server only provides the server certificate and hence the error/warning.

On 22 April 2016 at 15:51, Steve Sobol - Lobos Studios <[email protected]> wrote:

    Yes. It doesn't work with Qualys, and openssl s_client is
    reporting error 21, unable to verify the first certificate.

    Also, I grabbed the list of supported certificates from the logs,
    and I put them into my SSLContextFactory config and added the two
    missing ones, and it doesn't matter - TLS 1.0 is still not available.

    Tried putting all of the CA certs in the keystore with the website
    certs, too. No love.


    On 4/21/2016 11:23 PM, Peter Ondruška wrote:
    As for the broken certificate chain, are you sure you included
    all the certificates in chain (including root, all intermediaries)?

    On 21 April 2016 at 23:47, Steve Sobol - Lobos Studios <[email protected]> wrote:

        Ok. This is not cool. After the upgrade to 9.3.8 and a
        modification of my SSLContextFactory

        <?xml version="1.0"?>
        <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

        <!-- ============================================================= -->
        <!-- SSL ContextFactory configuration                              -->
        <!-- ============================================================= -->
        <Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
          <Set name="KeyStorePath"><Property name="jetty.base" default="." />/keystores/www6-production-keystore.jks</Set>
          <Set name="KeyStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
          <Set name="TrustStorePath"><Property name="jetty.base" default="." />/keystores/truststore.jks</Set>
          <Set name="TrustStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
          <Set name="NeedClientAuth">false</Set>
          <Set name="WantClientAuth">false</Set>
          <Call name="addExcludeCipherSuites">
            <Arg>
              <Array type="String">
                <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
                <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
              </Array>
            </Arg>
          </Call>
          <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
        </Configure>

        the weak cipher warnings are all gone, but the server only
        speaks TLS 1.2 now, and the test's simulated IE 10
        connection is failing. I'm OK not supporting Android browsers
        prior to 4.4; they're old. I'm fine not supporting IE 6, 7, 8
        and Safari browsers that are three versions older than the
        current version (those tests all failed). But I need to
        support IE 9, 10 and 11.

        https://www.ssllabs.com/ssltest/analyze.html?d=admin.bamidbarconnect.com

        Also, does ANYONE know how to fix the allegedly broken
        certificate chain?

        Thanks


        On 4/21/2016 12:59 PM, Steve Sobol - Lobos Studios wrote:

        So in the future, if I need to update the list and am not
        able to immediately upgrade Jetty for whatever reason, I'm
        thinking I should use

        addExcludeCipherSuites()

        instead, yes?


        On 4/21/2016 12:57 PM, Joakim Erdfelt wrote:
        When you used <Set name="ExcludeCipherSuites">

        You undid the existing exclusions in Jetty 9.3.3

        https://github.com/eclipse/jetty.project/blob/jetty-9.3.3.v20150827/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L259

            public SslContextFactory(boolean trustAll)
            {
                setTrustAll(trustAll);
                addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
                setExcludeCipherSuites(
                    "SSL_RSA_WITH_DES_CBC_SHA",
                    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
                    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
                    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
                    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
                    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
            }

        If you use Jetty 9.3.8, you'll find the exclusion list is
        more strict ...

        https://github.com/eclipse/jetty.project/blob/jetty-9.3.8.v20160314/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L255

            public SslContextFactory(boolean trustAll)
            {
                setTrustAll(trustAll);
                addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
                setExcludeCipherSuites(
                    "^.*_RSA_.*_(MD5|SHA|SHA1)$",
                    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
                    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
            }


        Joakim Erdfelt / [email protected]

        On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios <[email protected]> wrote:

            Jetty 9.3.3.v20150827

            I have two problems the Qualys SSL Test is reporting
            with one of my Jetty-hosted websites and I'm not sure
            how to fix them.

            Both are preventing this website from getting an "A"
            rating. I'm at a "B" now.

            First: "This server supports weak Diffie-Hellman (DH)
            key exchange parameters."
            There were a half-dozen weak ciphers I was able to
            disable. Only one is still being reported active:
            TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

            But I am doing this:
            <?xml version="1.0"?>
            <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

            <!-- ============================================================= -->
            <!-- SSL ContextFactory configuration                              -->
            <!-- ============================================================= -->
            <Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
              <Set name="KeyStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
              <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
              <Set name="TrustStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
              <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
              <Set name="NeedClientAuth">false</Set>
              <Set name="WantClientAuth">false</Set>
              <Set name="ExcludeCipherSuites">
                <Array type="String">
                  <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                  <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                  <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                  <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                  <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                  <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                  <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
                  <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
                  <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
                </Array>
              </Set>
              <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
            </Configure>

            I specifically exclude the cipher SSL Labs is
            complaining about.

            The other problem: The SSL Labs test says that my
            certificate chain is incomplete. But I have the Comodo
            certificate for the website in the server's keystore,
            and I have all three intermediate certificates in the
            truststore.

            Any ideas?

            Thanks.




-- Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com
            | Facebook.com/LobosStudios | @LobosStudios
            Web Development - Mobile Development - Helpdesk/Tech
            Support - Computer Sales & Service
            Acer Authorized Reseller - Computers, Windows and
            Android Tablets, Accessories

            Steve Sobol - CEO, Senior Developer and Server Jockey
            [email protected]

            _______________________________________________
            jetty-users mailing list
            [email protected]
            To change your delivery options, retrieve your
            password, or unsubscribe from this list, visit
            https://dev.eclipse.org/mailman/listinfo/jetty-users

    kaibo, s.r.o., ID 28435036, registered with the commercial
    register administered by the Municipal Court in Prague, section
    C, insert 141269.
    Registered office and postal address: kaibo, s.r.o., Kališnická
    379/10, Prague 3, 130 00, Czech Republic.
    https://www.kaibo.eu

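An added example (my own model, not code from this thread or from Jetty) of how the SslContextFactory exclusion list discussed above takes effect, and why the Jetty 9.3.8 default `^.*_RSA_.*_(MD5|SHA|SHA1)$` leaves only TLS 1.2 reachable. It assumes exclusions behave as in Jetty's removeExcludedCipherSuites(), which compiles each entry as a regex matched against the whole suite name; the suite table with its per-suite minimum protocol version is a constructed subset that assumes an RSA server certificate.

```python
import re

# Constructed subset of the RSA-authenticated suites a Java 8 JSSE provider
# enables, mapped to the lowest protocol each is defined for: SHA-1-MAC suites
# are the only ones usable on TLS 1.0/1.1; SHA256/GCM suites need TLS 1.2.
SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "TLSv1.2",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "TLSv1.2",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "TLSv1",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "TLSv1.2",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": "TLSv1.2",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "TLSv1",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": "TLSv1",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "TLSv1",
    "SSL_RSA_WITH_DES_CBC_SHA": "TLSv1",
}

# Constructor defaults quoted in the thread for each Jetty version.
JETTY_9_3_3_DEFAULTS = [
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
]
JETTY_9_3_8_DEFAULTS = [
    "^.*_RSA_.*_(MD5|SHA|SHA1)$", "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
]


def effective_excludes(defaults, set_list=None, add_list=None):
    """<Set name="ExcludeCipherSuites"> replaces the defaults (set_list);
    <Call name="addExcludeCipherSuites"> appends to them (add_list)."""
    base = list(set_list) if set_list is not None else list(defaults)
    return base + list(add_list or [])


def remove_excluded(suites, exclude_patterns):
    """Model of Jetty's removeExcludedCipherSuites() (assumed behaviour):
    each entry is compiled as a regex and must match the WHOLE suite name,
    so a literal removes only itself while ^.*_RSA_.*_SHA$ sweeps a family."""
    kept = list(suites)
    for pat in exclude_patterns:
        rx = re.compile(pat)
        kept = [s for s in kept if not rx.fullmatch(s)]
    return kept


def usable_protocols(kept):
    """Protocol versions that still have at least one enabled suite."""
    return sorted({SUITES[s] for s in kept})
```

Running the 9.3.8 defaults plus the two addExcludeCipherSuites entries through this model leaves only the ECDHE SHA256 suites, hence no suite a TLS 1.0/1.1 client can negotiate; regaining those clients on 9.3.8 means replacing the default list with explicit names via <Set name="ExcludeCipherSuites"> rather than appending to it.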