[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
[jetty-users] Enable SSLv3 in 9.2.10.v20150310
|
Hi,
i hope you have really good reasons to enable SSLv3 the protocol is broken,
this is the reason that it is disabled in new JRE Version.
1) RC4 is broken and obsoleted by an RFC
2) CBC if also broken
3) GCM is not available in SSLv3 and SSLv3 does not have padding
constraints.
So SSLv3 should only enable for protocol testing but NEVER for securing
data.
Gruß Thomas
----------------------------------------------------------------------
Message: 1
Date: Thu, 9 Apr 2015 16:19:25 +0000
From: "Grimm, Michael J (HPCS-R&D)" <grimm@xxxxxx>
To: "jetty-users@xxxxxxxxxxx" <jetty-users@xxxxxxxxxxx>
Subject: Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
Message-ID:
<41551CEE2042A8479E4048BE0E3B7A85A2B44CD9@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"
FYI.
I found the problem was NOT with Jetty, but rather with the new JRE I'm using.
In Java1.8_u31, SSLv3 is disabled.
You can see this in:
jre/lib/security/java.security - jdk.tls.disabledAlgorithms=SSLv3
When I deleted that property and restarted my application, Jetty was able to use SSLv3.
