Merge remote-tracking branch 'origin/jetty-9.3.x' into jetty-9.4.x

# Conflicts: # jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc
2017-07-14 12:07:51 -04:00 · 2017-07-14 12:07:51 -04:00 · c0d87fd0c2
parent 28cfb3f495 629e41526e
commit c0d87fd0c2
1 changed files with 103 additions and 182 deletions
--- a/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc
+++ b/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc
@ -19,6 +19,16 @@

 This document provides an overview of how to configure SSL and TLS for Jetty.

+[[configuring-jetty-for-ssl]]
+===== Configuring Jetty for SSL
+
+To configure Jetty for SSL, complete the tasks in the following sections:
+
+* xref:generating-key-pairs-and-certificates[]
+* xref:requesting-trusted-certificate[]
+* xref:loading-keys-and-certificates[]
+* xref:configuring-sslcontextfactory[]
+
 [[tls-and-ssl-versions]]
 ==== TLS and SSL versions

@ -78,16 +88,6 @@ Since Apache and other servers commonly use the OpenSSL tool suite to generate a

 If you want the option of using the same certificate with Jetty or a web server such as Apache not written in Java, you might prefer to generate your private key and certificate with OpenSSL.

-[[configuring-jetty-for-ssl]]
-===== Configuring Jetty for SSL
-
-To configure Jetty for SSL, complete the tasks in the following sections:
-
-* xref:generating-key-pairs-and-certificates[]
-* xref:requesting-trusted-certificate[]
-* xref:loading-keys-and-certificates[]
-* xref:configuring-sslcontextfactory[]
-
 [[generating-key-pairs-and-certificates]]
 ===== Generating Key Pairs and Certificates

@ -354,75 +354,16 @@ $ keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destke
 If you are updating your configuration to use a newer certificate, as when the old one is expiring, just load the newer certificate as described in the section, xref:loading-keys-and-certificates[].
 If you imported the key and certificate originally using the PKCS12 method, use an alias of "1" rather than "jetty", because that is the alias the PKCS12 process enters into the keystore.

-==== Configuring SSL in Jetty Distribution
-
-For those of you using the Jetty Distribution, enabling SSL support is as easy as activating the `ssl` module.
-
-An example of this setup:
-
-[source, plain, subs="{sub-order}"]
----
-$ cd /path/to/mybase
-$ java -jar ../start.jar --create-startd
-MKDIR : ${jetty.base}/start.d
-INFO  : Base directory was modified
-$ java -jar /path/to/jetty-dist/start.jar --add-to-start=ssl
-INFO  : server          transitively enabled, ini template available with --add-to-start=server
-INFO  : ssl             initialized in ${jetty.base}/start.d/ssl.ini
-MKDIR : ${jetty.base}/etc
-COPY  : ${jetty.home}/modules/ssl/keystore to ${jetty.base}/etc/keystore
-INFO  : Base directory was modified
-$ tree
-.
-├── etc
-│   └── keystore
-└── start.d
-    ├── server.ini
-    └── ssl.ini
----
-
-When you open `start.d/ssl.ini`, you will see many commented properties ready for you to configure the `SslContextFactory` basics.
-
-To highlight some of the more commonly used properties:
-
-jetty.ssl.host::
-  Configures which interfaces the SSL/TLS Connector should listen on.
-jetty.ssl.port::
-  Configures which port the SSL/TLS Connector should listen on.
-jetty.httpConfig.securePort::
-  If a webapp needs to redirect to a secure version of the same resource, then this is the port reported back on the response `location` line (having this be separate is useful if you have something sitting in front of Jetty, such as a Load Balancer or proxy).
-jetty.sslContext.keyStorePath::
-  Sets the location of the `keystore` that you configured with your certificates.
-jetty.sslContext.keyStorePassword::
-  Sets the Password for the `keystore`.
-
-[[two-way-authentication]]
-==== Two Way Authentication
-
-To enable two-way authentication both the `ssl` and `https` modules need to be activated.
-Once enabled, set the `jetty.sslContext.needClientAuth` property to `true`.
-
-[source%nowrap,ini,linenums]
-.$JETTY_BASE/start.d/ssl.ini
----
-# Module: ssl
--module=ssl
-...
-## whether client certificate authentication is required
-jetty.sslContext.needClientAuth=true
-...
----
-
 [[layout-of-keystore-and-truststore]]
-==== Layout of keystore and truststore
+===== Layout of keystore and truststore

-The server's private key and certificate are contained within the keystore.
+The `keystore` only contains the server's private key and certificate.

 [[img-certificate-chain]]
 image::images/certificate-chain.png[title="Certificate chain", alt="Certificate chain"]

 [literal]
-.The structure of a KeyStore file
+.The structure of KeyStore file:
 ....
 ├── PrivateKeyEntry
 │   ├── PrivateKey
@ -436,10 +377,10 @@ image::images/certificate-chain.png[title="Certificate chain", alt="Certificate
    └── Root CA certificate
 ....

