Good catch. Thanks for updating us.

--
-jim
Jim Willeke
On Thu, Apr 9, 2015 at 12:19 PM, Grimm, Michael J (HPCS-R&D) <[email protected]> wrote:

> FYI.
> I found the problem was NOT with Jetty, but rather with the new JRE I'm
> using.
> In Java1.8_u31, SSLv3 is disabled.
> You can see this in:
> jre/lib/security/java.security - jdk.tls.disabledAlgorithms=SSLv3
>
> When I deleted that property and restarted my application, Jetty was able
> to use SSLv3.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Thursday, April 09, 2015 10:00 AM
> To: [email protected]
> Subject: jetty-users Digest, Vol 71, Issue 6
>
> Today's Topics:
>
>    1. Can't enable SSLv3 in 9.2.10.v20150310
>       (Grimm, Michael J (HPCS-R&D))
>    2. Re: Can't enable SSLv3 in 9.2.10.v20150310 (Lothar Kimmeringer)
>    3. Re: Can't enable SSLv3 in 9.2.10.v20150310
>       (Grimm, Michael J (HPCS-R&D))
>    4. Re: Can't enable SSLv3 in 9.2.10.v20150310 (Simone Bordet)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 8 Apr 2015 18:06:00 +0000
> From: "Grimm, Michael J (HPCS-R&D)" <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
> Message-ID:
>  <41551cee2042a8479e4048be0e3b7a85a2b44...@g4w3231.americas.hpqcorp.net>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi guys,
> I'm using jetty in an embedded application.
> Jetty 9.2.10 has SSLv3 disabled by default.
>
> I create an sslContextFactory and set the appropriate properties:
>
> sslContextFactory.setIncludeProtocols("SSLv3", "TLSv1", "TLSv1.2", "TLSv1.1");
>
> I then use the sslContextFactory in the connectionFactory:
>
> SslContextFactory sslContextFactory = createSslContextFactory();//set all sslContextFactory props here
> HttpConfiguration https_config = new HttpConfiguration();
> https_config.addCustomizer(new SecureRequestCustomizer());
> SslConnectionFactory sslConnFact = new SslConnectionFactory(sslContextFactory, "http/1.1");
> ServerConnector https = new ServerConnector(jetty, sslConnFact, new HttpConnectionFactory(https_config));
> jetty.addConnector(https);
> jetty.start();
>
> Unfortunately, when I test the jetty server with TestSSLServer.jar (which
> I found online), the output does NOT list SSLv3!
>
> D:\temp> java -jar TestSSLServer.jar localhost 7906
> Supported versions: TLSv1.0 TLSv1.1 TLSv1.2
>
> If I only "include" SSLv3, the JettyServer will refuse to negotiate any
> connections:
> sslContextFactory.setIncludeProtocols("SSLv3");
>
> If I only "include" TLSv1, the TestSSLServer.jar shows: (Supported
> versions: TLSv1.0)
> sslContextFactory.setIncludeProtocols("TLSv1");
>
>
> NOTE: before upgrading to 9.2.10, I used 9.2.3 (which had SSLv3 enabled).
> Using the same code above, I was able to enable or disable SSLv3 by also
> setting:
> sslContextFactory.setExcludeProtocols("SSLv3");
>
> So, my question is: How do I re-enable SSLv3?
>
> ------------------------------
>
> Message: 2
> Date: Wed, 08 Apr 2015 21:07:06 +0200
> From: Lothar Kimmeringer <[email protected]>
> To: [email protected]
> Subject: Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=windows-1252
>
> On 08.04.2015 at 20:06, Grimm, Michael J (HPCS-R&D) wrote:
>
> > *NOTE*: before upgrading to 9.2.10, I used *9.2.3* (which had SSLv3 enabled).
> > Using the same code above, I was able to enable or disable SSLv3 by also setting:
> > sslContextFactory.setExcludeProtocols("SSLv3");
> >
> > So, my question is: How do I re-enable SSLv3?
>
> Since SSLv3 is inherently insecure and shouldn't be used at all, you can
> switch back to Jetty 9.2.3 to get back that particular functionality for
> the test setup you are obviously talking about.
> IOW: Why do you want to use SSLv3? It's insecure and not much better than
> using no SSL at all (making it at least obvious for the other side that the
> data communication is not secure).
>
> Cheers, Lothar
>
> ------------------------------
>
> Message: 3
> Date: Thu, 9 Apr 2015 14:11:43 +0000
> From: "Grimm, Michael J (HPCS-R&D)" <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
> Message-ID:
>  <41551cee2042a8479e4048be0e3b7a85a2b44...@g4w3231.americas.hpqcorp.net>
> Content-Type: text/plain; charset="us-ascii"
>
> Unfortunately, some of our customers have older devices that don't support
> the TLS protocols. Our plan was to ship our product with SSLv3 disabled -
> and allow customers to re-enable SSLv3 if they need to.
> I hope I don't have to revert to 9.2.3 because (from what I've read) it's
> one of the more buggy releases.
>
> Thanks
> Mike
>
> ------------------------------
>
> Message: 4
> Date: Thu, 9 Apr 2015 16:42:48 +0200
> From: Simone Bordet <[email protected]>
> To: JETTY user mailing list <[email protected]>
> Subject: Re: [jetty-users] Can't enable SSLv3 in 9.2.10.v20150310
> Message-ID:
>  <CAFWmRJ1rFiM02eMaXiCqG+CeVcf7Fy72rP8itcwnfCu=
>  [email protected]>
> Content-Type: text/plain; charset=UTF-8
>
> Hi,
>
> On Wed, Apr 8, 2015 at 8:06 PM, Grimm, Michael J (HPCS-R&D) <[email protected]>
> wrote:
> > So, my question is: How do I re-enable SSLv3?
>
> Excluded protocols have precedence over included protocols.
> Given discovered vulnerabilities of SSLv3, we have excluded it by default.
>
> To force it back, you can do this:
>
> SslContextFactory ssl = new SslContextFactory();
> ssl.setExcludeProtocols("SSL", "SSLv2", "SSLv2Hello");
>
> Now you should have SSLv3 enabled back, because it's not explicitly
> excluded.
>
> --
> Simone Bordet
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>
> End of jetty-users Digest, Vol 71, Issue 6
> ******************************************
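
Added example (not part of the original thread, and not Jetty's or the JRE's own code): a simplified Java model of the two layers the thread identifies, Jetty's include/exclude lists and the JRE's jdk.tls.disabledAlgorithms property, usable as an audit check for whether SSLv3 can end up enabled. The class and method names, the candidate protocol list and the 9.2.10 default exclude list (inferred from Simone Bordet's reply) are assumptions.

```java
import java.security.Security;
import java.util.*;

public class Sslv3Audit {
    // Simplified model of the two layers discussed in the thread (not Jetty's code):
    // the include list narrows the candidates, the exclude list always wins, and
    // anything named in jdk.tls.disabledAlgorithms is refused by the JRE itself.
    static Set<String> effective(List<String> candidates, Set<String> include,
                                 Set<String> exclude, Set<String> jvmDisabled) {
        Set<String> out = new LinkedHashSet<>();
        for (String p : candidates) {
            boolean included = include.isEmpty() || include.contains(p);
            if (included && !exclude.contains(p) && !jvmDisabled.contains(p)) out.add(p);
        }
        return out;
    }

    // Entries are comma separated; protocol names appear as bare tokens such as "SSLv3".
    static Set<String> parseDisabled(String property) {
        Set<String> out = new LinkedHashSet<>();
        if (property == null) return out;
        for (String entry : property.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty()) out.add(e);
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> candidates = Arrays.asList("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2");
        Set<String> include = new HashSet<>(candidates);
        // Assumed 9.2.10 default excludes, inferred from Simone Bordet's reply.
        Set<String> defaultExclude = new HashSet<>(Arrays.asList("SSL", "SSLv2", "SSLv2Hello", "SSLv3"));
        Set<String> overrideExclude = new HashSet<>(Arrays.asList("SSL", "SSLv2", "SSLv2Hello"));
        Set<String> none = Collections.emptySet();
        // Constructed value matching the java.security line quoted in the thread.
        Set<String> jre = parseDisabled("SSLv3");

        System.out.println("default excludes, no JRE policy : " + effective(candidates, include, defaultExclude, none));
        System.out.println("override excludes, JRE policy   : " + effective(candidates, include, overrideExclude, jre));
        System.out.println("override excludes, no JRE policy: " + effective(candidates, include, overrideExclude, none));

        // What the JVM running this check actually enforces.
        Set<String> live = parseDisabled(Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("this JVM disables SSLv3: " + live.contains("SSLv3"));
    }
}
```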
