
Re: [jetty-dev] changing default jetty ssl settings

The defaults for SslContextFactory exclude more than you are excluding, btw.


addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");

The defaults that Jetty ships with are tough to settle on (as it stands now, we are excluding IE6/XP with the defaults we currently have).
If we went as far as your configuration, we'd be excluding a lot of other clients as well (which might be necessary in today's world).
Feel free to file a bug asking that the defaults be updated to reflect today's best practices.


--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Expert advice, services and support from the Jetty & CometD experts

On Wed, Nov 26, 2014 at 1:44 AM, Michele Rossi <michele.rossi@xxxxxxxxx> wrote:
hi,

I have just built a new web application that runs on Jetty 9.2.5 and my company has asked some people to run a low-level web security testing against it.

They have found that a number of SSL protocols that are no longer considered secure were enabled on the Jetty server.


I was able to address the problem by changing jetty-ssl.xml to look as follows:

  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL.*</Item>
      <Item>RC4.*</Item>
      <Item>.*NULL.*</Item>
    </Array>
  </Set>

  <Set name="IncludeCipherSuites">
    <Array type="String">
      <Item>TLS.*</Item>
    </Array>
  </Set>

  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv3</Item>
      <Item>SSLv2</Item>
    </Array>
  </Set>


I don't have many details on the security testing done, the only thing I know is that a combination of the following tools was used:

nmap, Nessus, Qualys SSL

I am wondering whether it would make sense to change jetty-ssl to reflect these suggestions. 

I am not saying that we should take my stuff as is, I just meant to throw the idea out there.

Hope this helps.

thanks,
Michele
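The two messages above describe the same settings in two forms: Michele's jetty-ssl.xml include/exclude patterns and Joakim's note on the protocols SslContextFactory excludes by default. The following is an added example, not code from either mail nor from the Jetty project, that expresses those settings with the embedded Jetty 9.2 API and adds a small preview routine so the effect of the cipher-suite patterns can be reviewed before a server is started. The keystore path and password are placeholders; the list of suite names in main() is constructed for illustration; previewEnabledSuites is a local approximation (full-string regular-expression matching, include first, then exclude) and is not Jetty's own selection code.

```java
// Added example: embedded Jetty 9.2 HTTPS connector with the protocol and
// cipher-suite exclusions from the thread, plus a local preview of what the
// include/exclude patterns leave enabled. Not part of the original mails.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HardenedSslExample {

    // Patterns mirroring the jetty-ssl.xml fragment from the original mail.
    static final String[] EXCLUDE_SUITES = { "SSL.*", "RC4.*", ".*NULL.*" };
    static final String[] INCLUDE_SUITES = { "TLS.*" };
    // Protocol exclusions as listed in the reply (Jetty's shipped defaults).
    static final String[] EXCLUDE_PROTOCOLS = { "SSL", "SSLv2", "SSLv2Hello", "SSLv3" };

    static SslContextFactory buildSslContextFactory(String keyStorePath, String keyStorePassword) {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(keyStorePath);          // placeholder; supplied by the caller
        ssl.setKeyStorePassword(keyStorePassword);  // placeholder; supplied by the caller
        ssl.setExcludeProtocols(EXCLUDE_PROTOCOLS);
        // Jetty treats these entries as regular expressions, as the ".*" in the XML implies.
        ssl.setIncludeCipherSuites(INCLUDE_SUITES);
        ssl.setExcludeCipherSuites(EXCLUDE_SUITES);
        return ssl;
    }

    static Server buildServer(int httpsPort, SslContextFactory ssl) {
        Server server = new Server();
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(httpsPort);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(httpsPort);
        server.addConnector(https);
        return server;
    }

    // Local approximation of include-then-exclude selection with full-string regex
    // matching (assumption made here, not Jetty's own code): a suite survives only if
    // it matches some include pattern and matches no exclude pattern.
    static List<String> previewEnabledSuites(String[] supported, String[] include, String[] exclude) {
        List<String> result = new ArrayList<>();
        for (String suite : supported) {
            boolean included = include.length == 0 || matchesAny(suite, include);
            if (included && !matchesAny(suite, exclude)) {
                result.add(suite);
            }
        }
        return result;
    }

    private static boolean matchesAny(String value, String[] patterns) {
        for (String p : patterns) {
            if (Pattern.matches(p, value)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of suite names in the Oracle JDK naming style.
        String[] sample = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_RC4_128_SHA",   // RC4 appears mid-name, not at the start
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_RSA_WITH_NULL_SHA256"
        };
        System.out.println("Enabled after filtering: "
                + previewEnabledSuites(sample, INCLUDE_SUITES, EXCLUDE_SUITES));

        SslContextFactory ssl = buildSslContextFactory(
                args.length > 0 ? args[0] : "/path/to/keystore.jks",  // placeholder path
                args.length > 1 ? args[1] : "changeit");               // placeholder password
        Server server = buildServer(8443, ssl);
        server.start();
        server.join();
    }
}
```

The preview is the check worth running before adopting patterns like these: with full-string matching, "RC4.*" removes only suites whose names begin with RC4, so in the constructed sample TLS_ECDHE_RSA_WITH_RC4_128_SHA passes the "TLS.*" include and is not removed, while the two SSL_-prefixed suites and the NULL suite are. A pattern of the form ".*RC4.*" (the same shape the XML already uses for NULL) would catch RC4 wherever it appears in the name. Confirm the matching semantics against the Jetty version actually deployed, since the preview here only models the common full-match behaviour.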




_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev

