Re: [jetty-users] keystore

Also, with the IBM JVM you might have to configure the following on the Jetty side ...

SslContextFactory ...

.setProtocol(String protocol) - this defaults to "TLS" (the OpenJDK official name); yours is likely different (based on my reading of the IBM JVM documentation).
.setProvider(String provider) - this defaults to "" (unset), as we use the default provider, but your IBM JVM seems to want to do things "the IBM way", not "the standard way".

As a last resort, you might need to create the javax.net.ssl.SSLContext manually, the IBM way, and give it to the Jetty-side SslContextFactory.setSslContext(SSLContext context).


Joakim Erdfelt / joakim@xxxxxxxxxxx
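Added example, not code from this thread or from the Jetty project: it puts the three knobs above (setProtocol, setProvider, and the setSslContext fallback) together with cipher-suite patterns that tolerate the SSL_ spelling reported by the AS/400 ClientHello quoted further down in the thread. It assumes the Jetty 9.4 SslContextFactory API; the keystore path and password, the protocol name "TLS", the provider string and the port are placeholders to replace with whatever your IBM JVM documents. The select() helper only mimics the shape of Jetty's include-then-exclude regex selection so the effect can be seen offline; the default exclude list it is fed is what Jetty 9.4 ships (confirm against DEFAULT_EXCLUDED_CIPHER_SUITES in your version).

```java
// Added example (not from the thread or the Jetty project). Assumes Jetty 9.4 on the
// classpath. Keystore path/password, protocol and provider names are placeholders.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class IbmJvmSslConfig
{
    // Subset of the AS/400 ClientHello list quoted later in this thread.
    static final String[] AS400_SUITES = {
        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "SSL_RSA_WITH_AES_128_CBC_SHA",
        "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "SSL_DHE_DSS_WITH_AES_128_GCM_SHA256",
    };

    // Jetty 9.4's shipped default exclude list (verify in your version). Note "^SSL_.*$".
    static final String[] JETTY_94_DEFAULT_EXCLUDES = {
        "^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_.*$", "^.*_NULL_.*$", "^.*_anon_.*$"
    };

    // Prefix-agnostic include: ECDHE + AES-GCM only, whether spelled TLS_ or SSL_.
    static final String FS_AEAD_ONLY =
        "^(TLS|SSL)_ECDHE_(RSA|ECDSA)_WITH_AES_(128|256)_GCM_SHA(256|384)$";

    // Same shape as Jetty's selection: keep what matches an include pattern (all if none
    // are given), then drop what matches an exclude pattern. Patterns are regexes.
    static List<String> select(String[] supported, String[] includes, String[] excludes)
    {
        List<String> out = new ArrayList<>();
        for (String suite : supported)
        {
            boolean keep = includes.length == 0;
            for (String p : includes) keep |= Pattern.matches(p, suite);
            for (String p : excludes) keep &= !Pattern.matches(p, suite);
            if (keep) out.add(suite);
        }
        return out;
    }

    static SslContextFactory configure(String keystore, String password, String protocol, String provider)
    {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(keystore);
        ssl.setKeyStorePassword(password);
        ssl.setProtocol(protocol);             // "TLS" on OpenJDK; IBM may document another name
        if (provider != null && !provider.isEmpty())
            ssl.setProvider(provider);         // IBM JSSE provider name, if the default one does not work
        ssl.setIncludeProtocols("TLSv1.2");    // assumption: the IBM JVM uses the standard protocol name
        ssl.setIncludeCipherSuites(FS_AEAD_ONLY);
        // setExcludeCipherSuites REPLACES the default list, so the "^SSL_.*$" entry goes away.
        ssl.setExcludeCipherSuites("^.*_NULL_.*$", "^.*_anon_.*$", "^.*_(MD5|SHA|SHA1)$", "^(TLS|SSL)_RSA_.*$");
        return ssl;
    }

    // Last resort named in the thread: build the SSLContext "the IBM way" and hand it over.
    static SslContextFactory withManualContext(String keystore, String password, String protocol, String provider)
        throws Exception
    {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystore))
        {
            ks.load(in, password.toCharArray());
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());
        SSLContext ctx = (provider == null || provider.isEmpty())
            ? SSLContext.getInstance(protocol)
            : SSLContext.getInstance(protocol, provider);
        ctx.init(kmf.getKeyManagers(), null, null);
        SslContextFactory ssl = new SslContextFactory();
        ssl.setSslContext(ctx);                // Jetty then skips its own SSLContext construction
        return ssl;
    }

    public static void main(String[] args) throws Exception
    {
        // Offline check of the filter effect on the SSL_-prefixed list.
        System.out.println("Jetty 9.4 default excludes leave: "
            + select(AS400_SUITES, new String[0], JETTY_94_DEFAULT_EXCLUDES));
        System.out.println("prefix-agnostic include leaves:   "
            + select(AS400_SUITES, new String[] { FS_AEAD_ONLY }, new String[0]));

        SslContextFactory ssl = configure("/path/to/keystore.jks", "changeit", "TLS", "");
        Server server = new Server();
        ServerConnector https = new ServerConnector(server, ssl);
        https.setPort(8443);
        server.addConnector(https);
        server.start();
        server.join();
    }
}
```

Run the offline part first: with the shipped excludes, the only survivor of the AS/400 list is TLS_EMPTY_RENEGOTIATION_INFO_SCSV, which is a signalling value rather than a usable cipher suite, so the handshake has nothing to negotiate. Only after the prefix-agnostic patterns give a non-empty result is it worth touching setProtocol and setProvider, and the manual SSLContext path only if those two still fail.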

On Wed, Mar 14, 2018 at 12:04 PM, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
Also, read and understand the linked-to issue on the IBM side for TLS (from the prior message).


The IBM JVM does not apparently follow the OpenJDK standard naming of things (which dozens of other alternate JVMs do); that article tells you how to correct the startup of your IBM JVM to address that as well.



Joakim Erdfelt / joakim@xxxxxxxxxxx

On Wed, Mar 14, 2018 at 11:53 AM, Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx> wrote:
Those are ciphers for the SSL protocol instead of TLS. You do not want to use those...



Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Lothar Kimmeringer <job@xxxxxxxxxxxxxx>
Date: 3/14/18 17:36 (GMT+01:00)
Subject: Re: [jetty-users] keystore

Hi,

Am 14.03.2018 um 17:24 schrieb Joakim Erdfelt:

> * The IBM JVM is not sane; look into its cipher suites and protocols.
>
> A quick comparison shows that it has half the cipher suites that the Oracle JVM or OpenJDK has.

Not necessarily. At least the JVM for the i Series has more or less the same
ciphers, but the textual representation does not start with TLS_... but with SSL_...,
so filters based on the textual representation will filter out most
of them (in my case, where I found that out, all ciphers were filtered).

Here, as an example, is the -Djavax.net.debug=ssl:handshake output for a ClientHello
sent by an AS/400:

Cipher Suites: [
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
  SSL_RSA_WITH_AES_256_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_RSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_RSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_RSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
  SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
  SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
  SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
  SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_RSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
  SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
  SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]


Cheers, Lothar
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
