41260

Overwriting jetty default ciphers

Question:

My initial problem was that when I was using IncludeCipherSuites option in jetty configuration file, only TLS 1.2 was being supported. Please see below post for details: <a href="https://stackoverflow.com/questions/39540529/jetty-includeciphersuites-enables-only-tls-1-2" rel="nofollow">Jetty IncludeCipherSuites enables only TLS 1.2</a>

Based on the comments it appeared that if I don't provide ExcludeCipherSuites in my jetty configuration file, jetty default exclude cipher list is being used and many ciphers which I explicitly enabled by IncludeCipherSuites option were being excluded (if they are in jetty default exclude list).

Just adding an empty ExcludeCiphersSuites tag together with IncludeCipherSuites tag in the same configuration file solved the problem. By saying empty I mean I didn't add any ciphers to exclude, I just added ExcludeCiphersSuites tag with empty list of ciphers:

<pre class="lang-xml prettyprint-override"><Set name="ExcludeCipherSuites"> <Array type="String"> </Array> </Set>

My understanding is that previously (with only IncludeCipherSuites option) some of the the ciphers which I was including was being excluded by jetty default exclude list. However adding ExcludeCiphersSuites option with empty list forces to overwrite jetty's default exclude list with an empty list, so nothing is being excluded from my list of include ciphers. Can you please confirm that my understanding is correct?

Also based on all the above findings say jetty has the below default configuration for ciphers:

Jetty default exclude ciphers: CIPHER1, CIPHER2 Jetty default include ciphers: CIPHER3, CIPHER4

I want to configure my jetty to support CIPHER1 and CIPHER5 ONLY. Is the below the correct configuration I should use?

<pre class="lang-xml prettyprint-override"><Set name="ExcludeCipherSuites"> <Array type="String"> </Array> </Set> <Set name="IncludeCipherSuites"> <Array type="String"> <Item>CIPHER1</Item> <Item>CIPHER2</Item> </Array> </Set>

Will this overwrite all jetty defaults and force jetty to support CIPHER1 and CIPHER2 and nothing else?

Answer1:

Jetty does not disable the protocols TLS/1.0 or TLS/1.1.

The configuration of protocols, ciphers, keystores, truststores, etc is all controlled by the <a href="http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/ssl/SslContextFactory.html" rel="nofollow">SslContextFactory</a>

The SslContextFactory has the ability to disable protocols, using the Include/Exclude of Protocols using configurations like <a href="http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/ssl/SslContextFactory.html#addExcludeProtocols-java.lang.String...-" rel="nofollow">addExcludeProtocols()</a>

Note that Jetty does not include TLS/1.0 or TLS/1.1 in its default exclusions.

As of <a href="https://github.com/eclipse/jetty.project/blob/jetty-9.3.13.v20161014/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L202" rel="nofollow">Jetty 9.3.13.v20161014 the default exclusion of protocols</a> is as follows:

<pre class="lang-java prettyprint-override">addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");

Since you seem to be asking specifically about Cipher Suites, know that the <a href="https://github.com/eclipse/jetty.project/blob/jetty-9.3.13.v20161014/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L203" rel="nofollow">Jetty 9.3.13.v20161014 default exclusions for Cipher suites</a> is as follows:

<pre class="lang-java prettyprint-override">setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");

This happens to be the same set of cipher suites that were declared vulnerable back in 2008, and will cease to be used on Chrome and Firefox clients on Jan 1, 2017. This kill switch for MD5/SHA/SHA1 is present in all versions of Chrome and Firefox released in the last few (5-ish?) years.

Note also that Java itself disables various protocols and cipher suite algorithms.

<pre class="lang-sh prettyprint-override">$ grep -E "^jdk.*disabled" $JAVA_HOME/jre/lib/security/java.security jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

Recommend

  • What is the difference between CacheStoreMode USE and REFRESH
  • Force iPad app to launch in portrait when landscape is supported
  • Nginx rewrite equivalent to Apache RewriteRule that converts URL params into QueryString key/value p
  • Can't connect Entity Framework to local SQL Server Express
  • How to extract a number from a string [duplicate]
  • WooCommerce hook after order is updated?
  • Return to second to last URL in MVC (return View with previous filter conditions applied)?
  • Problem in concatenation of objects in javascript
  • How to synchronize jQuery dialog box to act like alert() of Javascript
  • Suppressing passwd when calling sqlplus from shell script
  • Angular2 component view does not update on value change via method
  • Web.config system.webserver errors
  • Silverlight DependencyProperty.SetCurrentValue Equivalent
  • Alternative To body {overflow:scroll;} That Will Prevent Page Jostling/Wriggling?
  • How to use carriage return with multiple line?
  • Use of this Javascript
  • jQuery .attr() and value
  • C++ Partial template specialization - design simplification
  • Azure Cloud Service Web Role web pages do not load
  • How can I use Kendo UI with Razor?
  • Why is the timeout on a windows udp receive socket always 500ms longer than set by SO_RCVTIMEO?
  • How to get next/previous record number?
  • Function pointer “assignment from incompatible pointer type” only when using vararg ellipsis
  • 0x202A in filename: Why?
  • How do I rollback to a specific git commit
  • Python: how to group similar lists together in a list of lists?
  • Revoking OAuth Access Token Results in 404 Not Found
  • Buffer size for converting unsigned long to string
  • Error creating VM instance in Google Compute Engine
  • How to set the response of a form post action to a iframe source?
  • Hits per day in Google Big Query
  • Change div Background jquery
  • File not found error Google Drive API
  • Qt: Run a script BEFORE make
  • How to get Windows thread pool to call class member function?
  • reshape alternating columns in less time and using less memory
  • Observable and ngFor in Angular 2
  • How to Embed XSL into XML
  • UserPrincipal.Current returns apppool on IIS
  • Conditional In-Line CSS for IE and Others?