Hi,

To piggyback onto what Joakim says, I would really recommend using a separate TLS termination point. It's much easier to maintain and patch as various vulnerabilities in the protocol are made public and fixed.

And as he says, *stay updated*. Both the server OS and any packages/programs listening on public-facing ports.

Best,
Zalan Meggyesi
Chief Support Engineer
Skawa Innovation Kft.
Phone: 0036704627005
Mobile: +36205146666

On Mon, Sep 23, 2019 at 2:28 PM Joakim Erdfelt <[email protected]> wrote:
> When it comes to running a server with TLS/SSL on the public internet, there is one fundamental truth.
>
> *You have to stay up to date.*
>
> Your use of Java 1.7 means you practically have no solution left for you.
>
> Why?
> You are doing the right thing by excluding the vulnerable protocols: SSL, SSLv2, SSLv3, TLSv1, and TLSv1.1.
> That assumes that you'll use TLSv1.2, but TLSv1.2 support in Java 1.7 was reserved for clients, not servers.
>
> Can you enable TLSv1.2 on Java 1.7 for servers?
> In some versions of Java 1.7 you can, but that support is very preliminary and has many known issues.
>
> If you absolutely must stick with Java 1.7 and Jetty 9.2.x, then consider putting a more up to date SSL offloader in front of your application. Some product like haproxy, nginx, etc... and keep that product up to date!
>
> Or, upgrade to Java 1.8 at a minimum, as that has the proper TLSv1.2 support you are needing.
>
> If you need TLSv1.3 you'll need to upgrade to Java 11 (11.0.4+ to have most of the TLSv1.3 support issues fixed).
>
> Joakim Erdfelt / [email protected]
>
> On Mon, Sep 23, 2019 at 5:52 AM RJC 2009 <[email protected]> wrote:
>> Hi,
>>
>> Please guide on how to properly deploy Diffie-Hellman on my server. I am using Jetty 9.2.9 with jdk1.7.
>>
>> This is my current configuration in jetty-ssl.xml, but the SSL scan report shows that “This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam)”:
>>
>>   <Set name="ExcludeCipherSuites">
>>     <Array type="String">
>>       <Item>.*NULL.*</Item>
>>       <Item>.*RC4.*</Item>
>>       <Item>.*MD5.*</Item>
>>       <Item>.*DES.*</Item>
>>       <Item>.*DSS.*</Item>
>>     </Array>
>>   </Set>
>>
>>   <!-- Enable Forward Secrecy Ciphers. Note: this replaces the default Include Cipher list -->
>>   <Set name="IncludeCipherSuites">
>>     <Array type="String">
>>       <Item>TLS_DHE_RSA.*</Item>
>>       <Item>TLS_ECDHE.*</Item>
>>     </Array>
>>   </Set>
>>
>>   <!-- Eliminate Insecure Protocols -->
>>   <Call name="addExcludeProtocols">
>>     <Arg>
>>       <Array type="java.lang.String">
>>         <Item>SSL</Item>
>>         <Item>SSLv2</Item>
>>         <Item>SSLv2Hello</Item>
>>         <Item>SSLv3</Item>
>>         <Item>TLSv1</Item>
>>         <Item>TLSv1.1</Item>
>>       </Array>
>>     </Arg>
>>   </Call>
>>
>> Regards
>> Rjc
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
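Joakim's suggestion of putting an up-to-date TLS offloader in front of Jetty, worked through as an added example that is not part of the thread or of the Jetty project: an nginx server block that terminates TLS with TLSv1.2/1.3 only and ECDHE-only key exchange (so no finite-field DH parameters, which is what a Logjam finding is about, are ever negotiated), then proxies plain HTTP to Jetty on loopback. The hostname example.com, the certificate paths under /etc/nginx/tls/, and the Jetty port 8080 are assumptions made for the example.

```nginx
# Added example (not from the thread): nginx as the TLS termination point in front of Jetty 9.2.
# Assumptions: Jetty's plain HTTP connector listens on 127.0.0.1:8080 only,
# certificate and key live under /etc/nginx/tls/, and the public name is example.com.

# Plain HTTP does nothing but redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.com.key.pem;

    # Same protocol policy as the Jetty config in the thread: nothing older than TLSv1.2.
    # TLSv1.3 requires nginx built against OpenSSL 1.1.1 or later; drop it if that is not the case.
    ssl_protocols TLSv1.2 TLSv1.3;

    # ECDHE only. With no DHE suites offered there are no finite-field DH parameters
    # for a Logjam-style check to flag, and forward secrecy is still provided.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    # X25519 needs OpenSSL 1.1.0+; on OpenSSL 1.0.2 use "secp384r1:prime256v1".
    ssl_ecdh_curve X25519:secp384r1:prime256v1;

    # Only if a legacy client forces you to keep DHE suites: generate 2048-bit parameters with
    #   openssl dhparam -out /etc/nginx/tls/dhparam.pem 2048
    # add DHE-RSA-AES128-GCM-SHA256 to ssl_ciphers, and enable them here.
    # ssl_dhparam /etc/nginx/tls/dhparam.pem;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        # Tell Jetty who the client was and that the original request was HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }
}
```

On the Jetty side, bind the plain HTTP connector to loopback (the jetty.host property in Jetty 9.2's start.ini) so only nginx can reach it, add ForwardedRequestCustomizer to the HttpConfiguration so the X-Forwarded-Proto header makes request.isSecure() and the URL scheme reflect https, and disable the SSL connector and jetty-ssl.xml altogether. If Jetty must keep terminating TLS on JDK 7 instead, the narrowest change to the posted include list is to remove the TLS_DHE_RSA.* item and keep only TLS_ECDHE.*, which stops Jetty from offering the DHE suites the Logjam finding refers to. Either way, verify from outside: "openssl s_client -connect example.com:443 -tls1_1" must fail to handshake, and "openssl s_client -connect example.com:443 -cipher DHE" must also fail, since the server no longer offers any DHE suite.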
