Re: [jetty-users] How to influence the "preferred cip

Hello Simone,

I tried the comparator approach, but although the comparator was called multiple times (most likely as part of some sorting activity), I could not get the result I wanted.

I resorted to calling setIncludeCipherSuites with an explicit list of ciphers in the right order and that seemed to do the trick: I can still handle the old browsers using slightly weaker ciphers and at the same time newer browsers (including Chromium) see the stronger ciphers.

For those interested: I used the following set (pardon the Scala syntax)

val ciphers = Array("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA")

sslContextFactory.setIncludeCipherSuites(ciphers:_*)

Cheers,

Silvio


On 10/08/2015 06:48 PM, Simone Bordet wrote:
Hi,

On Tue, Oct 6, 2015 at 1:20 PM, Silvio Bierman
<sbierman@xxxxxxxxxxxxxxxxxx> wrote:
Hallo all,

I have an embedded Jetty 9.3 server instance and am trying to control the
ciphers it supports via a number of calls to
SslContextFactory.addExcludeCipherSuites. I have found a combination of
excludes that leaves the set of ciphers I need. Among the remaining
supported ciphers I have TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

When I use sslscan from the Linux command line it reports that the latter is
the "preferred server cipher". When I connect to the server with Chromium
it also selects this cipher and reports "obsolete encryption". If I disable
this cipher Chrome selects the first one and does not complain about
obsolete encryption. But without the latter cipher there are too many
(older) browsers that can not establish an SSL connection.

How can I influence what clients conceive as being a preference for specific
ciphers over other ones?
Tricky, if at all possible.

The TLS negotiation happens way before any server-side application can
know what kind of client is connecting (e.g. via User-Agent string).

Typically ordering by strength descending does the job, since older
clients will not negotiate the stronger ones.

SslContextFactory can be fed with a comparator that is used to sort the ciphers.
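
The ordered-list approach from this thread, as an added example that is not part of the original messages and not Jetty's own code: it uses the JDK's JSSE API directly (Java 8 or later) instead of SslContextFactory, filters a preference list down to the suites the JVM supports while keeping the order, and asks the engine to honor the server's order. The class name CipherOrderExample and the shortened list are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical class name; illustration only.
public class CipherOrderExample {
    // Preference order copied (shortened) from the list posted in the message above.
    static final String[] PREFERRED = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA"
    };

    // Keep only the suites this JVM supports, preserving the preferred order.
    // The JSSE engine can reject unsupported names with IllegalArgumentException.
    static String[] orderedSupported(String[] preferred, String[] supported) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> result = new ArrayList<>();
        for (String suite : preferred) {
            if (available.contains(suite) && !result.contains(suite)) {
                result.add(suite);
            }
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // configure the server side of the handshake

        String[] suites = orderedSupported(PREFERRED, engine.getSupportedCipherSuites());
        if (suites.length == 0) {
            throw new IllegalStateException("none of the preferred suites is supported");
        }
        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(suites);
        // Prefer the server's own order over the order the client offers.
        params.setUseCipherSuitesOrder(true);
        engine.setSSLParameters(params);

        // Print the effective list so it can be compared with what sslscan reports.
        for (String s : engine.getEnabledCipherSuites()) {
            System.out.println(s);
        }
    }
}
```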



