Configuring SSL cipher suites for Jetty

2019-07-29 04:04发布

I am trying to set the allowed ssl cipher suites for the embedded jetty server in my application. If I only use IncludeCipherSuites setting for SslContextFactory in the xml file setting for some reason when I run sslscan it only lists the ciphers for TLSv1.2 and not TLSv1.1 or TLSv1.0. I need to be able to have jetty use all three TLS versions. Is there anyway I can set the IncludeCipherSuites for Jetty so that I can set the list correctly.

标签： ssl encryption Jetty

1条回答

forever°为你锁心

2楼-- · 2019-07-29 04:59

Jetty 9.3.8 disables the SLOTH vulnerable ciphers that prevent proper encryption with the latest versions of Chrome (if you re-enable the SLOTH vulnerable ciphers you'll see a broken padlock icon in Chrome).

You'll want to setup a ${jetty.base}/etc/tweak-ssl.xml and appropriate entry in your ${jetty.base}/start.ini

Note: you should be using a split ${jetty.home} and ${jetty.base} directory structure and not modifying the ${jetty.home} contents

Documented here: https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites

As for what configuration to use, that's up to you decide.

Know that excludes win over includes. If the cipher suite is excluded, no addition of it in the includes list will enable it.

Also be aware, that the JVM itself is also disabling various old protocols and cipher suites, following the same guidelines and updated specs that Jetty is with regards to security. In the near future you'll have to also re-enable those ciphers and protocols at the JVM level.

0人赞添加讨论(0) 举报

Configuring SSL cipher suites for Jetty

采纳回答

编辑标签

举报内容

检举类型

检举原因

检举说明(必填)

打开微信“扫一扫”，打开网页后点击屏幕右上角分享按钮

付费偷看金额在0.1-10元之间