I just added the file <JETTY_BASE>/etc/tweak-ssl.xml to enable all the TLS
versions, as below:
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
          "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- Tweak SslContextFactory Includes / Excludes -->
<Configure id="sslContextFactory"
class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="IncludeProtocols">
        <Array type="String">
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
            <Item>TLSv1.2</Item>
            <Item>TLSv1.3</Item>
        </Array>
    </Set>
</Configure>

And I also changed <JETTY_BASE>/start.ini to have the lines below:
# ---------------------------------------
# Module: https
# Adds HTTPS protocol support to the TLS(SSL) Connector
# ---------------------------------------
--module=https
etc/tweak-ssl.xml

But my OpenSSL s_client still received the fatal alert protocol_version.
After turning on JSSE debug with the JDK system property
-Djavax.net.debug=all, I saw the exception below:
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.1 is
not enabled or supported in server context

I suppose JDK (using 11.0.5) doesn't disable TLSv1.1.
Could any other Jetty configuration affect this point?

On Thu, Feb 6, 2020 at 1:47 PM John Jiang <[email protected]> wrote:

> Hi,
> I'm using Jetty 10.0.0 alpha1.
>
> With my testing, it looks like TLSv1 and TLSv1.1 are disabled in this version.
> I used OpenSSL s_client to connect the Jetty server via TLS.
> If specified TLSv1.2 or TLSv1.3, the handshaking finished successfully.
> However, when TLSv1 or TLSv1.1 were specified, the handshaking failed.
>
> But with the server dump, it looked like the older TLS versions are enabled, as
> shown below:
> |  += SslConnectionFactory@4e50c791{SSL->alpn} - STARTED
> |  |  += Server@2826f61[provider=null,keyStore=file:///path/to/etc/keystore,trustStore=file:///path/to/etc/keystore] - STARTED
> |  |     +> trustAll=false
> |  |     +> Protocol Selections
> |  |     |  +> Enabled size=4
> |  |     |  |  +> TLSv1
> |  |     |  |  +> TLSv1.1
> |  |     |  |  +> TLSv1.2
> |  |     |  |  +> TLSv1.3
> |  |     |  +> Disabled size=2
> |  |     |     +> SSLv2Hello - ConfigExcluded:'SSLv2Hello' JVM:disabled
> |  |     |     +> SSLv3 - ConfigExcluded:'SSLv3' JVM:disabled
>
> What's something I missed?
> I didn't meet this problem with Jetty 9.4.
>
> Thanks!
>
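
A JVM-side check for the question raised in this message, whether the JDK itself disables TLSv1.1, added here as an example that is not part of the original message or of Jetty. It compares the four protocols from tweak-ssl.xml against the jdk.tls.disabledAlgorithms security property and the protocol lists of a server-mode SSLEngine from the default SSLContext; the class name JvmTlsProtocolCheck is hypothetical.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical class name; run it with the same JDK that runs Jetty.
public class JvmTlsProtocolCheck {

    // Split the comma-separated jdk.tls.disabledAlgorithms security property.
    static Set<String> jvmDisabled() {
        Set<String> out = new LinkedHashSet<>();
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (prop != null) {
            for (String entry : prop.split(",")) {
                out.add(entry.trim());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // The protocols listed under IncludeProtocols in tweak-ssl.xml.
        List<String> wanted = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");

        // Server-mode engine from the JDK default context, no Jetty involved.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(engine.getEnabledProtocols()));
        Set<String> disabled = jvmDisabled();

        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        for (String p : wanted) {
            System.out.printf("%-8s supported=%-5b enabledByDefault=%-5b jvmDisabled=%b%n",
                    p, supported.contains(p), enabled.contains(p), disabled.contains(p));
        }
    }
}
```

A protocol reported with jvmDisabled=true or supported=false is blocked at the JDK level regardless of what IncludeProtocols lists.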