Re: [jetty-users] Issue with Establishing TLSv1.3 - Jetty-9.4.34

The cipher suite names are part of the RFC standard.

The names starting with SSL_* are all deprecated according to various recommendations across the industry. (The ones starting with SSL_* are part of the SSLv3 spec per the various standards, and as such are excluded).
You appear to be using a JVM that reports non-standard Cipher Suite names. (You should file a report against your JVM to have them report the supported cipher suite names using the RFC standard and IANA registered names.)
This kind of non-standard JVM behavior is not supported "out of the box" on Jetty.

You will have to identify each reported Cipher Suite from your JVM against the various standards and specifically include each one using the non-standard names your JVM appears to want in the SslContextFactory include cipher suites configuration.
Make sure you empty out the default excluded cipher suites first (set it to a null or empty array).

Joakim Erdfelt / joakim@xxxxxxxxxxx
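
One way to carry out the steps described in the reply above, as an added example that is not part of the original message or Jetty's own code: it resolves an allowlist of IANA names against whatever spelling the running JVM reports, then clears the default excludes and sets the resolved names as the include list. The class name, the `WANTED` allowlist and the `resolve` helper are assumptions made for illustration; it needs Jetty 9.4 on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class CipherNameResolver {
    // Allowlist in IANA-registered names (constructed sample; apply your own policy).
    static final String[] WANTED = {
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    /** Maps each IANA name to the spelling this JVM reports; unsupported names go to 'missing'. */
    static List<String> resolve(String[] wanted, Set<String> jvmSupported, List<String> missing) {
        List<String> resolved = new ArrayList<>();
        for (String iana : wanted) {
            String legacy = iana.startsWith("TLS_") ? "SSL_" + iana.substring(4) : iana;
            if (jvmSupported.contains(iana)) {
                resolved.add(iana);
            } else if (jvmSupported.contains(legacy)) {
                resolved.add(legacy); // JVM reports the non-standard SSL_ spelling
            } else {
                missing.add(iana);
            }
        }
        return resolved;
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = new HashSet<>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        List<String> missing = new ArrayList<>();
        List<String> include = resolve(WANTED, supported, missing);
        System.out.println("include: " + include + "  unsupported: " + missing);
        // Refuse to continue without an allowlist: once the excludes are cleared,
        // the include list is the only cipher filter left.
        if (include.isEmpty()) throw new IllegalStateException("no allowlisted suite supported");

        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setExcludeCipherSuites(); // empty array: drop the default excludes
        ssl.setIncludeCipherSuites(include.toArray(new String[0]));
    }
}
```

Because the default excludes no longer filter anything, keep the include list short and review it whenever the JVM is upgraded.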


On Tue, Feb 2, 2021 at 2:05 PM Eze Ikonne <ike.ikonne@xxxxxxxxxx> wrote:

Hi all,

I need some clarifications regarding the proper names for TLSv1.3 cipher suites. So, in the previous versions of our embedded Jetty, we had to prefix ciphersuites with “SSL_” otherwise the configured ciphersuites were not recognized by Jetty SSL context modules.

Now, we want to support TLSv1.3 and we are getting the following error messages. On the surface, it appears that Jetty doesn’t allow the TLSv1.3 cipher suites prefixed with “SSL_”, please could someone help me out with clarification on how to specify TLSv1.3 cipher suites for Jetty. Please see below.

2021-02-02 14:22:08,771 [main] INFO  ContextHandler - Started o.e.j.w.WebAppContext@471d9180{sspcmrest,/sspcmrest,file:///C:/Users/xxx/sandbox/xxxx6020-20201124-MAINT-BUILD110/apps/jetty/webservices/webapps/sspcmrest/,AVAILABLE}{C:\Users\xxxxx\sandbox\xxxx6020-20201124-MAINT-BUILD110\apps\jetty\webservices\webapps\sspcmrest}

2021-02-02 14:22:08,771 [main] INFO  session - DefaultSessionIdManager workerName=node0

2021-02-02 14:22:08,771 [main] INFO  session - No SessionScavenger set, using defaults

2021-02-02 14:22:08,771 [main] INFO  session - node0 Scavenging every 600000ms

2021-02-02 14:22:08,865 [main] INFO  SslContextFactory - x509=X509@979e5720(webserverkeycert,h=[xxxx.com, xxxx.com, xxxx.com, xxxx.com, xxxx.com, xxxx.com, xxxx.com],w=[]) for JettySslContextFactory@3d4b29ca[provider=null,keyStore=null,trustStore=null]

2021-02-02 14:22:09,005 [main] INFO  SslContextFactory - No Cipher Suite matching 'SSL_AES_256_GCM_SHA384' is supported

2021-02-02 14:22:09,005 [main] INFO  SslContextFactory - No Cipher Suite matching 'SSL_CHACHA20_POLY1305_SHA256' is supported

2021-02-02 14:22:09,005 [main] INFO  SslContextFactory - No Cipher Suite matching 'SSL_AES_128_GCM_SHA256' is supported

2021-02-02 14:22:09,005 [main] WARN  SslContextFactory - No supported Cipher Suite from [TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256]

2021-02-02 14:22:09,068 [main] INFO  AbstractConnector - Started ServerConnector@40dd70fc{SSL, (ssl, http/1.1)}{0.0.0.0:8443}

2021-02-02 14:22:09,068 [main] INFO  Server - Started @20296ms
