Improvements to the Jetty documentation.

Added section ids to TLS documentation.

Signed-off-by: Simone Bordet <simone.bordet@gmail.com>
Simone Bordet 2020-10-05 18:17:24 +02:00
parent 7e75215cfc
commit 9c0f61d31b
1 changed files with 5 additions and 0 deletions


@ -34,6 +34,7 @@ If you enable _both_ the `https` and the `http2` module, you will have a single
TIP: Recall from the xref:og-modules[section about modules], that only modules that are explicitly enabled get their module configuration file (`+*.ini+`) saved in `$JETTY_BASE/start.d/`, and you want `$JETTY_BASE/start.d/ssl.ini` to be present so that you can configure the connector properties, the KeyStore properties and the TLS properties.
[[og-protocols-ssl-customize]]
===== Customizing KeyStore and TLS Configuration
Secure protocols have a slightly more complicated configuration since they require to configure a _KeyStore_.
@ -77,6 +78,7 @@ Refer to the link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html[SslC
CAUTION: Use module properties whenever possible, and only resort to use a Jetty XML file for advanced configuration that you cannot do using module properties.
[[og-protocols-ssl-customize-versions]]
====== Customizing TLS Protocol Versions
By default, the SSL protocols (SSL, SSLv2, SSLv3, etc.) are already excluded because they are vulnerable.
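Review bot: The new id `og-protocols-ssl-customize-versions` says `ssl` while the heading it labels is "Customizing TLS Protocol Versions", and the first sentence of this section uses "SSL protocols" for the versions that are excluded as vulnerable. These ids become `xref:` link targets, so the wording is costly to change once other pages point at them. Either keep `ssl` on purpose to match `ssl.ini` and say so in the commit message, or switch all five ids to `tls` in this patch.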
@ -102,6 +104,7 @@ To explicitly add the exclusion of TLSv1.0 and TLSv1.1 (that are also vulnerable
</Configure>
----
[[og-protocols-ssl-customize-ciphers]]
====== Customizing TLS Ciphers
You can precisely set the list of excluded ciphers, completely overriding Jetty's default, with this XML:
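Review bot: With `[[og-protocols-ssl-customize-ciphers]]` in place this section can be linked to directly, but its first sentence goes straight to an XML override, while the CAUTION telling readers to prefer module properties sits in the parent section, above `[[og-protocols-ssl-customize-versions]]`. A reader arriving through the new anchor never sees it. Consider repeating the caution here or pointing back with `xref:og-protocols-ssl-customize[]`, since this XML completely overrides Jetty's default exclusion list.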
@ -161,6 +164,7 @@ $ java -jar $JETTY_HOME/start.jar --add-module=ssl-reload
For more information about the configuration of the `ssl-reload` Jetty module, see xref:og-module-ssl-reload[this section].
[[og-protocols-ssl-conscrypt]]
===== Using Conscrypt as TLS Provider
By default, the standard TLS provider that comes with the JDK is used.
@ -177,6 +181,7 @@ To use Conscrypt as the TLS provider just enable the `conscrypt` Jetty module:
$ java -jar $JETTY_HOME/start.jar --add-module=conscrypt
----
[[og-protocols-ssl-sni]]
===== Configuring SNI
Server Name Indication (SNI) is a TLS extension that clients send to indicate what domain they want to connect to during the initial TLS handshake.