1. enable "unlimited strength ciphers" in the Java security config.
I think I'm good using OpenJDK, but I checked:
$ echo $JAVA_HOME
/usr/lib/jvm/java-11-openjdk-amd64
$ ls -l /usr/lib/jvm/java-11-openjdk-amd64/conf/security/
total 4
lrwxrwxrwx 1 root root 41 Jul 18 14:21 java.policy -> /etc/java-11-openjdk/security/java.policy
lrwxrwxrwx 1 root root 43 Jul 18 14:21 java.security -> /etc/java-11-openjdk/security/java.security
lrwxrwxrwx 1 root root 37 Jul 18 14:21 nss.cfg -> /etc/java-11-openjdk/security/nss.cfg
drwxr-xr-x 4 root root 4096 Aug 1 07:59 policy
vim /etc/java-11-openjdk/security/java.security
...
crypto.policy=unlimited
...
# Curious about this:
ssl.KeyManagerFactory.algorithm=SunX509
ssl.TrustManagerFactory.algorithm=PKIX
I'm curious about the SunX509. I do *not* set a keyManagerFactory (I'm a server, not a client, and don't require client-side certificates). But when Jetty starts up, I can see the following debugging info which I've just been ignoring:
Unable to get KeyManagerFactory instance for algorithm [SunX509] on provider [Conscrypt], using default
java.security.NoSuchAlgorithmException: no such algorithm: SunX509 for provider Conscrypt
at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:87)
at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
at java.base/javax.net.ssl.KeyManagerFactory.getInstance(KeyManagerFactory.java:195)
at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagerFactoryInstance(SslContextFactory.java:1817)
at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1275)
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:416)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:287)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.server.Server.doStart(Server.java:385)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.organicdesign.classVsJar.ClazzVsJarKt.main(ClazzVsJar.kt:288)
2. for the "TLS_ECDHE_ECDSA_WITH_AES_*" ciphers to be available...
TLS_ECDHE_RSA_WITH_AES_* ciphers show up as available in Jetty debugging info and are agreed upon by nmap (output of both are shown in my original message). I spent an hour messing around with my keystore anyway, but nothing good resulted.
3. Your Java or Jetty config have DHE ciphers disabled. I think the default OpenJDK config has DHE less than 2048 bits disabled if I recall correctly.
Both TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 are showing in Jetty's "available ciphers" debugging info, but are not available when I try to connect with nmap.
I noticed that the 4 strong ciphers that IE11/Win7 is said to support are supported by openssl, but it has its own name for them. Not sure if that could have anything to do with it. It looks in the TLS spec like they are identified by some two-byte hex code and not a human-readable name, but I don't know:
$ openssl ciphers -stdname
...
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
...
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
...
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
...
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
...
Simone: I'll respond in a bit.
Glen K. Peterson
(828) 393-0081