My initial problem was that when I was using IncludeCipherSuites option in jetty configuration file, only TLS 1.2 was being supported. Please see below post for details: <a href="https://stackoverflow.com/questions/39540529/jetty-includeciphersuites-enables-only-tls-1-2" rel="nofollow">Jetty IncludeCipherSuites enables only TLS 1.2</a>
Based on the comments it appeared that if I don't provide ExcludeCipherSuites in my jetty configuration file, jetty default exclude cipher list is being used and many ciphers which I explicitly enabled by IncludeCipherSuites option were being excluded (if they are in jetty default exclude list).
Just adding an empty ExcludeCiphersSuites tag together with IncludeCipherSuites tag in the same configuration file solved the problem. By saying empty I mean I didn't add any ciphers to exclude, I just added ExcludeCiphersSuites tag with empty list of ciphers:<pre class="lang-xml prettyprint-override">
<Set name="ExcludeCipherSuites"> <Array type="String"> </Array> </Set>
My understanding is that previously (with only IncludeCipherSuites option) some of the the ciphers which I was including was being excluded by jetty default exclude list. However adding ExcludeCiphersSuites option with empty list forces to overwrite jetty's default exclude list with an empty list, so nothing is being excluded from my list of include ciphers. Can you please confirm that my understanding is correct?
Also based on all the above findings say jetty has the below default configuration for ciphers:
Jetty default exclude ciphers: CIPHER1, CIPHER2 Jetty default include ciphers: CIPHER3, CIPHER4
I want to configure my jetty to support CIPHER1 and CIPHER5 ONLY. Is the below the correct configuration I should use?<pre class="lang-xml prettyprint-override">
<Set name="ExcludeCipherSuites"> <Array type="String"> </Array> </Set> <Set name="IncludeCipherSuites"> <Array type="String"> <Item>CIPHER1</Item> <Item>CIPHER2</Item> </Array> </Set>
Will this overwrite all jetty defaults and force jetty to support CIPHER1 and CIPHER2 and nothing else?Answer1:
Jetty does not disable the protocols TLS/1.0 or TLS/1.1.
The configuration of protocols, ciphers, keystores, truststores, etc is all controlled by the <a href="http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/ssl/SslContextFactory.html" rel="nofollow">
The SslContextFactory has the ability to disable protocols, using the Include/Exclude of Protocols using configurations like <a href="http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/ssl/SslContextFactory.html#addExcludeProtocols-java.lang.String...-" rel="nofollow">
Note that Jetty does not include TLS/1.0 or TLS/1.1 in its default exclusions.
As of <a href="https://github.com/eclipse/jetty.project/blob/jetty-9.3.13.v20161014/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L202" rel="nofollow">Jetty 9.3.13.v20161014 the default exclusion of protocols</a> is as follows:<pre class="lang-java prettyprint-override">
addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
Since you seem to be asking specifically about Cipher Suites, know that the <a href="https://github.com/eclipse/jetty.project/blob/jetty-9.3.13.v20161014/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L203" rel="nofollow">Jetty 9.3.13.v20161014 default exclusions for Cipher suites</a> is as follows:<pre class="lang-java prettyprint-override">
This happens to be the same set of cipher suites that were declared vulnerable back in 2008, and will cease to be used on Chrome and Firefox clients on Jan 1, 2017. This kill switch for MD5/SHA/SHA1 is present in all versions of Chrome and Firefox released in the last few (5-ish?) years.
Note also that Java itself disables various protocols and cipher suite algorithms.<pre class="lang-sh prettyprint-override">
$ grep -E "^jdk.*disabled" $JAVA_HOME/jre/lib/security/java.security jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768