FYI. 
I found the problem was NOT with Jetty, but rather with the new JRE I'm using.
In Java1.8_u31, SSLv3 is disabled. 
You can see this in:
        jre/lib/security/java.security - jdk.tls.disabledAlgorithms=SSLv3

When I deleted that property and restarted my application, Jetty was able to 
use SSLv3.

-----Original Message-----
From: [email protected] [mailto:[email protected]] 
On Behalf Of [email protected]
Sent: Thursday, April 09, 2015 10:00 AM
To: [email protected]
Subject: jetty-users Digest, Vol 71, Issue 6

Today's Topics:

   1. Can't enable SSLv3 in 9.2.10.v20150310
      (Grimm, Michael J (HPCS-R&D))
   2. Re: Can't enable SSLv3 in 9.2.10.v20150310 (Lothar Kimmeringer)
   3. Re: Can't enable SSLv3 in 9.2.10.v20150310
      (Grimm, Michael J (HPCS-R&D))
   4. Re: Can't enable SSLv3 in 9.2.10.v20150310 (Simone Bordet)

----------------------------------------------------------------------

Message: 1
Date: Wed, 8 Apr 2015 18:06:00 +0000
From: "Grimm, Michael J (HPCS-R&D)" <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
Message-ID:
        <41551cee2042a8479e4048be0e3b7a85a2b44...@g4w3231.americas.hpqcorp.net>
        
Content-Type: text/plain; charset="us-ascii"

Hi guys,
I'm using jetty in an embedded application.
Jetty 9.2.10 has SSLv3 disabled by default.

I create an sslContextFactory and set the appropriate properties:

sslContextFactory.setIncludeProtocols("SSLv3", "TLSv1", "TLSv1.2", "TLSv1.1");

I then use the sslContextFactory in the connectionFactory:

SslContextFactory sslContextFactory = createSslContextFactory(); // set all sslContextFactory props here
HttpConfiguration https_config = new HttpConfiguration();
https_config.addCustomizer(new SecureRequestCustomizer());
SslConnectionFactory sslConnFact = new SslConnectionFactory(sslContextFactory, "http/1.1");
ServerConnector https = new ServerConnector(jetty, sslConnFact, new HttpConnectionFactory(https_config));
jetty.addConnector(https);
jetty.start();

Unfortunately, when I test the jetty server with TestSSLServer.jar (which I 
found online), the output does NOT list SSLv3!

D:\temp> java -jar TestSSLServer.jar localhost 7906
Supported versions: TLSv1.0 TLSv1.1 TLSv1.2

If I only "include" SSLv3, the JettyServer will refuse to negotiate any 
connections:
sslContextFactory.setIncludeProtocols("SSLv3");

If I only "include" TLSv1, the TestSSLServer.jar shows: (Supported versions: TLSv1.0)
sslContextFactory.setIncludeProtocols("TLSv1");


NOTE: before upgrading to 9.2.10, I used 9.2.3 (which had SSLv3 enabled).
Using the same code above, I was able to enable or disable SSLv3 by also 
setting:
sslContextFactory.setExcludeProtocols("SSLv3");

So, my question is: How do I re-enable SSLv3?

------------------------------

Message: 2
Date: Wed, 08 Apr 2015 21:07:06 +0200
From: Lothar Kimmeringer <[email protected]>
To: [email protected]
Subject: Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252

Am 08.04.2015 um 20:06 schrieb Grimm, Michael J (HPCS-R&D):

> *NOTE*: before upgrading to 9.2.10, I used *9.2.3* (which had SSLv3 enabled).
> Using the same code above, I was able to enable or disable SSLv3 by also 
> setting:
> sslContextFactory.setExcludeProtocols("SSLv3");
>  
> So, my question is: How do I re-enable SSLv3?

Since SSLv3 is inherently insecure and shouldn't be used at all, you can switch 
back to Jetty 9.2.3 to get back that particular functionality for the test 
setup you are obviously talking about.
IOW: Why do you want to use SSLv3? It's insecure and not much better than using 
no SSL at all (making it at least obvious for the other side that the data 
communication is not secure).

Cheers, Lothar

------------------------------
Message: 3
Date: Thu, 9 Apr 2015 14:11:43 +0000
From: "Grimm, Michael J (HPCS-R&D)" <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
Message-ID:
        <41551cee2042a8479e4048be0e3b7a85a2b44...@g4w3231.americas.hpqcorp.net>
        
Content-Type: text/plain; charset="us-ascii"

Unfortunately, some of our customers have older devices that don't support the 
TLS protocols. Our plan was to ship our product with SSLv3 disabled - and allow 
customers to re-enable SSLv3 if they need to.
I hope I don't have to revert to 9.2.3 because (from what I've read) it's one 
of the more buggy releases.

Thanks
Mike
------------------------------

Message: 4
Date: Thu, 9 Apr 2015 16:42:48 +0200
From: Simone Bordet <[email protected]>
To: JETTY user mailing list <[email protected]>
Subject: Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
Message-ID:
        <CAFWmRJ1rFiM02eMaXiCqG+CeVcf7Fy72rP8itcwnfCu=wnq...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Hi,

On Wed, Apr 8, 2015 at 8:06 PM, Grimm, Michael J (HPCS-R&D) <[email protected]> 
wrote:
> So, my question is: How do I re-enable SSLv3?

Excluded protocols have precedence over included protocols.
Given discovered vulnerabilities of SSLv3, we have excluded it by default.

To force it back, you can do this:

SslContextFactory ssl = new SslContextFactory();
ssl.setExcludeProtocols("SSL", "SSLv2", "SSLv2Hello");

Now you should have SSLv3 enabled back, because it's not explicitly excluded.

--
Simone Bordet
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from 
this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
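The two findings in this thread (Jetty's exclude list wins over the include list, and the JRE's jdk.tls.disabledAlgorithms can still remove SSLv3 underneath Jetty) can be checked from the JRE's side before touching any connector config. The following audit program is an added example, not code from the thread or from Jetty; effectiveProtocols() is a simplified model of the precedence Simone describes (not Jetty's own selection code), and the "default exclude" list is an assumption inferred from his workaround.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class ProtocolAudit {

    // Model of the precedence described in the thread (assumption, not Jetty's code):
    // a protocol is selected only if the JRE has it enabled, it is in the include
    // list (an empty include list means "everything"), and it is NOT excluded.
    // Exclusion always wins over inclusion.
    static Set<String> effectiveProtocols(String[] jreEnabled, String[] include, String[] exclude) {
        Set<String> inc = new LinkedHashSet<>(Arrays.asList(include));
        Set<String> exc = new LinkedHashSet<>(Arrays.asList(exclude));
        Set<String> selected = new LinkedHashSet<>();
        for (String p : jreEnabled) {
            if (!inc.isEmpty() && !inc.contains(p)) continue; // not included
            if (exc.contains(p)) continue;                     // excluded wins
            selected.add(p);
        }
        return selected;
    }

    public static void main(String[] args) throws Exception {
        // What the JRE refuses regardless of any Jetty setting: the property the
        // top message found in jre/lib/security/java.security.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String[] enabled = engine.getEnabledProtocols(); // already reflects disabledAlgorithms
        System.out.println("JRE supported: " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("JRE enabled:   " + Arrays.toString(enabled));

        String[] include = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};   // the OP's include list
        String[] defaultExclude = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3"}; // assumed 9.2.10 default
        String[] relaxedExclude = {"SSL", "SSLv2", "SSLv2Hello"};         // Simone's workaround

        // With the default exclude list SSLv3 never appears, whatever the include list says.
        System.out.println("include + default exclude -> "
                + effectiveProtocols(enabled, include, defaultExclude));
        // With the relaxed list SSLv3 appears only if the JRE itself still enables it,
        // which is exactly what the OP's follow-up message discovered.
        System.out.println("include + relaxed exclude -> "
                + effectiveProtocols(enabled, include, relaxedExclude));
    }
}
```

Run it under the same JRE the server uses: if SSLv3 is absent from the "JRE enabled" line, no Jetty include/exclude combination will bring it back, and that absence is the safe state to leave in place.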

End of jetty-users Digest, Vol 71, Issue 6
******************************************