commit
d85de7d91f
|
@ -24,29 +24,28 @@ This document provides an overview of how to configure SSL and TLS for Jetty.
|
||||||
|
|
||||||
Which browser/OS supports which protocols can be https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers[found on Wikipedia].
|
Which browser/OS supports which protocols can be https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers[found on Wikipedia].
|
||||||
|
|
||||||
* TLS v1.1 and v1.2: The protocols which should be used wherever possible.
|
* TLS v1.2: The protocol which should be used wherever possible.
|
||||||
All CBC based ciphers are supported since Java 7, the new GCM modes are supported since Java 8.
|
All CBC based ciphers are supported since Java 7, the new GCM modes are supported since Java 8.
|
||||||
|
|
||||||
===== Older Protocols
|
===== Older Protocols
|
||||||
|
|
||||||
Both TLS v1.0 and SSL v3 are no longer supported by default. If your Jetty implementation requires these protocols for legacy support, they can be enabled manually.
|
TLS v1.0, v1.1 and SSL v3 are no longer supported by default. If your Jetty implementation requires these protocols for legacy support, they can be enabled manually.
|
||||||
|
|
||||||
____
|
____
|
||||||
[NOTE]
|
[NOTE]
|
||||||
Once TLS v1.3 is released, there will be no workaround available for TLS v1.0.
|
Once TLS v1.3 is released, there will be no workaround available for TLS v1.0 or v1.1.
|
||||||
Plans for TLS v1.3 include banning ciphers with known vulnerabilities from being present at any level.
|
Plans for TLS v1.3 include banning ciphers with known vulnerabilities from being present at any level.
|
||||||
It is recommended to upgrade any clients using these ciphers as soon as possible or face being locked into a outdated version of Jetty, Java or even OS.
|
It is recommended to upgrade any clients using these ciphers as soon as possible or face being locked into a outdated version of Jetty, Java or even OS.
|
||||||
____
|
____
|
||||||
|
|
||||||
By default, Jetty exclused these ciphers in the link:{GITBROWSEURL}/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L253-L256[`SslContextFactory`.]
|
By default, Jetty excludes these ciphers in the link:{GITBROWSEURL}/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L249-L256[`SslContextFactory`.]
|
||||||
You can re-enable these by re-declaring the ciphers you want excluded in code:
|
You can re-enable these by re-declaring the ciphers you want excluded in code:
|
||||||
|
|
||||||
[source, java, subs="{sub-order}"]
|
[source, java, subs="{sub-order}"]
|
||||||
----
|
----
|
||||||
SslContextFactory sslContextFactory = new SslContextFactory();
|
SslContextFactory sslContextFactory = new SslContextFactory();
|
||||||
sslContextFactory.setExcludeCipherSuites(
|
sslContextFactory.setExcludeCipherSuites(
|
||||||
"SSL_DHE_DSS_WITH_DES_CBC_SHA",
|
"^.*_(MD5|SHA|SHA1)$");
|
||||||
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
|
|
||||||
----
|
----
|
||||||
|
|
||||||
If, after making these changes, you still have issues using these ciphers they are likely being blocked at the JVM level.
|
If, after making these changes, you still have issues using these ciphers they are likely being blocked at the JVM level.
|
||||||
|
|
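Review bot: the replacement code example (`sslContextFactory.setExcludeCipherSuites(` followed by `"^.*_(MD5|SHA|SHA1)$");`) no longer agrees with the unchanged prose around it. The text still reads "By default, Jetty excludes these ciphers in the `SslContextFactory`" and "You can re-enable these by re-declaring the ciphers you want excluded in code", where "these" referred to the explicit legacy suites the old example listed (`"SSL_DHE_DSS_WITH_DES_CBC_SHA"`, `"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"`); the new argument is a regex that excludes every suite whose name ends in `_MD5` or `_SHA`, i.e. every SHA-1-MAC suite, which is a broader and stricter policy, not a way to re-enable a legacy cipher. Suggest rewording the sentence to say that `setExcludeCipherSuites` replaces Jetty's default exclusion list, so any suite not matched by the patterns you pass becomes enabled again, and that `addExcludeCipherSuites` is the call to use when you only want to tighten the defaults; then the regex example fits. The `SHA1` alternative in the pattern is also dead: standard JSSE suite names end in `_SHA`, `_SHA256` or `_SHA384`, never `_SHA1`, so `^.*_(MD5|SHA)$` says the same thing without implying a name that does not exist. Minor: the NOTE "Once TLS v1.3 is released, there will be no workaround available for TLS v1.0 or v1.1" states a prediction as fact; publication of TLS 1.3 does not by itself remove TLS 1.0/1.1 from the JVM or from Jetty, so either cite what Jetty or the JDK will actually do or soften the sentence.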