diff --git a/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc b/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc index de77a563429..3510224f181 100644 --- a/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc +++ b/jetty-documentation/src/main/asciidoc/configuring/connectors/configuring-ssl.adoc 
@@ -26,9 +26,31 @@ Which browser/OS supports which protocols can be https://en.wikipedia.org/wiki/T * TLS v1.1 and v1.2: The protocols which should be used wherever possible. All CBC based ciphers are supported since Java 7, the new GCM modes are supported since Java 8. -* TLS v1.0: Still supported but is affected by the link:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566[POODLE attack.] - To support older browsers this protocol version is still needed. -* SSL v3: is now deprecated and should *only* be enabled if you still need to support very old browsers like Internet Explorer 6 on Windows XP which does not support TLS 1.0 (or is disabled by default). + +===== Older Protocols + +Both TLS v1.0 and SSL v3 are no longer supported by default. If your Jetty implementation requires these protocols for legacy support, they can be enabled manually. + +____ +[NOTE] +Once TLS v1.3 is released, there will be no workaround available for TLS v1.0. +Plans for TLS v1.3 include banning ciphers with known vulnerabilities from being present at any level. +It is recommended to upgrade any clients using these ciphers as soon as possible or face being locked into a outdated version of Jetty, Java or even OS. +____ + +By default, Jetty exclused these ciphers in the link:{GITBROWSEURL}/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L253-L256[`SslContextFactory`.] +You can re-enable these by re-declaring the ciphers you want excluded in code: + +[source, java, subs="{sub-order}"] +---- +SslContextFactory sslContextFactory = new SslContextFactory(); +sslContextFactory.setExcludeCipherSuites( + "SSL_DHE_DSS_WITH_DES_CBC_SHA", + "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"); +---- + +If, after making these changes, you still have issues using these ciphers they are likely being blocked at the JVM level. 
+Locate the `$JAVA_HOME/jre/lib/security/` directory for the `java.security` file and examine it for any configuration that is excluding _ciphers_ or _algorithms_ (depending on the version of the JVM you are using the nomenclature may be different). [[understanding-certificates-and-keys]] ==== Understanding Certificates and Keys
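Review bot: the Java example under "Older Protocols" does not do what its lead-in says: the prose promises a way to re-enable the legacy ciphers, but `setExcludeCipherSuites(...)` is a setter that replaces the whole default exclude list with exactly the suites passed in, so the two suites named in the snippet stay excluded while every other default exclusion from the linked `SslContextFactory` lines is silently dropped. Say that plainly (the caller is trading the defaults for only the list they pass) and show the reader passing the complete list they still want excluded, or at least point them at the default list so they can copy it minus the entries they need. The section also says TLS v1.0 and SSL v3 "can be enabled manually", yet the example only touches cipher suites; a protocol-level step belongs alongside it or the sentence should be narrowed to ciphers. Two typos in the added prose: "exclused" should be "excludes" and "a outdated" should be "an outdated". Minor AsciiDoc point: `[NOTE]` is placed inside the `____` delimiters, whereas the admonition attribute normally precedes the opening delimiter.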