Re: [jetty-users] TLSv1 and TLSv1.1 are disabled by Jetty 10?

I'm just a Jetty user, but if I were in charge, I would have disabled TLS 1 and 1.1 by default in the latest release because they are now officially insecure.  Please see the SSL Labs announcement from 2018:
https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols

I spent a fair amount of time last quarter figuring out how to securely support IE11/Win7 without TLS 1 and 1.1.  My notes are here:
https://github.com/GlenKPeterson/http2-server-jar-sample

Thank you, Jetty powers-that-be, for making what I consider to be a very appropriate and timely decision about disabling insecure protocols.

On Thu, Feb 6, 2020 at 7:10 AM John Jiang <john.sha.jiang@xxxxxxxxx> wrote:
I got it. The TLSv1 and TLSv1.1 cipher suites are disabled by default.
The below configuration is working for me.
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="IncludeProtocols">
        <Array type="String">
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
            <Item>TLSv1.2</Item>
            <Item>TLSv1.3</Item>
        </Array>
    </Set>
    <Set name="IncludeCipherSuites">
        <Array type="String">
            <Item>TLS_RSA.*</Item>
            <Item>TLS_DHE.*</Item>
            <Item>TLS_ECDHE.*</Item>
            <Item>TLS_AES.*</Item>
        </Array>
    </Set>
    <Set name="ExcludeCipherSuites">
        <Array type="String">
            <Item>TLS_ECDH_.*</Item>
        </Array>
    </Set>
</Configure>

On Thu, Feb 6, 2020 at 3:46 PM John Jiang <john.sha.jiang@xxxxxxxxx> wrote:
I just added file <JETTY_BASE>/etc/tweak-ssl.xml to enable all the TLS versions, like the below,
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
          "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- Tweak SsslContextFactory Includes / Excludes -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="IncludeProtocols">
        <Array type="String">
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
            <Item>TLSv1.2</Item>
            <Item>TLSv1.3</Item>
        </Array>
    </Set>
</Configure>

And I also edited <JETTY_BASE>/start.ini to have the below lines,
# ---------------------------------------
# Module: https
# Adds HTTPS protocol support to the TLS(SSL) Connector
# ---------------------------------------
--module=https
etc/tweak-ssl.xml

But my OpenSSL s_client still received fatal alert protocol_version.
After turning on JSSE debugging with the JDK system property -Djavax.net.debug=all, I saw the below exception,
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.1 is not enabled or supported in server context

I suppose JDK (using 11.0.5) doesn't disable TLSv1.1.
Could any other Jetty configuration affect this point?

On Thu, Feb 6, 2020 at 1:47 PM John Jiang <john.sha.jiang@xxxxxxxxx> wrote:
Hi,
I'm using Jetty 10.0.0 alpha1.

With my testing, it looks like TLSv1 and TLSv1.1 are disabled in this version.
I used OpenSSL s_client to connect to the Jetty server via TLS.
If TLSv1.2 or TLSv1.3 was specified, the handshake finished successfully.
However, when TLSv1 or TLSv1.1 was specified, the handshake failed.

But with the server dump, it looked like the older TLS versions were enabled, as shown below,
|  += SslConnectionFactory@4e50c791{SSL->alpn} - STARTED
|  |  += Server@2826f61[provider=null,keyStore=file:///path/to/etc/keystore,trustStore=file:///path/to/etc/keystore] - STARTED
|  |     +> trustAll=false
|  |     +> Protocol Selections
|  |     |  +> Enabled size=4
|  |     |  |  +> TLSv1
|  |     |  |  +> TLSv1.1
|  |     |  |  +> TLSv1.2
|  |     |  |  +> TLSv1.3
|  |     |  +> Disabled size=2
|  |     |     +> SSLv2Hello - ConfigExcluded:'SSLv2Hello' JVM:disabled
|  |     |     +> SSLv3 - ConfigExcluded:'SSLv3' JVM:disabled

What have I missed?
I didn't meet this problem with Jetty 9.4.

Thanks!
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users


--
Glen K. Peterson
(828) 393-0081
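An added example, not code from the thread or from the Jetty project: a Python model of how Jetty's SslContextFactory picks cipher suites (include patterns applied in order as full regex matches against the supported list, then exclude patterns removed), run over a constructed sample of JDK suites. The DEFAULT_EXCLUDES values are Jetty's default exclude patterns as I recall them and are an assumption to verify against your version's source; the point is that a protocol listed in IncludeProtocols is only usable if at least one selected suite can be negotiated with it, which is why the defaults leave TLSv1/TLSv1.1 with nothing and the thread's include/exclude change brings them back, and why TLSv1.2/TLSv1.3 only is the configuration to aim for.

```python
import re

# Jetty's default ExcludeCipherSuites patterns as I recall them from
# SslContextFactory (assumption: check your Jetty version's source).
DEFAULT_EXCLUDES = ["^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*$", "^SSL_.*$",
                    "^.*_NULL_.*$", "^.*_anon_.*$"]
ALL_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample of JDK-supported suites and the versions each can be
# negotiated with: TLS 1.0/1.1 only have CBC suites with an HMAC-SHA1 MAC
# (names ending in _SHA), GCM/SHA256 suites need TLS 1.2, TLS_AES_* is 1.3.
SUITES = {
    "TLS_AES_256_GCM_SHA384": {"TLSv1.3"},
    "TLS_AES_128_GCM_SHA256": {"TLSv1.3"},
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": {"TLSv1.2"},
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": {"TLSv1.2"},
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "TLS_RSA_WITH_AES_128_CBC_SHA": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "TLS_RSA_WITH_AES_128_CBC_SHA256": {"TLSv1.2"},
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": {"TLSv1", "TLSv1.1", "TLSv1.2"},
}

def select_cipher_suites(supported, includes, excludes):
    """Include patterns, in order, pull full-regex matches from the supported
    list (no includes = keep all); then any suite matching an exclude is dropped."""
    if includes:
        selected = []
        for rx in map(re.compile, includes):
            selected += [s for s in supported if rx.fullmatch(s) and s not in selected]
    else:
        selected = list(supported)
    return [s for s in selected if not any(re.fullmatch(p, s) for p in excludes)]

def usable_protocols(selected, include_protocols):
    """Protocols from IncludeProtocols that still have a selected suite; one that
    is listed but left with none yields the protocol_version alert in the thread."""
    return [p for p in include_protocols if any(p in SUITES[s] for s in selected)]

THREAD_INCLUDES = ["TLS_RSA.*", "TLS_DHE.*", "TLS_ECDHE.*", "TLS_AES.*"]
THREAD_EXCLUDES = ["TLS_ECDH_.*"]

if __name__ == "__main__":
    for label, inc, exc in [("Jetty defaults", [], DEFAULT_EXCLUDES),
                            ("thread config", THREAD_INCLUDES, THREAD_EXCLUDES)]:
        chosen = select_cipher_suites(list(SUITES), inc, exc)
        print(f"{label}: {usable_protocols(chosen, ALL_PROTOCOLS)}")
```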
