When it comes to running a server with TLS/SSL on the public internet, there is one fundamental truth.
*You have to stay up to date.*

Your use of Java 1.7 means you practically have no solution left for you.

Why?

You are doing the right thing by excluding the vulnerable protocols: SSL, SSLv2, SSLv3, TLSv1, and TLSv1.1. That assumes that you'll use TLSv1.2, but TLSv1.2 support in Java 1.7 was reserved for clients, not servers.

Can you enable TLSv1.2 on Java 1.7 for servers? In some versions of Java 1.7 you can, but that support is very preliminary and has many known issues.

If you absolutely must stick with Java 1.7 and Jetty 9.2.x, then consider putting a more up to date SSL offloader in front of your application. Some product like haproxy, nginx, etc., and keep that product up to date!

Or, upgrade to Java 1.8 at a minimum, as that has the proper TLSv1.2 support you are needing.

If you need TLSv1.3 you'll need to upgrade to Java 11 (11.0.4+ to have most of the TLSv1.3 support issues fixed).

Joakim Erdfelt / [email protected]

On Mon, Sep 23, 2019 at 5:52 AM RJC 2009 <[email protected]> wrote:
> Hi,
>
> Please guide on how to properly deploy Diffie-Hellman on my server. I am
> using Jetty 9.2.9 with jdk1.7.
>
> This is my current configuration in jetty-ssl.xml but SSL scan report
> shows that "This server supports insecure Diffie-Hellman (DH) key exchange
> parameters (Logjam)"
>
>   <Set name="ExcludeCipherSuites">
>     <Array type="String">
>       <Item>.*NULL.*</Item>
>       <Item>.*RC4.*</Item>
>       <Item>.*MD5.*</Item>
>       <Item>.*DES.*</Item>
>       <Item>.*DSS.*</Item>
>     </Array>
>   </Set>
>
>   <!-- Enable Forward Secrecy Ciphers.
>        Note: this replaces the default Include Cipher list -->
>   <Set name="IncludeCipherSuites">
>     <Array type="String">
>       <Item>TLS_DHE_RSA.*</Item>
>       <Item>TLS_ECDHE.*</Item>
>     </Array>
>   </Set>
>
>   <!-- Eliminate Insecure Protocols -->
>   <Call name="addExcludeProtocols">
>     <Arg>
>       <Array type="java.lang.String">
>         <Item>SSL</Item>
>         <Item>SSLv2</Item>
>         <Item>SSLv2Hello</Item>
>         <Item>SSLv3</Item>
>         <Item>TLSv1</Item>
>         <Item>TLSv1.1</Item>
>       </Array>
>     </Arg>
>   </Call>
>
> Regards
> Rjc
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
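To see concretely what the posted IncludeCipherSuites/ExcludeCipherSuites patterns leave enabled, here is an added Python example (not part of the thread and not Jetty's own code) that parses a constructed copy of that XML fragment and applies an assumed model of Jetty's SslContextFactory selection (include regexes are full matches taken in order, then exclude regexes remove matches) to a constructed list of JSSE suite names. It makes visible that the TLS_DHE_RSA.* suites survive the filter, so the DH group size the scanner flagged is decided by the JVM rather than by this XML, which is why the reply above points at upgrading Java or offloading TLS.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the jetty-ssl.xml in the thread (root element added so it parses).
JETTY_SSL_XML = """<Configure>
  <Set name="ExcludeCipherSuites"><Array type="String">
    <Item>.*NULL.*</Item><Item>.*RC4.*</Item><Item>.*MD5.*</Item>
    <Item>.*DES.*</Item><Item>.*DSS.*</Item>
  </Array></Set>
  <Set name="IncludeCipherSuites"><Array type="String">
    <Item>TLS_DHE_RSA.*</Item><Item>TLS_ECDHE.*</Item>
  </Array></Set>
</Configure>"""

# Constructed sample of JSSE suite names a JDK might report as supported.
SUPPORTED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

def patterns(xml_text, setting):
    """Regexes listed as <Item>s under <Set name=setting>."""
    return [item.text.strip() for s in ET.fromstring(xml_text).iter("Set")
            if s.get("name") == setting for item in s.iter("Item")]

def select_cipher_suites(supported, include, exclude):
    """Assumed model of Jetty's selection: a non-empty include list keeps every
    supported suite fully matching one of its regexes (in include order); then
    any suite fully matching an exclude regex is dropped (hence the leading .*)."""
    selected = list(supported) if not include else [
        s for pat in include for s in supported if re.fullmatch(pat, s)]
    return [s for s in dict.fromkeys(selected)          # de-duplicate, keep order
            if not any(re.fullmatch(pat, s) for pat in exclude)]

def surviving_suites(xml_text=JETTY_SSL_XML, supported=SUPPORTED):
    return select_cipher_suites(supported,
                                patterns(xml_text, "IncludeCipherSuites"),
                                patterns(xml_text, "ExcludeCipherSuites"))

def dhe_suites(suites):
    """Finite-field DHE suites still offered: their DH group size comes from
    the JVM, not from this XML, which is what a Logjam finding points at."""
    return [s for s in suites if "_DHE_" in s]
```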
