Jetty/Howto/CipherSuites

From Eclipsepedia

Revision as of 16:02, 1 June 2011

Introduction

The SSL cipher suites that Jetty offers come from the JSSE provider of the Java Virtual Machine Jetty runs on, not from Jetty itself, so the available set depends on the JRE version and on the installed security providers and jurisdiction policy. See the JSSE Provider documentation (http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider) for the cipher suites the SunJSSE provider supports and which of them are enabled by default.


Steps

Enabling Cipher Suites

If a cipher suite that you require is supported by the JVM but not enabled by default, Jetty lets you enable it for a specific SSL connector at startup by listing it in the connector's IncludeCipherSuites array in the jetty.xml configuration file, as shown below. List the suites in preference order: the order of the array is the preference Jetty passes to the JSSE, although whether the server side enforces that order over the client's own preference depends on the JSSE implementation in use. A suite the JVM does not support cannot be enabled from jetty.xml; in particular, on older JREs the 256-bit AES suites require the JCE Unlimited Strength Jurisdiction Policy Files, so check the JVM's supported list before relying on them. The org.mortbay.jetty.security.SslSocketConnector class in the example is the Jetty 6 connector; later Jetty versions expose the same IncludeCipherSuites and ExcludeCipherSuites settings on their org.eclipse.jetty SSL connectors and SslContextFactory.

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
      ...
      <!-- Suites to enable, in preference order; each must be supported by the JVM -->
      <Set name="IncludeCipherSuites">
        <Array type="java.lang.String">
          <!-- DHE suites use ephemeral Diffie-Hellman and so give forward secrecy -->
          <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
          <!-- 256-bit AES suites need the unlimited-strength JCE policy on older JREs -->
          <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Call>

Disabling Cipher Suites

If a vulnerability is discovered in a cipher, or if it is considered too weak to use, you can exclude it at startup by listing it in the connector's ExcludeCipherSuites array in the jetty.xml configuration file, as shown below. Jetty applies the exclude list after the include list, so a cipher suite that appears in both is disabled. Excluding a suite the JVM never enabled has no effect, and a misspelled name in the exclude list simply fails to match anything, so verify the result against the JVM's supported list, or with a TLS scanner pointed at the connector, after restarting.

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
      ...
      <!-- Removed after any IncludeCipherSuites list is applied -->
      <Set name="ExcludeCipherSuites">
        <Array type="java.lang.String">
          <!-- 3DES and single-DES suites; the SSL_ prefix is the JSSE naming convention -->
          <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Call>
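The two steps above are easy to get subtly wrong: a misspelled suite name, a suite the JVM does not support, or an include and exclude that cancel each other leave you with a connector offering something other than what you intended, and nothing in jetty.xml tells you. The following script is an added example, not Jetty's own code. It parses the IncludeCipherSuites and ExcludeCipherSuites arrays of an SslSocketConnector out of a jetty.xml, resolves them the way this page describes (the include list, kept in preference order and limited to suites the JVM supports, replaces the JVM defaults; the exclude list is then removed), and reports the effective list plus any suite that is unsupported, unmatched, or weak. The supported and default-enabled suite lists, the jetty.xml fragment, and the misspelled suite TLS_RSA_WITH_AES128_CBC_SHA are constructed for the example; replace the lists with the ones your own JVM reports.

```python
# Added example: audit a Jetty SSL connector's cipher-suite settings offline.
# Not Jetty's own code; the resolution order follows the howto text above.
import xml.etree.ElementTree as ET

# Constructed sample of what a JSSE provider might report as supported and as
# enabled by default.  Replace with your JVM's own lists, e.g. from
# SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites().
SUPPORTED_SUITES = [
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",          # supported but not enabled by default
    "SSL_DH_anon_WITH_RC4_128_MD5",   # supported but not enabled by default
]
DEFAULT_ENABLED = SUPPORTED_SUITES[:10]

# Name fragments marking no encryption, no authentication, export keys, DES, 3DES, RC4, MD5.
WEAK_MARKERS = ("_NULL_", "_anon_", "EXPORT", "_DES_", "3DES", "RC4", "_MD5")
CONNECTOR_CLASS = "org.mortbay.jetty.security.SslSocketConnector"

# Constructed jetty.xml fragment: includes a 3DES suite and excludes it again,
# and contains one deliberately misspelled suite name (AES128 instead of AES_128).
SAMPLE_JETTY_XML = """<?xml version="1.0"?>
<Configure id="Server" class="org.mortbay.jetty.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.security.SslSocketConnector">
        <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
            <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES128_CBC_SHA</Item>
          </Array>
        </Set>
        <Set name="ExcludeCipherSuites">
          <Array type="java.lang.String">
            <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

def parse_connector_suites(jetty_xml, connector_class=CONNECTOR_CLASS):
    """Return (include, exclude) lists from the first <New class=connector_class>."""
    root = ET.fromstring(jetty_xml)
    for new in root.iter("New"):
        if new.get("class") != connector_class:
            continue
        lists = {"IncludeCipherSuites": [], "ExcludeCipherSuites": []}
        for setter in new.findall("Set"):
            name = setter.get("name")
            if name in lists:
                lists[name] = [i.text.strip() for i in setter.iter("Item") if i.text]
        return lists["IncludeCipherSuites"], lists["ExcludeCipherSuites"]
    raise ValueError("no connector of class %s in jetty.xml" % connector_class)

def resolve_enabled(include, exclude, supported, default_enabled):
    """Include list (preference order, JVM-supported only) replaces the defaults;
    the exclude list is then removed from whatever is left."""
    enabled = [s for s in include if s in supported] if include else list(default_enabled)
    return [s for s in enabled if s not in exclude]

def weak_suites(suites):
    """Suites whose names carry a weak-algorithm marker."""
    return [s for s in suites if any(m in s for m in WEAK_MARKERS)]

def audit(jetty_xml, supported=SUPPORTED_SUITES, default_enabled=DEFAULT_ENABLED):
    """Return (effective enabled suites in preference order, list of findings)."""
    include, exclude = parse_connector_suites(jetty_xml)
    enabled = resolve_enabled(include, exclude, supported, default_enabled)
    findings = []
    for s in include:
        if s not in supported:
            findings.append("included suite not supported by this JVM (typo?): " + s)
    for s in exclude:
        if s not in supported:
            findings.append("excluded suite not supported by this JVM (no effect): " + s)
    for s in weak_suites(enabled):
        findings.append("weak suite still enabled: " + s)
    if not enabled:
        findings.append("no cipher suite enabled: every TLS handshake will fail")
    return enabled, findings

if __name__ == "__main__":
    enabled, findings = audit(SAMPLE_JETTY_XML)
    print("enabled, in preference order:", enabled)
    print("findings:", findings)
```

Run it against the sample and the 3DES suite disappears even though it is included, because the exclude step runs last, and the misspelled suite is reported rather than silently dropped. Point `audit` at your real jetty.xml and the lists from your JVM to check a connector before restarting it; the weak-marker check is deliberately name-based so it also catches suites you never listed but the JVM enables by default.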