
Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310

FYI. 
I found the problem was NOT with Jetty, but rather with the new JRE I'm using.
In Java1.8_u31, SSLv3 is disabled. 
You can see this in:
	jre/lib/security/java.security - jdk.tls.disabledAlgorithms=SSLv3

When I deleted that property and restarted my application, Jetty was able to use SSLv3.

-----Original Message-----
From: jetty-users-bounces@xxxxxxxxxxx [mailto:jetty-users-bounces@xxxxxxxxxxx] On Behalf Of jetty-users-request@xxxxxxxxxxx
Sent: Thursday, April 09, 2015 10:00 AM
To: jetty-users@xxxxxxxxxxx
Subject: jetty-users Digest, Vol 71, Issue 6

Today's Topics:

   1. Can't enable SSLv3 in 9.2.10.v20150310
      (Grimm, Michael J (HPCS-R&D))
   2. Re: Can't enable SSLv3 in 9.2.10.v20150310 (Lothar Kimmeringer)
   3. Re: Can't enable SSLv3 in 9.2.10.v20150310
      (Grimm, Michael J (HPCS-R&D))
   4. Re: Can't enable SSLv3 in 9.2.10.v20150310 (Simone Bordet)

----------------------------------------------------------------------

Message: 1
Date: Wed, 8 Apr 2015 18:06:00 +0000
From: "Grimm, Michael J (HPCS-R&D)" <grimm@xxxxxx>
To: "jetty-users@xxxxxxxxxxx" <jetty-users@xxxxxxxxxxx>
Subject: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
Message-ID:
	<41551CEE2042A8479E4048BE0E3B7A85A2B4495A@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
	
Content-Type: text/plain; charset="us-ascii"

Hi guys,
I'm using jetty in an embedded application.
Jetty 9.2.10 has SSLv3 disabled by default.

I create an sslContextFactory and set the appropriate properties:

sslContextFactory.setIncludeProtocols("SSLv3", "TLSv1", "TLSv1.2", "TLSv1.1");

I then use the sslContextFactory in the connectionFactory:

SslContextFactory sslContextFactory = createSslContextFactory(); // set all sslContextFactory props here
HttpConfiguration https_config = new HttpConfiguration();
https_config.addCustomizer(new SecureRequestCustomizer());
SslConnectionFactory sslConnFact = new SslConnectionFactory(sslContextFactory, "http/1.1");
ServerConnector https = new ServerConnector(jetty, sslConnFact, new HttpConnectionFactory(https_config));
jetty.addConnector(https);
jetty.start();

Unfortunately, when I test the jetty server with TestSSLServer.jar (which I found online), the output does NOT list SSLv3!

D:\temp> java -jar TestSSLServer.jar localhost 7906
Supported versions: TLSv1.0 TLSv1.1 TLSv1.2

If I only "include" SSLv3, the JettyServer will refuse to negotiate any connections:
sslContextFactory.setIncludeProtocols("SSLv3");

If I only "include" TLSv1, TestSSLServer.jar shows "Supported versions: TLSv1.0":
sslContextFactory.setIncludeProtocols("TLSv1");


NOTE: before upgrading to 9.2.10, I used 9.2.3 (which had SSLv3 enabled).
Using the same code above, I was able to enable or disable SSLv3 by also setting:
sslContextFactory.setExcludeProtocols("SSLv3");

So, my question is: How do I re-enable SSLv3?

------------------------------

Message: 2
Date: Wed, 08 Apr 2015 21:07:06 +0200
From: Lothar Kimmeringer <job@xxxxxxxxxxxxxx>
To: jetty-users@xxxxxxxxxxx
Subject: Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
Message-ID: <55257C5A.6040407@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=windows-1252

Am 08.04.2015 um 20:06 schrieb Grimm, Michael J (HPCS-R&D):

> *NOTE*: before upgrading to 9.2.10, I used *9.2.3* (which had SSLv3 enabled).
> Using the same code above, I was able to enable or disable SSLv3 by also setting:
> sslContextFactory.setExcludeProtocols("SSLv3");
>  
> So, my question is: How do I re-enable SSLv3?

Since SSLv3 is inherently insecure and shouldn't be used at all, you can switch back to Jetty 9.2.3 to get back that particular functionality for the test setup you are obviously talking about.
IOW: Why do you want to use SSLv3? It's insecure and not much better than using no SSL at all (making it at least obvious for the other side that the data communication is not secure).

Cheers, Lothar

------------------------------
Message: 3
Date: Thu, 9 Apr 2015 14:11:43 +0000
From: "Grimm, Michael J (HPCS-R&D)" <grimm@xxxxxx>
To: "jetty-users@xxxxxxxxxxx" <jetty-users@xxxxxxxxxxx>
Subject: Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
Message-ID:
	<41551CEE2042A8479E4048BE0E3B7A85A2B44C1D@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
	
Content-Type: text/plain; charset="us-ascii"

Unfortunately, some of our customers have older devices that don't support the TLS protocols. Our plan was to ship our product with SSLv3 disabled - and allow customers to re-enable SSLv3 if they need to.
I hope I don't have to revert to 9.2.3 because (from what I've read) it's one of the more buggy releases.

Thanks
Mike
------------------------------

Message: 4
Date: Thu, 9 Apr 2015 16:42:48 +0200
From: Simone Bordet <sbordet@xxxxxxxxxxx>
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Subject: Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
Message-ID:
	<CAFWmRJ1rFiM02eMaXiCqG+CeVcf7Fy72rP8itcwnfCu=wNQq7g@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8

Hi,

On Wed, Apr 8, 2015 at 8:06 PM, Grimm, Michael J (HPCS-R&D) <grimm@xxxxxx> wrote:
> So, my question is: How do I re-enable SSLv3?

Excluded protocols have precedence over included protocols.
Given discovered vulnerabilities of SSLv3, we have excluded it by default.

To force it back, you can do this:

SslContextFactory ssl = new SslContextFactory();
ssl.setExcludeProtocols("SSL", "SSLv2", "SSLv2Hello");

Now you should have SSLv3 enabled back, because it's not explicitly excluded.

--
Simone Bordet
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

End of jetty-users Digest, Vol 71, Issue 6
******************************************
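The thread exposes two independent filters that both have to let SSLv3 through: Jetty's own include/exclude selection (Simone's point that exclusion wins over inclusion) and the JRE's jdk.tls.disabledAlgorithms property (the finding in the top message). The following is an added example written for this page; it is not Jetty code, not TestSSLServer, and not anything posted by the participants. It models both filters so the three configurations discussed in the thread can be compared side by side. The java.security fragment is constructed, and the JRE_SUPPORTED and JETTY_DEFAULT_EXCLUDES lists are assumptions taken from the thread rather than read from a real installation.

```python
"""Model of the two layers that decide whether a Jetty 9.2 connector can
offer SSLv3: Jetty's include/exclude selection and the JRE's
jdk.tls.disabledAlgorithms property.

Added example for this thread; it is not Jetty code and opens no sockets.
JAVA_SECURITY_SAMPLE is a constructed fragment, and JRE_SUPPORTED and
JETTY_DEFAULT_EXCLUDES are assumptions taken from the thread.
"""

# Constructed fragment in the style of jre/lib/security/java.security
# (assumption: '#' comments and '\' line continuations, as in Properties files).
JAVA_SECURITY_SAMPLE = """\
# Algorithm restrictions for SSL/TLS processing
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 768
jdk.certpath.disabledAlgorithms=MD2
"""

# Protocol names a Java 8 SSLEngine reports as supported (assumption).
JRE_SUPPORTED = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Jetty 9.2.10 default excludeProtocols; SSLv3 is the entry 9.2.10 added.
JETTY_DEFAULT_EXCLUDES = ("SSL", "SSLv2", "SSLv2Hello", "SSLv3")

# What the original poster asked Jetty to include.
OP_INCLUDES = ("SSLv3", "TLSv1", "TLSv1.2", "TLSv1.1")

# Simone's suggestion: keep every default exclusion except SSLv3.
RELAXED_EXCLUDES = ("SSL", "SSLv2", "SSLv2Hello")


def parse_java_security(text):
    """Return {key: value} for a java.security-style text.

    Skips comment and blank lines and joins backslash-continued lines;
    values are returned as raw strings.
    """
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        logical = ("".join(pending) + line).strip()
        pending = []
        if not logical or logical.startswith("#"):
            continue
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def disabled_tls_algorithms(text):
    """Comma-separated entries of jdk.tls.disabledAlgorithms, stripped."""
    value = parse_java_security(text).get("jdk.tls.disabledAlgorithms", "")
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def select_protocols(include, exclude, supported=JRE_SUPPORTED):
    """Jetty-style selection.

    Start from the included protocols if any were set, otherwise from
    everything the JRE supports, then drop the excluded ones.  Exclusion
    wins, so including SSLv3 while it is still excluded does nothing.
    """
    start = include if include else supported
    chosen = [p for p in start if p in supported]
    return [p for p in chosen if p not in exclude]


def effective_protocols(include, exclude, java_security=JAVA_SECURITY_SAMPLE):
    """Protocols that can really be negotiated: Jetty's selection minus
    whatever the JRE disabled (simplified model of JSSE's behaviour)."""
    jre_disabled = set(disabled_tls_algorithms(java_security))
    return [p for p in select_protocols(include, exclude) if p not in jre_disabled]


def explain(include, exclude, java_security=JAVA_SECURITY_SAMPLE):
    """One-line verdict on SSLv3 for a given configuration."""
    jetty = select_protocols(include, exclude)
    final = effective_protocols(include, exclude, java_security)
    if "SSLv3" in final:
        return "SSLv3 offered"
    if "SSLv3" in jetty:
        return "SSLv3 passed Jetty but is disabled by jdk.tls.disabledAlgorithms"
    return "SSLv3 removed by Jetty's excludeProtocols"


if __name__ == "__main__":
    print("OP's config:    ", explain(OP_INCLUDES, JETTY_DEFAULT_EXCLUDES))
    print("Simone's fix:   ", explain(OP_INCLUDES, RELAXED_EXCLUDES))
    permissive = JAVA_SECURITY_SAMPLE.replace("SSLv3, ", "")
    print("plus edited JRE:", explain(OP_INCLUDES, RELAXED_EXCLUDES, permissive))
```

Run as a script it prints the verdict for the three configurations in the thread: the poster's include list under Jetty's 9.2.10 defaults (SSLv3 dropped by Jetty, matching the TestSSLServer output of TLSv1.0 to 1.2), Simone's relaxed exclude list on a JRE that still disables SSLv3 (Jetty lets it through, the JRE does not), and the same Jetty settings after SSLv3 is removed from jdk.tls.disabledAlgorithms. The model treats a JRE-disabled protocol as simply absent and does not reproduce JSSE's exact error behaviour, so the real server should still be probed, as the poster did with TestSSLServer, after any change. None of this alters Lothar's point: both filters exist because SSLv3 is not safe to offer, and the example is a way to see why a partial override has no visible effect, not a recommendation to complete it.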

