[jetty-users] Website works but SSL Labs is reporting vulnerabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-users] Website works but SSL Labs is reporting vulnerabilities

From: Steve Sobol - Lobos Studios <steve@xxxxxxxxxxxxxxxx>
Date: Thu, 21 Apr 2016 10:28:56 -0700
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0

Jetty 9.3.3.v20150827

I have two problems the Qualys SSL Test is reporting with one of myJetty-hosted websites and I'm not sure how to fix them.

Both are preventing this website from getting an "A" rating. I'm at a"B" now.

First: "This server supports weak Diffie-Hellman (DH) key exchangeparameters."There were a half-dozen weak ciphers I was able to disable. Only one isstill being reported active:

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

But I am doing this:
<?xml version="1.0"?>

<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN""http://www.eclipse.org/jetty/configure_9_3.dtd";>


<!-- ============================================================= -->
<!-- SSL ContextFactory configuration                              -->
<!-- ============================================================= -->

<Configure id="sslContextFactory"class="org.eclipse.jetty.util.ssl.SslContextFactory"><Set name="KeyStorePath"><Property name="jetty.base" default="."/>/path/to/keystore.jks</Set>

  <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>

<Set name="TrustStorePath"><Property name="jetty.base" default="."/>/path/to/keystore.jks</Set>

  <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
  <Set name="NeedClientAuth">false</Set>
  <Set name="WantClientAuth">false</Set>
  <Set name="ExcludeCipherSuites">
  <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
  </Array>
  </Set>

<Set name="useCipherSuitesOrder"><Propertyname="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>

</Configure>

I specifically exclude the cipher SSL Labs is complaining about.

The other problem: The SSL Labs test says that my certificate chain isincomplete. But I have the Comodo certificate for the website in theserver's keystore, and I have all three intermediate certificates in thetruststore.


Any ideas?

Thanks.




--
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx

Follow-Ups:
- Re: [jetty-users] Website works but SSL Labs is reporting vulnerabilities
  - From: Joakim Erdfelt
- Re: [jetty-users] Website works but SSL Labs is reporting vulnerabilities
  - From: Joakim Erdfelt

Prev by Date: Re: [jetty-users] Setting up basic server problem
Next by Date: Re: [jetty-users] Website works but SSL Labs is reporting vulnerabilities
Previous by thread: [jetty-users] NestedConnector in Jetty 9?
Next by thread: Re: [jetty-users] Website works but SSL Labs is reporting vulnerabilities
Index(es):
- Date
- Thread

Breadcrumbs