
Difference between revisions of "Jetty/Howto/CipherSuites"

Line 2: Line 2:
 
| introduction =  
 
| introduction =  
  
{{Jetty Redirect|http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html}
+
{{Jetty Redirect|http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html}}
  
 
The Java Virtual Machine provides the SSL cipher suites that Jetty uses. See [http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider JSSE Provider documentation] for more information on the available cipher suites.
 
The Java Virtual Machine provides the SSL cipher suites that Jetty uses. See [http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider JSSE Provider documentation] for more information on the available cipher suites.
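Review bot: the second `}}` added on the `{{Jetty Redirect|...}}` line is the right fix for the previously unclosed template, but the redirect target it wraps is still a plain `http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html` link; since this page is the SSL-configuration how-to, consider pointing the redirect at the https version of that URL so readers are not sent to the documentation over cleartext.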

Latest revision as of 15:34, 23 April 2013

Introduction

Jetty 7 and Jetty 8 are now EOL (End of Life)

THIS IS NOT THE DOCUMENTATION YOU ARE LOOKING FOR!!!!!

All development and stable releases are being performed with Jetty 9 and Jetty 10.

This wiki is now officially out of date and all content has been moved to the Jetty Documentation Hub

Direct Link to updated documentation: http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

The Java Virtual Machine provides the SSL cipher suites that Jetty uses. See JSSE Provider documentation for more information on the available cipher suites.


Steps

Enabling Cipher Suites

If a cipher suite that you require is not enabled by default, Jetty provides a mechanism that lets you enable it for a specific SSL connector during Jetty startup. Be aware that you must list cipher suites in preference order.

Here's an example of how to configure the SslSocketConnector with included cipher suites:

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
      ...
      <Set name="IncludeCipherSuites">
        <Array type="java.lang.String">
          <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Call>

Note that for the SslSelectChannelConnector, the correct way to configure SSL is to use an SslContextFactory, as discussed on the SSL Configuration page. There is an example in the Jetty distribution in /etc/jetty-ssl.xml.


Disabling Cipher Suites

If a vulnerability is discovered in a cipher, or if it is considered too weak to use, you can exclude it during Jetty startup by making the following changes to the jetty.xml configuration file. Jetty performs the exclude operation after the include operation, so if a cipher suite is both included and excluded in the same configuration, it is disabled.

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
      ...
      <Set name="ExcludeCipherSuites">
        <Array type="java.lang.String">
          <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Call>
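As an added example (not from this wiki or from Jetty's own source), the following Java program lists the cipher suites the running JVM actually provides and applies the include-then-exclude rule described in the two sections above to the suite names from the jetty.xml fragments. The select helper models the rule as the page states it; the fallback to JVM defaults for an empty include list is an assumption made here.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.*;

public class CipherSuiteSelection {

    // Models the rule stated above: the include list decides which suites are
    // enabled and in what preference order, then the exclude list is applied,
    // so a suite named in both lists ends up disabled. An empty include list
    // falling back to the JVM defaults is an assumption made here, not taken
    // from the wiki.
    static List<String> select(String[] supported, String[] jvmDefaults,
                               List<String> include, List<String> exclude) {
        Set<String> supportedSet = new HashSet<>(Arrays.asList(supported));
        Set<String> selected = new LinkedHashSet<>();   // keeps preference order
        List<String> candidates = include.isEmpty() ? Arrays.asList(jvmDefaults) : include;
        for (String suite : candidates) {
            if (supportedSet.contains(suite)) {         // names the JVM lacks are dropped
                selected.add(suite);
            }
        }
        selected.removeAll(exclude);                    // exclude runs after include
        return new ArrayList<>(selected);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] defaults = ctx.getDefaultSSLParameters().getCipherSuites();

        // Suite names copied from the two jetty.xml fragments on this page.
        List<String> include = Arrays.asList(
            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",     "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA");
        List<String> exclude = Arrays.asList("SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA");

        System.out.println("JVM supports " + supported.length + " suites, "
            + defaults.length + " enabled by default");
        List<String> all = Arrays.asList(supported);
        for (String s : include) {   // which of the page's names this JVM still knows
            System.out.println((all.contains(s) ? "  supported:     " : "  not supported: ") + s);
        }
        System.out.println("Selected: " + select(supported, defaults, include, exclude));
    }
}
```

Run it on the JVM that will host Jetty; a suite reported as not supported cannot be enabled by the include list no matter how the XML is written, because the JVM, not Jetty, provides the suites.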
