Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Website works but SSL Labs is reporting vulnerabilities

Oddly enough, SSLContextFactory doesn't have an addIncludeCipherSuites() method. I'm going to revert to 9.3.3 for now, until one of us comes up with an answer. Mine, if I was creating the server instance programmatically, would be to get the list of included ciphers, add those two, and call setIncludeCipherSuites(), but I'm not sure how to translate that to an XML config.


On 4/21/2016 4:55 PM, Joakim Erdfelt wrote:
These 2 should not have been excluded by Jetty, and should be the ones in common for IE 8-10

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy256

Those are listed as a supported cipher suite for Java 7 and Java 8


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Apr 21, 2016 at 4:15 PM, Greg Wilkins <gregw@xxxxxxxxxxx> wrote:
Steve,

running stock jetty-9.3 in latest java8 gives me the following
protocols and ciphers:

[TLSv1, TLSv1.1, TLSv1.2]
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV


Following the link on ssllabs shows that IE 8-10 will only speak
SSL3.0 or TLS1.0.... so TLS1.0 it will have to be.  It has the
following ciphers:

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256
TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy2128
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)   Forward Secrecy2256
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)   Forward Secrecy2112
TLS_RSA_WITH_RC4_128_MD5 (0x4)   WEAK


So there are indeed no ciphers in common!

You would think that TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256  should be
acceptable to the server as it does accept
TLS_RSA_WITH_AES_128_CBC_SHA256 ?

Let me investigate why that is not being offered....






