Re: [jetty-users] How to influence the "preferred cip

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] How to influence the "preferred cip

From: Marvin Addison <marvin.addison@xxxxxxxxx>
Date: Mon, 12 Oct 2015 14:56:08 +0000
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

I resorted to calling setIncludeCipherSuites with an explicit list of
ciphers in the right order and that seemed to do the trick: I can still
handle the old browsers using slightly weaker ciphers and at the same
time newer browsers (including Chromium) see the stronger ciphers.

I would recommend setting useCipherSuitesOrder=true on your SSLContextFactory. That's really the only way to force compliant clients to use the ciphers in the order you provided them in the ServerHello message. Most SSL scanning tools will ding you without that flag since otherwise the client is free to choose _any_ of ciphers you offer.

Marvin

Follow-Ups:
- Re: [jetty-users] How to influence the "preferred cip
  - From: Silvio Bierman

References:
- [jetty-users] How to influence the "preferred cip
  - From: Silvio Bierman
- Re: [jetty-users] How to influence the "preferred cip
  - From: Simone Bordet
- Re: [jetty-users] How to influence the "preferred cip
  - From: Silvio Bierman

Prev by Date: Re: [jetty-users] How to influence the "preferred cip
Next by Date: Re: [jetty-users] How to influence the "preferred cip
Previous by thread: Re: [jetty-users] How to influence the "preferred cip
Next by thread: Re: [jetty-users] How to influence the "preferred cip
Index(es):
- Date
- Thread

Breadcrumbs