-[TIP]
-====
-`PrivateKeyEntry`, `Certificate chain`, `Intermediary CA certificate` and `Root CA certificate` are all optional values.
-====
+____
+[NOTE]
+Both the `Intermediary CA certificate` and `Root CA certificate` are optional.
+____

 [source%nowrap,plain,linenums]
 ----
@ -696,10 +637,9 @@ KeyIdentifier [
 *******************************************
 ----

-Additionally, you can split `$JETTY/etc/keystore` into two files.
-One being `$JETTY/etc/keystore` which only contains the server’s private key and certificate, while the other would be `$JETTY/etc/truststore` which contains intermediary CA and root CA.
-
-An example of this would look like the following:
+In addition, you can split `$JETTY/etc/keystore` as two files.
+One is `$JETTY/etc/keystore` which only contains the server’s private key and certificate,
+the other is `$JETTY/etc/truststore` which contains intermediary CA and root CA.

 [literal]
 .The structure of `$JETTY/etc/keystore`
@ -747,7 +687,7 @@ setKeyStorePath::
  The configured keystore to use for all SSL/TLS in configured Jetty Connector (or Client).
 ____
 [NOTE]
-As the keystore is vital security information, it recommended the file is located in a directory with *very* restricted access.
+As a keystore is vital security information, it can be desirable to locate the file in a directory with *very* restricted access.
 ____

 setKeyStorePassword::
@ -772,21 +712,96 @@ ____

 ____
 [CAUTION]
-The keystore and truststore passwords may also be set using the system properties: `org.eclipse.jetty.ssl.keypassword` and `org.eclipse.jetty.ssl.password`.
+The keystore and truststore passwords may also be set using the system properties: `org.eclipse.jetty.ssl.keypassword` `org.eclipse.jetty.ssl.password`.
 This is _not_ a recommended usage.
 ____

 ==== Configuring SNI

 From Java 8, the JVM contains support for the http://en.wikipedia.org/wiki/Server_Name_Indication[Server Name Indicator (SNI)] extension, which allows a SSL connection handshake to indicate one or more DNS names that it applies to.
-To support this, the `ExtendedSslContextFactory` is used that will look for multiple X509 certificates within the keystore, each of which may have multiple DNS names (including wildcards) associated with the http://en.wikipedia.org/wiki/SubjectAltName[Subject Alternate Name] extension.
-When using the `ExtendedSSlContextFactory`, the correct certificate is automatically selected if the SNI extension is present in the handshake.
+
+To support this, the `SslContextFactory` is used.
+The `SslContextFactory` will look for multiple X509 certificates within the keystore, each of which may have multiple DNS names (including wildcards) associated with the http://en.wikipedia.org/wiki/SubjectAltName[Subject Alternate Name] extension.
+When using the `SslContextFactory`, the correct certificate is automatically selected if the SNI extension is present in the handshake.
+
+
+==== Configuring SSL in Jetty Distribution
+
+For those of you using the Jetty Distribution, enabling SSL support is as easy as activating the `ssl` module.
+
+An example of this setup:
+
+[source, plain, subs="{sub-order}"]
+----
+$ cd /path/to/mybase
+$ java -jar /path/to/jetty-dist/start.jar --add-to-startd=ssl
+INFO : server          initialised (transitively) in ${jetty.base}/start.d/server.ini
+INFO : ssl             initialised in ${jetty.base}/start.d/ssl.ini
+INFO : Base directory was modified
+$ tree
+.
+├── etc
+│   └── keystore
+└── start.d
+    ├── server.ini
+    └── ssl.ini
+----
+
+When you open `start.d/ssl.ini`, you will see several commented properties ready for use when configuring `SslContextFactory` basics.
+
+To highlight some of the more commonly used properties:
+
+jetty.ssl.host::
+  Configures which interfaces the SSL/TLS Connector should listen on.
+jetty.ssl.port::
+  Configures which port the SSL/TLS Connector should listen on.
+jetty.httpConfig.securePort::
+  If a webapp needs to redirect to a secure version of the same resource, then this is the port reported back on the response `location` line (having this be separate is useful if you have something sitting in front of Jetty, such as a Load Balancer or proxy).
+jetty.sslContext.keyStorePath::
+  Sets the location of the `keystore` that you configured with your certificates.
+jetty.sslContext.keyStorePassword::
+  Sets the Password for the `keystore`.
+
+[[two-way-authentication]]
+==== Two Way Authentication
+
+To enable two-way authentication in the Jetty Distribution, you need to enable the both the `ssl` and `https` modules.
+
+[source, plain, subs="{sub-order}"]
+----
+$ cd /path/to/mybase
+$ java -jar /path/to/jetty-dist/start.jar --add-to-startd=ssl,https
+----
+
+[source%nowrap,ini,linenums]
+.$JETTY_BASE/start.d/ssl.ini
+----
+# Module: ssl
+--module=ssl
+
+jetty.ssl.host=0.0.0.0
+jetty.ssl.port=8583
+jetty.sslContext.keyStorePath=etc/keystore
+jetty.sslContext.trustStorePath=etc/keystore
+jetty.sslContext.keyStorePassword=OBF:
+jetty.sslContext.keyManagerPassword=OBF:
+jetty.sslContext.trustStorePassword=OBF:
+jetty.sslContext.trustStoreType=JKS
+# enable two way authentication
+jetty.sslContext.needClientAuth=true
+----
+
+[source%nowrap,ini,linenums]
+.$JETTY_BASE/start.d/https.ini
+----
+# Module: https
+--module=https
+----

