I got it. The TLSv1 and TLSv1.1 cipher suites are disabled by default.
The below configuration is working for me.
<Configure id="sslContextFactory"
class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="IncludeProtocols">
        <Array type="String">
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
            <Item>TLSv1.2</Item>
            <Item>TLSv1.3</Item>
        </Array>
    </Set>
    <Set name="IncludeCipherSuites">
        <Array type="String">
            <Item>TLS_RSA.*</Item>
            <Item>TLS_DHE.*</Item>
            <Item>TLS_ECDHE.*</Item>
            <Item>TLS_AES.*</Item>
        </Array>
    </Set>
    <Set name="ExcludeCipherSuites">
        <Array type="String">
            <Item>TLS_ECDH_.*</Item>
        </Array>
    </Set>
</Configure>

On Thu, Feb 6, 2020 at 3:46 PM John Jiang <[email protected]> wrote:

> I just added file <JETTY_BASE>/etc/tweak-ssl.xml to enable all the TLS
> versions, like the below,
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>           "http://www.eclipse.org/jetty/configure_9_3.dtd">
> <!-- Tweak SsslContextFactory Includes / Excludes -->
> <Configure id="sslContextFactory"
> class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
>     <Set name="IncludeProtocols">
>         <Array type="String">
>             <Item>TLSv1</Item>
>             <Item>TLSv1.1</Item>
>             <Item>TLSv1.2</Item>
>             <Item>TLSv1.3</Item>
>         </Array>
>     </Set>
> </Configure>
>
> And also took <JETTY_BASE>/start.ini to have the below lines,
> # ---------------------------------------
> # Module: https
> # Adds HTTPS protocol support to the TLS(SSL) Connector
> # ---------------------------------------
> --module=https
> etc/tweak-ssl.xml
>
> But my OpenSSL s_client still received fatal alert protocol_version.
> After turning on JSSE debugging with the JDK system property
> -Djavax.net.debug=all, I saw the below exception,
> javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.1 is
> not enabled or supported in server context
>
> I suppose JDK (using 11.0.5) doesn't disable TLSv1.1.
> Could any other Jetty configuration affect this point?
>
> On Thu, Feb 6, 2020 at 1:47 PM John Jiang <[email protected]>
> wrote:
>
>> Hi,
>> I'm using Jetty 10.0.0 alpha1.
>>
>> With my testing, it looks like TLSv1 and TLSv1.1 are disabled in this version.
>> I used OpenSSL s_client to connect to the Jetty server via TLS.
>> If TLSv1.2 or TLSv1.3 was specified, the handshake finished successfully.
>> However, when TLSv1 or TLSv1.1 was specified, the handshake failed.
>>
>> But in the server dump, it looked like the older TLS versions are enabled,
>> as shown below,
>> |  += SslConnectionFactory@4e50c791{SSL->alpn} - STARTED
>> |  |  += Server@2826f61[provider=null,keyStore=file:///path/to/etc/keystore,trustStore=file:///path/to/etc/keystore] - STARTED
>> |  |     +> trustAll=false
>> |  |     +> Protocol Selections
>> |  |     |  +> Enabled size=4
>> |  |     |  |  +> TLSv1
>> |  |     |  |  +> TLSv1.1
>> |  |     |  |  +> TLSv1.2
>> |  |     |  |  +> TLSv1.3
>> |  |     |  +> Disabled size=2
>> |  |     |     +> SSLv2Hello - ConfigExcluded:'SSLv2Hello' JVM:disabled
>> |  |     |     +> SSLv3 - ConfigExcluded:'SSLv3' JVM:disabled
>>
>> Is there something I missed?
>> I didn't meet this problem with Jetty 9.4.
>>
>> Thanks!
>>
>
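An added example, not from this thread or from Jetty's code base: a small Python model of the include-then-exclude cipher suite selection that SslContextFactory performs, run with the patterns from the working tweak-ssl.xml at the top of the thread against a constructed subset of JDK 11 suites. It assumes Jetty's default ExcludeCipherSuites are the patterns listed in JETTY_DEFAULT_EXCLUDES (my reading of the defaults, not quoted in the thread) and shows why a version can stay in IncludeProtocols, appear as "Enabled" in the server dump, and still fail the handshake: every suite it could use has been excluded.

```python
import re

# Constructed subset of the cipher suites a JDK 11 JSSE provider reports as
# supported (illustrative, not a full list).
SUPPORTED_SUITES = [
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Jetty's default ExcludeCipherSuites as assumed here from SslContextFactory's
# defaults (not quoted in this thread).
JETTY_DEFAULT_EXCLUDES = ["^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_.*$",
                          "^.*_NULL_.*$", "^.*_anon_.*$"]
# Include/exclude patterns from the working tweak-ssl.xml in this thread.
THREAD_INCLUDES = ["TLS_RSA.*", "TLS_DHE.*", "TLS_ECDHE.*", "TLS_AES.*"]
THREAD_EXCLUDES = ["TLS_ECDH_.*"]
PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def select_cipher_suites(supported, includes, excludes):
    """Model of Jetty's selection: include patterns (full regex match, in
    order) pick from the supported list, then exclude patterns remove."""
    if includes:
        selected = []
        for pattern in includes:
            for suite in supported:
                if re.fullmatch(pattern, suite) and suite not in selected:
                    selected.append(suite)
    else:
        selected = list(supported)
    return [s for s in selected if not any(re.fullmatch(p, s) for p in excludes)]

def protocols_for(suite):
    """Approximate JSSE rule for which TLS versions can negotiate a suite."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return {"TLSv1.3"}
    if suite.endswith("_SHA"):        # SHA-1 HMAC CBC suites: TLS 1.0 to 1.2
        return {"TLSv1", "TLSv1.1", "TLSv1.2"}
    return {"TLSv1.2"}                # SHA-2 / AEAD suites: TLS 1.2 only

def protocols_without_suites(enabled_protocols, selected_suites):
    """Enabled versions left with no usable suite: a client offering only
    such a version is answered with a protocol_version alert."""
    usable = set()
    for suite in selected_suites:
        usable |= protocols_for(suite)
    return sorted(p for p in enabled_protocols if p not in usable)
```

With the default excludes the model leaves TLSv1 and TLSv1.1 without any suite, which matches the "not enabled or supported in server context" failure seen above; the thread's include list makes them negotiable again only by re-admitting the SHA-1 CBC and static-RSA suites the defaults had removed, which is the trade-off to weigh before shipping that configuration.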
_______________________________________________
jetty-users mailing list
[email protected]