Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] How to influence the "preferred cip

Hi,

On Tue, Oct 6, 2015 at 1:20 PM, Silvio Bierman
<sbierman@xxxxxxxxxxxxxxxxxx> wrote:
> Hallo all,
>
> I have an embedded Jetty 9.3 server instance and am trying to control the
> ciphers it supports via a number of call to
> SslContextFactory.addExcludeCipherSuites. I have found a combination of
> excludes that leaves the set of ciphers I need. Among the remaining
> supported ciphers I have TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.
>
> When I use sslscan from the Linux command line it reports that the latter is
> the "preferrred server cipher". When I connect to the server with Chromium
> it also selects this cipher and reports "obsolete encryption". If I disable
> this cipher Chrome selects the first one and does not complain about
> obsolete encryption. But without the latter cipher there are too many
> (older) browsers that can not establish an SSL connection.
>
> How can I influence what clients conceive as being a preference for specific
> ciphers over other ones?

Tricky, if at all possible.

The TLS negotiation happens way before any server-side application can
know what kind of client is connecting (e.g. via User-Agent string).

Typically ordering by strength descending does the job, since older
clients will not negotiate the stronger ones.

SslContextFactory can be fed with a comparator that is used to sort the ciphers.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.


Back to the top