Instead of replacing the exclusion list, perhaps you should just add to the
exclusion list.
<Call name="addExcludeCipherSuites">
  <Arg>
    <Array type="String">
      <Item>.*_DHE_.*$</Item>
    </Array>
  </Arg>
</Call>
Also, when it comes to SSL/TLS, you *need to* keep your Jetty and Java
installations up to date.
Jetty 9.3.8 is out, and it adds more cipher exclusions to satisfy other
SSL/TLS concerns (re: Chrome, SLOTH)
Joakim Erdfelt / [email protected]
On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios <
[email protected]> wrote:
> Jetty 9.3.3.v20150827
>
> I have two problems the Qualys SSL Test is reporting with one of my
> Jetty-hosted websites and I'm not sure how to fix them.
>
> Both are preventing this website from getting an "A" rating. I'm at a "B"
> now.
>
> First: "This server supports weak Diffie-Hellman (DH) key exchange
> parameters."
> There were a half-dozen weak ciphers I was able to disable. Only one is
> still being reported active:
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>
> But I am doing this:
> <?xml version="1.0"?>
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
>
> <!-- ============================================================= -->
> <!-- SSL ContextFactory configuration -->
> <!-- ============================================================= -->
> <Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
>   <Set name="KeyStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
>   <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
>   <Set name="TrustStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
>   <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
>   <Set name="NeedClientAuth">false</Set>
>   <Set name="WantClientAuth">false</Set>
>   <Set name="ExcludeCipherSuites">
>     <Array type="String">
>       <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
>       <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
>       <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
>       <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
>       <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>       <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>       <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
>       <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
>       <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
>       <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
>       <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
>     </Array>
>   </Set>
>   <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
> </Configure>
>
> I specifically exclude the cipher SSL Labs is complaining about.
>
> The other problem: The SSL Labs test says that my certificate chain is
> incomplete. But I have the Comodo certificate for the website in the
> server's keystore, and I have all three intermediate certificates in the
> truststore.
>
> Any ideas?
>
> Thanks.
>
>
>
>
> --
> Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com |
> Facebook.com/LobosStudios | @LobosStudios
> Web Development - Mobile Development - Helpdesk/Tech Support - Computer
> Sales & Service
> Acer Authorized Reseller - Computers, Windows and Android Tablets,
> Accessories
>
> Steve Sobol - CEO, Senior Developer and Server Jockey
> [email protected]
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>
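As an added illustration (not part of either message in this thread, and not Jetty's own code), the Python script below models how Jetty's SslContextFactory applies its exclude list: every entry is compiled as a regular expression that has to match the whole cipher-suite name, so an exact name such as TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and a pattern such as .*_DHE_.*$ go through the same path. It also contrasts setting ExcludeCipherSuites, which replaces Jetty's built-in default exclusions, with addExcludeCipherSuites, which appends to them. The supported-suite list is constructed sample data, and the default-exclusion list is my recollection of the Jetty 9.3 defaults, to be checked against the version actually deployed.

```python
import re

# Constructed sample of suites a JVM might offer; not taken from a real JVM.
SUPPORTED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
]

# Assumed built-in exclusions, as recalled from the Jetty 9.3
# SslContextFactory constructor. Verify against the version you run.
DEFAULT_EXCLUDES = [
    "^.*_(MD5|SHA|SHA1)$",
    "^TLS_RSA_.*$",
    "^SSL_.*$",
    "^.*_NULL_.*$",
    "^.*_anon_.*$",
]

# The explicit list from the quoted <Set name="ExcludeCipherSuites"> above.
POSTED_EXCLUDES = [
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

# The pattern suggested in the reply for addExcludeCipherSuites.
DHE_PATTERN = ".*_DHE_.*$"


def select_cipher_suites(supported, excludes):
    """Model of the exclusion pass: each exclude entry is a regex that must
    match the entire suite name (Java's Matcher.matches()), so an exact
    name is just a regex with no metacharacters. Order is preserved."""
    selected = list(supported)
    for entry in excludes:
        pattern = re.compile(entry)
        selected = [s for s in selected if pattern.fullmatch(s) is None]
    return selected


def remaining_dhe_suites(supported, excludes):
    """Suites still offered after exclusion that use finite-field DHE."""
    return [s for s in select_cipher_suites(supported, excludes) if "_DHE_" in s]


if __name__ == "__main__":
    # Set replaces the defaults: TLS_RSA_, SSL_ and anon suites come back.
    print("Set (replaces defaults):", select_cipher_suites(SUPPORTED, POSTED_EXCLUDES))
    # addExcludeCipherSuites keeps the defaults and appends.
    print("defaults + posted list :", select_cipher_suites(SUPPORTED, DEFAULT_EXCLUDES + POSTED_EXCLUDES))
    print("defaults + DHE pattern :", select_cipher_suites(SUPPORTED, DEFAULT_EXCLUDES + [DHE_PATTERN]))
    print("DHE left with defaults :", remaining_dhe_suites(SUPPORTED, DEFAULT_EXCLUDES))
```

Two things fall out of running it. Replacing the default list with an explicit one silently re-enables every family the defaults covered but the explicit list does not (the TLS_RSA_, SSL_ and anon suites in the sample), which is why appending is the safer operation. And the defaults alone still leave a DHE GCM suite enabled, so if the goal is to stop offering finite-field DHE altogether, a pattern like .*_DHE_.*$ is needed rather than a list of individual names. Which suites are offered is all this model covers; the size of the DH parameters the server uses comes from the JVM, which is the reason the reply stresses keeping Java current.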