Jetty/Howto/CipherSuites

From Eclipsepedia

Revision as of 12:56, 28 May 2010 by Michael.webtide.com (Talk | contribs)





Introduction

The SSL cipher suites available to Jetty are those provided by the Java Virtual Machine's JSSE provider, so which suites exist, and which are enabled by default, depends on the JVM vendor and version rather than on Jetty. Please refer to the JSSE documentation for your JVM for the list of available cipher suites.


Steps

Enable Cipher Suites

If a required cipher suite is not enabled by default, Jetty provides a mechanism for enabling it on a specific SSL connector during Jetty startup. Make the following changes to the jetty.xml configuration file. Note that the cipher suites must be listed in the required preference order: the list both selects which suites are enabled and fixes the order in which they are offered (whether the server's order or the client's takes precedence during negotiation depends on the JSSE implementation). Only suites the JVM actually supports can be enabled, so check each name carefully against the JVM's supported list.

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
      ...
      <Set name="IncludeCipherSuites">
        <Array type="java.lang.String">
          <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Call>

Disable Cipher Suites

If a vulnerability is discovered in a cipher, or if it is considered too weak to use, it can be excluded during Jetty startup. Make the following changes to the jetty.xml configuration file. When a configuration both includes and excludes cipher suites, the exclude operation is performed after the include operation, so a suite that appears in both lists ends up disabled. The example below excludes the single-DES and 3DES suites.

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
      ...
      <Set name="ExcludeCipherSuites">
        <Array type="java.lang.String">
          <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Call>
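The following added example, which is not part of this wiki page or of Jetty's code, models the include-then-exclude semantics described in the two sections above and generates the matching jetty.xml fragment. The list of suites the JVM supports is a constructed sample; on a real system it would come from SSLServerSocketFactory.getSupportedCipherSuites() on the JVM that runs Jetty. The weak-suite screening markers, and the function names effective_suites, unknown_suites, weak_suites and jetty_set_fragment, are this example's own assumptions, not Jetty features.

```python
"""Model of Jetty's IncludeCipherSuites / ExcludeCipherSuites handling.

Added example, not Jetty code.  Include is applied first and fixes the
preference order; exclude is applied afterwards, so a suite named in both
lists is disabled.  Names the JVM does not support are dropped, which is why
unknown_suites() exists: a misspelt suite name silently enables nothing.
"""
from typing import Iterable, List, Optional
from xml.sax.saxutils import escape

# Constructed sample of a 2010-era JSSE provider's supported list (assumption;
# query SSLServerSocketFactory.getSupportedCipherSuites() on the real JVM).
SUPPORTED_SUITES: List[str] = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",
]

# Substrings marking a suite as weak by construction: no encryption, no
# authentication, export-grade, DES/3DES, RC4 or MD5.  This is a screening
# heuristic for building an exclude list (assumption), not a Jetty feature.
WEAK_MARKERS = ("_NULL_", "_anon_", "EXPORT", "_DES_", "3DES", "RC4", "_MD5")


def weak_suites(supported: Iterable[str]) -> List[str]:
    """Return the supported suites that match any weak marker, in JVM order."""
    return [s for s in supported if any(m in s for m in WEAK_MARKERS)]


def unknown_suites(supported: Iterable[str], names: Iterable[str]) -> List[str]:
    """Names from an include/exclude list that the JVM does not support.

    Anything returned here is almost certainly a typo and would be ignored.
    """
    known = set(supported)
    return [n for n in names if n not in known]


def effective_suites(supported: Iterable[str],
                     include: Optional[Iterable[str]] = None,
                     exclude: Optional[Iterable[str]] = None) -> List[str]:
    """Compute the enabled suites in the order the connector would offer them."""
    # Step 1: include.  With no include list every supported suite stays
    # enabled in JVM order; with one, the include list's order is the
    # preference order and unsupported names are dropped.
    if include is None:
        enabled = list(supported)
    else:
        known = set(supported)
        enabled = [s for s in include if s in known]
    # Step 2: exclude, applied after include, so a suite listed in both
    # lists is disabled.
    excluded = set(exclude or ())
    return [s for s in enabled if s not in excluded]


def jetty_set_fragment(name: str, suites: Iterable[str], indent: str = "      ") -> str:
    """Render a <Set name="..."><Array type="java.lang.String"> fragment for jetty.xml."""
    lines = [f'{indent}<Set name="{name}">',
             f'{indent}  <Array type="java.lang.String">']
    lines += [f'{indent}    <Item>{escape(s)}</Item>' for s in suites]
    lines += [f'{indent}  </Array>', f'{indent}</Set>']
    return "\n".join(lines)


if __name__ == "__main__":
    # Derive an exclude list from the weak markers and show what survives.
    to_exclude = weak_suites(SUPPORTED_SUITES)
    print("Excluded:", to_exclude)
    print("Enabled :", effective_suites(SUPPORTED_SUITES, exclude=to_exclude))
    print(jetty_set_fragment("ExcludeCipherSuites", to_exclude))
    # A suite named in both lists is disabled, and a typo enables nothing.
    wanted = ["TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_RSA_WITH_AES_128_CBC_SHA1"]
    print("Unknown :", unknown_suites(SUPPORTED_SUITES, wanted))
    print("Result  :", effective_suites(SUPPORTED_SUITES, include=wanted,
                                        exclude=["TLS_RSA_WITH_AES_128_CBC_SHA"]))
```

Running the script prints the exclude fragment for the constructed supported list and demonstrates the two pitfalls a practitioner most often hits: a suite that is both included and excluded is disabled, and a misspelt suite name is dropped rather than reported, so compare your configured names against the JVM's supported list before relying on them.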