Re: [jetty-users] how to properly deploy Diffie-Hellman on my server

When it comes to running a server with TLS/SSL on the public internet, there is one fundamental truth.

You have to stay up to date.

Your use of Java 1.7 means you practically have no solution left for you.

Why?
You are doing the right thing by excluding the vulnerable protocols: SSL, SSLv2, SSLv3, TLSv1, and TLSv1.1
That assumes that you'll use TLSv1.2, but TLSv1.2 support in Java 1.7 was reserved for clients, not servers.

Can you enable TLSv1.2 on Java 1.7 for servers?  
In some versions of Java 1.7 you can, but that support is very preliminary and has many known issues.

If you absolutely must stick with Java 1.7 and Jetty 9.2.x, then consider putting a more up to date SSL offloader in front of your application.
Some product like haproxy, nginx, etc., and keep that product up to date!

Or, upgrade to Java 1.8 at a minimum, as that has the proper TLSv1.2 support you are needing.

If you need TLSv1.3 you'll need to upgrade to Java 11 (11.0.4+ to have most of the TLSv1.3 support issues fixed).

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Mon, Sep 23, 2019 at 5:52 AM RJC 2009 <rjc2009@xxxxxxxxx> wrote:

Hi,

Please guide on how to properly deploy Diffie-Hellman on my server. I am using Jetty 9.2.9 with jdk1.7.

This is my current configuration in jetty-ssl.xml but SSL scan report shows that “This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam)”

  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>.*NULL.*</Item>
      <Item>.*RC4.*</Item>
      <Item>.*MD5.*</Item>
      <Item>.*DES.*</Item>
      <Item>.*DSS.*</Item>
    </Array>
  </Set>

  <!-- Enable Forward Secrecy Ciphers. Note: this replaces the default Include Cipher list -->
  <Set name="IncludeCipherSuites">
    <Array type="String">
      <Item>TLS_DHE_RSA.*</Item>
      <Item>TLS_ECDHE.*</Item>
    </Array>
  </Set>

  <!-- Eliminate Insecure Protocols -->
  <Call name="addExcludeProtocols">
    <Arg>
      <Array type="java.lang.String">
        <Item>SSL</Item>
        <Item>SSLv2</Item>
        <Item>SSLv2Hello</Item>
        <Item>SSLv3</Item>
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Arg>
  </Call>

Regards

Rjc
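The Logjam finding in the scan comes from the finite-field DHE suites that the `TLS_DHE_RSA.*` include pattern keeps enabled. The following Python is an added illustration, not code from the thread or from Jetty: it replays the posted include/exclude lists against a constructed, abbreviated list of JSSE-style suite names and shows which DHE suites survive, beside an ECDHE-only include list that drops them. It assumes Jetty's SslContextFactory treats each pattern as a regex matched against the whole suite name, applies includes first and excludes second; `select_suites` and `dhe_suites_left` are names chosen here.

```python
import re

# Constructed sample of suite names in the style a Java 7 JSSE provider
# reports; a short subset for illustration, not a real provider's full list.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",
]

# The lists exactly as posted in jetty-ssl.xml above.
POSTED_INCLUDES = ["TLS_DHE_RSA.*", "TLS_ECDHE.*"]
POSTED_EXCLUDES = [".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*"]

# Hardened variant: keep only ECDHE (elliptic-curve) forward-secrecy suites,
# so no finite-field DH parameters are ever negotiated.
HARDENED_INCLUDES = ["TLS_ECDHE.*"]


def select_suites(supported, include_patterns, exclude_patterns):
    """Assumed Jetty semantics: includes are regexes full-matched against
    suite names in pattern order (an empty include list keeps everything),
    then every exclude regex removes its full-match hits."""
    if include_patterns:
        chosen = []
        for pattern in include_patterns:
            rx = re.compile(pattern)
            chosen.extend(s for s in supported
                          if rx.fullmatch(s) and s not in chosen)
    else:
        chosen = list(supported)
    for pattern in exclude_patterns:
        rx = re.compile(pattern)
        chosen = [s for s in chosen if not rx.fullmatch(s)]
    return chosen


def dhe_suites_left(include_patterns, exclude_patterns):
    """Finite-field DHE suites still enabled: the ones a Logjam scan flags
    when the server's DH group is too small."""
    selected = select_suites(SUPPORTED_SUITES, include_patterns, exclude_patterns)
    return [s for s in selected if "_DHE_" in s]
```

Running `dhe_suites_left(POSTED_INCLUDES, POSTED_EXCLUDES)` returns the two `TLS_DHE_RSA_*` suites, while the ECDHE-only include list returns none; this only removes the DHE suites, it does not change the key-exchange behaviour of the remaining suites on Java 7, which is the upgrade point made in the reply.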

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users