 [[configuring-sslcontextfactory-cipherSuites]]
 ==== Disabling/Enabling Specific Cipher Suites

-To avoid specific attacks it is often necessary to configure a specific set of cipher suites to include or exclude.
-This can either be done via link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html#setIncludeCipherSuites(java.lang.String...)[SslContext.setIncludeCipherSuites(java.lang.String...)] or vialink:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html#setExcludeCipherSuites(java.lang.String...)[SslContext.setExcludeCipherSuites(java.lang.String...)].
+As an example, to avoid the BEAST attack it is necessary to configure a specific set of cipher suites. This can either be done via link:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html#setIncludeCipherSuites(java.lang.String...)[SslContext.setIncludeCipherSuites(java.lang.String...)] or vialink:{JDURL}/org/eclipse/jetty/util/ssl/SslContextFactory.html#setExcludeCipherSuites(java.lang.String...)[SslContext.setExcludeCipherSuites(java.lang.String...)].

 ____
 [NOTE]
@ -796,7 +811,7 @@ Tools like ssllabs.com might report slightly different names which will be ignor
 ____

 ____
-[NOTE]
+[IMPORTANT]
 It's recommended to install the Java Cryptography Extension (JCE) Unlimited Strength policy files in your JRE to get full strength ciphers such as AES-256.
 The files can be found on the http://www.oracle.com/technetwork/java/javase/downloads/index.html[Java download page].
 Just overwrite the two present JAR files in `<JRE_HOME>/lib/security/`.
@ -849,7 +864,7 @@ ____
 [NOTE]
 The default `SslContextFactory` implementation applies the latest SSL/TLS recommendations surrounding vulnerabilities in SSL/TLS.
 Check the release notes (the `VERSION.txt` found in the root of the Jetty Distribution, or the http://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22org.eclipse.jetty%22%20AND%20a%3A%22jetty-project%22[alternate (classified 'version') artifacts for the `jetty-project` component]on Maven Central) for updates.
-The Java JVM is also applying exclusions at the JVM level and as such if you have a need to enable something that is generally accepted by the industry as being insecure or vulnerable you will likely have to enable it in BOTH the Java JVM and the Jetty configuration.
+The Java JVM also applies exclusions at the JVM level and, as such, if you have a need to enable something that is generally accepted by the industry as being insecure or vulnerable you will likely have to enable it in *both* the Java JVM and your Jetty configuration.
 ____

 ____
@ -919,97 +934,3 @@ ____
 ----
  <Set name="renegotiationAllowed">FALSE</Set>
 ----
-
-[[ssl-dump-ciphers]]
-
-You can view what cipher suites are enabled and disabled by performing a server dump.
-
-To perform a server dump upon server startup, add `jetty.server.dumpAfterStart=true` to the command line when starting the server.
-You can also dump the server when shutting down the server instance by adding `jetty.server.dumpBeforeStop`.
-
-Specifically, you will want to look for the `SslConnectionFactory` portion of the dump.
-
-[source, screen, subs="{sub-order}"]
----
-[my-base]$ java -jar ${JETTY_HOME}/start.jar jetty.server.dumpAfterStart=true
-
-...
-|   += SslConnectionFactory@18be83e4{SSL->http/1.1} - STARTED
-|   |   += SslContextFactory@42530531(null,null) trustAll=false
-|   |       +- Protocol Selections
-|   |       |   +- Enabled (size=3)
-|   |       |   |   +- TLSv1
-|   |       |   |   +- TLSv1.1
-|   |       |   |   +- TLSv1.2
-|   |       |   +- Disabled (size=2)
-|   |       |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
-|   |       |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
-|   |       +- Cipher Suite Selections
-|   |           +- Enabled (size=15)
-|   |           |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
-|   |           |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
-|   |           |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-|   |           |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
-|   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-|   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-|   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-|   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-|   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
-|   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
-|   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
-|   |           |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
-|   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
-|   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
-|   |           |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
-|   |           +- Disabled (size=42)
-|   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
-|   |               +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
-|   |               +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
-|   |               +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security
-...
----
-
-In the example above you can see both the enabled/disabled protocols and included/excluded ciper suites.
-For disabled or excluded protocols and ciphers, the reason they are disabled is given - either due to JVM restrictions, configuration or both.
-As a reminder, when configuring your includes/excludes, *excludes always win*.
-
-Dumps can be configured as part of the `jetty.xml` configuration for your server.
-Please see the documentation on the link:#jetty-dump-tool[Jetty Dump Tool] for more information.