[jetty-dev] changing default jetty ssl settings

hi,

I have just built a new web application that runs on Jetty 9.2.5, and my company has asked some people to run some low-level web security testing against it.

They have found that a number of SSL protocols that are no longer considered secure were enabled on the Jetty server.


I was able to address the problem by changing jetty-ssl.xml to look as follows:

  <!-- Cipher suite entries are regular expressions matched against the whole suite name. -->
  <Set name="ExcludeCipherSuites">
    <Array type="java.lang.String">
      <Item>SSL.*</Item>
      <!-- leading .* so that names such as TLS_ECDHE_RSA_WITH_RC4_128_SHA are matched -->
      <Item>.*RC4.*</Item>
      <Item>.*NULL.*</Item>
    </Array>
  </Set>

  <!-- Start from the TLS_* suites only; the exclusions above are applied afterwards. -->
  <Set name="IncludeCipherSuites">
    <Array type="java.lang.String">
      <Item>TLS.*</Item>
    </Array>
  </Set>

  <!-- Protocol entries are exact names, not patterns. -->
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv3</Item>
      <Item>SSLv2</Item>
    </Array>
  </Set>


I don't have many details on the security testing that was done; the only thing I know is that a combination of the following tools was used:

nmap, Nessus, Qualys SSL

I am wondering whether it would make sense to change jetty-ssl to reflect these suggestions.

I am not saying that we should take my stuff as is, I just meant to throw the idea out there.

Hope this helps.

thanks,
Michele
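As an added illustration (not part of the original post and not Jetty's own code), the script below models how the include/exclude lists in the fragment above select cipher suites and protocols, so the effect of a pattern can be checked offline before a rescan. It assumes, as Jetty 9.2 does, that cipher suite patterns are compiled as regular expressions and must match the whole suite name (Java's Matcher.matches()), that includes are processed before excludes, and that protocol exclusions are exact names; the cipher and protocol lists are constructed samples in JSSE naming style, not real scan output.

```python
import re

# Constructed sample of names in the form a JVM reports them; not taken from
# any real scan output or from the Jetty source.
SAMPLE_SUPPORTED_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
]
SAMPLE_SUPPORTED_PROTOCOLS = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# The pattern lists from the jetty-ssl.xml fragment in the post.
INCLUDE_CIPHERS = ["TLS.*"]
EXCLUDE_CIPHERS = ["SSL.*", ".*RC4.*", ".*NULL.*"]
EXCLUDE_PROTOCOLS = ["SSLv3", "SSLv2"]


def _full_match_any(name, patterns):
    """True if any pattern matches the whole name (mirrors Java's Matcher.matches())."""
    return any(re.fullmatch(p, name) for p in patterns)


def select_cipher_suites(supported, include, exclude):
    """Model of Jetty's include-then-exclude selection (assumption, see lead-in).

    Includes are processed in pattern order against the supported list; an
    empty include list means "start from everything"; excludes always win.
    """
    if include:
        selected = []
        for pattern in include:
            for suite in supported:
                if re.fullmatch(pattern, suite) and suite not in selected:
                    selected.append(suite)
    else:
        selected = list(supported)
    return [s for s in selected if not _full_match_any(s, exclude)]


def select_protocols(supported, exclude):
    """Protocol exclusions are compared as exact names, not patterns (assumption)."""
    return [p for p in supported if p not in exclude]


def enabled_after_posted_config():
    """What the sample JVM would be left offering under the posted lists."""
    return (
        select_cipher_suites(SAMPLE_SUPPORTED_CIPHERS, INCLUDE_CIPHERS, EXCLUDE_CIPHERS),
        select_protocols(SAMPLE_SUPPORTED_PROTOCOLS, EXCLUDE_PROTOCOLS),
    )


if __name__ == "__main__":
    ciphers, protocols = enabled_after_posted_config()
    print("cipher suites left enabled:", ciphers)
    print("protocols left enabled:", protocols)
    # An unanchored pattern behaves differently under whole-name matching:
    # "RC4.*" only matches names that start with RC4, which none of these do.
    loose = select_cipher_suites(SAMPLE_SUPPORTED_CIPHERS, INCLUDE_CIPHERS, ["RC4.*"])
    print("'RC4.*' leaves RC4 suites enabled:", [s for s in loose if "RC4" in s])
```

Two things the model makes visible: the exclusion lists only remove what they name, so a suite such as the anonymous TLS_ECDH_anon_WITH_AES_128_CBC_SHA in the sample survives the posted patterns and would need its own entry if a scan flags it, and because protocol names are compared exactly, "SSLv2" does not touch "SSLv2Hello". Both are worth confirming against the scanner's report rather than assumed.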
