I'm just a Jetty user, but if I were in charge, I would have disabled TLS 1
and 1.1 by default in the latest release because they are now officially
insecure.  Please see the SSL Labs announcement from 2018:
https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols

I spent a fair amount of time last quarter figuring out how to securely
support IE11/Win7 without TLS 1 and 1.1.  My notes are here:
https://github.com/GlenKPeterson/http2-server-jar-sample

Thank you, Jetty powers-that-be, for making what I consider to be a very
appropriate and timely decision about disabling insecure protocols.

On Thu, Feb 6, 2020 at 7:10 AM John Jiang <[email protected]> wrote:

> I got it. The TLSv1 and TLSv1.1 cipher suites are disabled by default.
> The below configuration is working for me.
> <Configure id="sslContextFactory"
> class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
>     <Set name="IncludeProtocols">
>         <Array type="String">
>             <Item>TLSv1</Item>
>             <Item>TLSv1.1</Item>
>             <Item>TLSv1.2</Item>
>             <Item>TLSv1.3</Item>
>         </Array>
>     </Set>
>     <Set name="IncludeCipherSuites">
>         <Array type="String">
>             <Item>TLS_RSA.*</Item>
>             <Item>TLS_DHE.*</Item>
>             <Item>TLS_ECDHE.*</Item>
>             <Item>TLS_AES.*</Item>
>         </Array>
>     </Set>
>     <Set name="ExcludeCipherSuites">
>         <Array type="String">
>             <Item>TLS_ECDH_.*</Item>
>         </Array>
>     </Set>
> </Configure>
>
> On Thu, Feb 6, 2020 at 3:46 PM John Jiang <[email protected]>
> wrote:
>
>> I just added file <JETTY_BASE>/etc/tweak-ssl.xml to enable all the TLS
>> versions, like the below,
>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>>           "http://www.eclipse.org/jetty/configure_9_3.dtd">
>> <!-- Tweak SslContextFactory Includes / Excludes -->
>> <Configure id="sslContextFactory"
>> class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
>>     <Set name="IncludeProtocols">
>>         <Array type="String">
>>             <Item>TLSv1</Item>
>>             <Item>TLSv1.1</Item>
>>             <Item>TLSv1.2</Item>
>>             <Item>TLSv1.3</Item>
>>         </Array>
>>     </Set>
>> </Configure>
>>
>> And also changed <JETTY_BASE>/start.ini to have the lines below,
>> # ---------------------------------------
>> # Module: https
>> # Adds HTTPS protocol support to the TLS(SSL) Connector
>> # ---------------------------------------
>> --module=https
>> etc/tweak-ssl.xml
>>
>> But my OpenSSL s_client still received fatal alert protocol_version.
>> After turning on JSSE debugging with the JDK system property
>> -Djavax.net.debug=all, I saw the exception below,
>> javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.1 is
>> not enabled or supported in server context
>>
>> I suppose JDK (using 11.0.5) doesn't disable TLSv1.1.
>> Could any other Jetty configuration affect this point?
>>
>> On Thu, Feb 6, 2020 at 1:47 PM John Jiang <[email protected]>
>> wrote:
>>
>>> Hi,
>>> I'm using Jetty 10.0.0 alpha1.
>>>
>>> With my testing, it looks like TLSv1 and TLSv1.1 are disabled in this version.
>>> I used OpenSSL s_client to connect to the Jetty server via TLS.
>>> If I specified TLSv1.2 or TLSv1.3, the handshake finished successfully.
>>> However, when TLSv1 or TLSv1.1 were specified, the handshake failed.
>>>
>>> But in the server dump, it looked like the older TLS versions are enabled,
>>> as shown below,
>>> |  += SslConnectionFactory@4e50c791{SSL->alpn} - STARTED
>>> |  |  += Server@2826f61[provider=null,keyStore=file:///path/to/etc/keystore,trustStore=file:///path/to/etc/keystore] - STARTED
>>> |  |     +> trustAll=false
>>> |  |     +> Protocol Selections
>>> |  |     |  +> Enabled size=4
>>> |  |     |  |  +> TLSv1
>>> |  |     |  |  +> TLSv1.1
>>> |  |     |  |  +> TLSv1.2
>>> |  |     |  |  +> TLSv1.3
>>> |  |     |  +> Disabled size=2
>>> |  |     |     +> SSLv2Hello - ConfigExcluded:'SSLv2Hello' JVM:disabled
>>> |  |     |     +> SSLv3 - ConfigExcluded:'SSLv3' JVM:disabled
>>>
>>> What did I miss?
>>> I didn't run into this problem with Jetty 9.4.
>>>
>>> Thanks!
>>>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users



-- 
Glen K. Peterson
(828) 393-0081
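The point John's thread lands on, that Jetty's cipher-suite include/exclude filtering, not IncludeProtocols, is what actually decides whether a TLS 1.0/1.1 handshake can complete, can be checked with a small simulation. This is an added example of mine, not Jetty code and not from anyone in the thread: it re-implements the general selection rule (includes matched as whole-name regexes in pattern order, then excludes), runs it over a constructed list of JSSE suite names, and compares Jetty's default exclude patterns (quoted from memory of Jetty 9.4/10, so treat them as an assumption and confirm with your own server dump) against the include/exclude lists posted above.

```python
import re

# Constructed sample of JSSE cipher-suite names (a real JDK 11 server offers many more).
JDK_SUITES = [
    "TLS_AES_256_GCM_SHA384",                  # TLS 1.3 only
    "TLS_AES_128_GCM_SHA256",                  # TLS 1.3 only
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   # TLS 1.2 only (AEAD)
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",      # usable by TLS 1.0/1.1 (SHA-1 MAC)
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",        # usable by TLS 1.0/1.1
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # usable by TLS 1.0/1.1, no forward secrecy
    "TLS_RSA_WITH_AES_128_GCM_SHA256",         # TLS 1.2, no forward secrecy
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",     # static ECDH
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",           # SSLv3-era name
]

# Assumed: Jetty 9.4/10 SslContextFactory default ExcludeCipherSuites, written from
# memory; verify against the Jetty version you run (the server dump lists them).
JETTY_DEFAULT_EXCLUDES = [
    "^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_.*$", "^.*_NULL_.*$", "^.*_anon_.*$",
]

def select_cipher_suites(supported, includes, excludes):
    """Mimic Jetty's selection: include patterns (Java regex, whole-name match, kept
    in pattern order; an empty list means 'everything supported'), then excludes."""
    if includes:
        selected = []
        for pattern in includes:
            for suite in supported:
                if re.fullmatch(pattern, suite) and suite not in selected:
                    selected.append(suite)
    else:
        selected = list(supported)
    return [s for s in selected if not any(re.fullmatch(p, s) for p in excludes)]

def legacy_capable(suites):
    """Suites a TLS 1.0/1.1 client could negotiate: the SHA-1 MAC ones (name ends
    in _SHA). If none survive, listing TLSv1/TLSv1.1 in IncludeProtocols is moot."""
    return [s for s in suites if s.endswith("_SHA")]

def compare():
    """Jetty defaults (no includes) versus the include/exclude lists from the thread."""
    with_defaults = select_cipher_suites(JDK_SUITES, [], JETTY_DEFAULT_EXCLUDES)
    from_thread = select_cipher_suites(
        JDK_SUITES, ["TLS_RSA.*", "TLS_DHE.*", "TLS_ECDHE.*", "TLS_AES.*"], ["TLS_ECDH_.*"])
    return with_defaults, from_thread

if __name__ == "__main__":
    for label, suites in zip(("jetty defaults", "thread config"), compare()):
        print(f"{label}: {len(suites)} suites; TLS 1.0/1.1-capable: {legacy_capable(suites)}")
```

With the assumed defaults every SHA-1 MAC suite is dropped, so a TLSv1.1 ClientHello has nothing to negotiate even though the dump shows the protocol as enabled; the thread's config re-admits those suites (and, since Set replaces the exclude list, also the non-forward-secret TLS_RSA ones).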