On 22 April 2016 at 07:47, Steve Sobol - Lobos Studios
<steve@xxxxxxxxxxxxxxxx> wrote:
> Ok. This is not cool. After the upgrade to 9.3.8 and a modification of my
> SSLContextFactory
>
> <?xml version="1.0"?>
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>
> <!-- ============================================================= -->
> <!-- SSL ContextFactory configuration                              -->
> <!-- ============================================================= -->
> <Configure id="sslContextFactory"
> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>   <Set name="KeyStorePath"><Property name="jetty.base" default="."
> />/keystores/www6-production-keystore.jks</Set>
>   <Set
> name="KeyStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
>   <Set name="TrustStorePath"><Property name="jetty.base" default="."
> />/keystores/truststore.jks</Set>
>   <Set
> name="TrustStorePassword">OBF:1m0j1zt11xtv1v9s1wfw1n4j1n6z1wg21v8u1xtn1zsp1lxn</Set>
>   <Set name="NeedClientAuth">false</Set>
>   <Set name="WantClientAuth">false</Set>
>   <Call name="addExcludeCipherSuites">
>     <Arg>
>       <Array type="String">
>         <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 </Item>
>         <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
>       </Array>
>     </Arg>
>   </Call>
>   <Set name="useCipherSuitesOrder"><Property
> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
> </Configure>
>
> the weak cipher warnings are all gone, but the server only speaks TLS 1.2
> now, and a the test's simulated IE 10 connection is failing. I'm OK not
> supporting Android browsers prior to 4.4; they're old. I'm fine not
> supporting IE 6, 7, 8 and Safari browsers that are three versions older than
> the current version (those tests all failed). But I need to support IE 9, 10
> and 11.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=admin.bamidbarconnect.com
>
> Also, does ANYONE know how to fix the allegedly broken certificate chain?
>
> Thanks
>
>
>
> On 4/21/2016 12:59 PM, Steve Sobol - Lobos Studios wrote:
>
> So in the future, if I need to update the list and am not able to
> immediately upgrade Jetty for whatever reason, I'm thinking I should use
>
> addExcludeCipherSuites()
>
> instead, yes?
>
>
> On 4/21/2016 12:57 PM, Joakim Erdfelt wrote:
>
> When you used <Set name="ExcludeCipherSuites">
>
> You undid the existing exclusions in Jetty 9.3.3
>
> https://github.com/eclipse/jetty.project/blob/jetty-9.3.3.v20150827/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L259
>
>     public SslContextFactory(boolean trustAll)
>     {
>         setTrustAll(trustAll);
>         addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
>         setExcludeCipherSuites(
>                 "SSL_RSA_WITH_DES_CBC_SHA",
>                 "SSL_DHE_RSA_WITH_DES_CBC_SHA",
>                 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
>                 "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
>                 "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
>                 "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
>                 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
>    }
>
> If you use Jetty 9.3.8, you'll find the exclusion list is more strict ...
>
> https://github.com/eclipse/jetty.project/blob/jetty-9.3.8.v20160314/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L255
>
>     public SslContextFactory(boolean trustAll)
>     {
>         setTrustAll(trustAll);
>         addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
>         setExcludeCipherSuites(
>                 "^.*_RSA_.*_(MD5|SHA|SHA1)$",
>                 "SSL_DHE_DSS_WITH_DES_CBC_SHA",
>                 "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
>     }
>
>
> Joakim Erdfelt / joakim@xxxxxxxxxxx
>
> On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios
> <steve@xxxxxxxxxxxxxxxx> wrote:
>>
>> Jetty 9.3.3.v20150827
>>
>> I have two problems the Qualys SSL Test is reporting with one of my
>> Jetty-hosted websites and I'm not sure how to fix them.
>>
>> Both are preventing this website from getting an "A" rating. I'm at a "B"
>> now.
>>
>> First: "This server supports weak Diffie-Hellman (DH) key exchange
>> parameters."
>> There were a half-dozen weak ciphers I was able to disable. Only one is
>> still being reported active:
>> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>>
>> But I am doing this:
>> <?xml version="1.0"?>
>> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
>> "http://www.eclipse.org/jetty/configure_9_3.dtd">
>>
>> <!-- ============================================================= -->
>> <!-- SSL ContextFactory configuration                              -->
>> <!-- ============================================================= -->
>> <Configure id="sslContextFactory"
>> class="org.eclipse.jetty.util.ssl.SslContextFactory">
>>   <Set name="KeyStorePath"><Property name="jetty.base" default="."
>> />/path/to/keystore.jks</Set>
>>   <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
>>   <Set name="TrustStorePath"><Property name="jetty.base" default="."
>> />/path/to/keystore.jks</Set>
>>   <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
>>   <Set name="NeedClientAuth">false</Set>
>>   <Set name="WantClientAuth">false</Set>
>>   <Set name="ExcludeCipherSuites">
>>   <Array type="String">
>>     <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
>>     <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
>>     <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
>>     <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
>>     <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>>     <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>>     <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
>>     <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
>>     <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
>>     <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
>>     <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
>>   </Array>
>>   </Set>
>>   <Set name="useCipherSuitesOrder"><Property
>> name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
>> </Configure>
>>
>> I specifically exclude the cipher SSL Labs is complaining about.
>>
>> The other problem: The SSL Labs test says that my certificate chain is
>> incomplete. But I have the Comodo certificate for the website in the
>> server's keystore, and I have all three intermediate certificates in the
>> truststore.
>>
>> Any ideas?
>>
>> Thanks.
>>
>>
>>
>>
>> --
>> Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com |
>> Facebook.com/LobosStudios | @LobosStudios
>> Web Development - Mobile Development - Helpdesk/Tech Support - Computer
>> Sales & Service
>> Acer Authorized Reseller - Computers, Windows and Android Tablets,
>> Accessories
>>
>> Steve Sobol - CEO, Senior Developer and Server Jockey
>> steve@xxxxxxxxxxxxxxxx
>>
>> _______________________________________________
>> jetty-users mailing list
>> jetty-users@xxxxxxxxxxx
>> To change your delivery options, retrieve your password, or unsubscribe
>> from this list, visit
>> https://dev.eclipse.org/mailman/listinfo/jetty-users
>
>
>
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>
>
> --
> Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com |
> Facebook.com/LobosStudios | @LobosStudios
> Web Development - Mobile Development - Helpdesk/Tech Support - Computer
> Sales & Service
> Acer Authorized Reseller - Computers, Windows and Android Tablets,
> Accessories
>
> Steve Sobol - CEO, Senior Developer and Server Jockey
> steve@xxxxxxxxxxxxxxxx
>
>
> --
> Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com |
> Facebook.com/LobosStudios | @LobosStudios
> Web Development - Mobile Development - Helpdesk/Tech Support - Computer
> Sales & Service
> Acer Authorized Reseller - Computers, Windows and Android Tablets,
> Accessories
>
> Steve Sobol - CEO, Senior Developer and Server Jockey
> steve@xxxxxxxxxxxxxxxx
>
>
> _______________________________________________
> jetty-users mailing list
> jetty-users@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users



--
Greg Wilkins <gregw@xxxxxxxxxxx> CTO http://webtide.com
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

-- 
Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

Steve Sobol - CEO, Senior Developer and Server Jockey
steve@xxxxxxxxxxxxxxxx

Back to the top