Re: [jetty-users] how to properly deployDiffie-Hellman on my server

[Meggyesi, Zalán <zmeggyesi@xxxxxxxx>]

Hi,

To piggyback onto what Joakim says, I would really recommend using a separate TLS termination point. It's much easier to maintain and patch as various vulnerabilities in the protocol are made public and fixed.

And as he says, stay updated. Both the server OS and any packages/programs listening on public-facing ports.

Best,

Zalan Meggyesi

Chief Support Engineer

Skawa Innovation Kft.

Phone: 0036704627005

Mobile: +36205146666

On Mon, Sep 23, 2019 at 2:28 PM Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:

When it comes to running a server with TLS/SSL on the public internet, there is one fundamental truth.

You have to stay up to date.

Your use of Java 1.7 means you practically have no solution left for you.

Why?

You are doing the right thing by excluding the vulnerable protocols: SSL, SSLv2, SSLv3, TLSv1, and TLSv1.1

That assumes that you'll use TLSv1.2, but TLSv1.2 support in Java 1.7 was reserved for clients, not servers.

Can you enable TLSv1.2 on Java 1.7 for servers?  

In some versions of Java 1.7 you can, but that support is very preliminary and has many known issues.

If you absolutely must stick with Java 1.7 and Jetty 9.2.x, then consider putting a more up to date SSL offloader in front of your application.

Some product like haproxy, nginx, etc...  and keep that product up to date!

Or, upgrade to Java 1.8 at a minimum, as that has the proper TLSv1.2 support you are needing.

If you need TLSv1.3 you'll need to upgrade to Java 11 (11.0.4+ to have most of the TLSv1.3 support issues fixed)

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Mon, Sep 23, 2019 at 5:52 AM RJC 2009 <rjc2009@xxxxxxxxx> wrote:

Hi,

Please guide on how to properly deploy Diffie-Hellman on my server. I am using Jetty 9.2.9 with jdk1.7.

 

This is my current configuration in jetty-ssl.xml but SSL scan report shows that “This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam)”

 

<Set name="ExcludeCipherSuites">

    <Array type="String">

      <Item>.*NULL.*</Item>

      <Item>.*RC4.*</Item>

      <Item>.*MD5.*</Item>

      <Item>.*DES.*</Item>

      <Item>.*DSS.*</Item>

    </Array>

  </Set>

 <!-- Enable Forward Secrecy Ciphers.       Note: this replaces the default Include Cipher list -->

  <Set name="IncludeCipherSuites">

    <Array type="String">

      <Item>TLS_DHE_RSA.*</Item>

      <Item>TLS_ECDHE.*</Item>

    </Array>

  </Set>

<!-- Eliminate Insecure Protocols -->

  <Call name="addExcludeProtocols">

    <Arg>

     <Array type="java.lang.String">

       <Item>SSL</Item>

       <Item>SSLv2</Item>

       <Item>SSLv2Hello</Item>

       <Item>SSLv3</Item>

       <Item>TLSv1</Item>

       <Item>TLSv1.1</Item>

     </Array>

    </Arg>

  </Call>

 

Regards

Rjc

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users