OK. apt-get updates my JVM to the latest version, so I'm covered there. I will make sure to upgrade Jetty ASAP, then I will report back.

Any thoughts about the broken certificate chain? Web browsers seem to be fine with my current setup. It's SSL Labs that is complaining.

Thanks

On 4/21/2016 12:47 PM, Joakim Erdfelt wrote:
Instead of replacing the exclusion list, perhaps you should just add to the exclusion list.

  <Call name="addExcludeCipherSuites">
    <Arg>
      <Array type="String">
        <Item>.*_DHE_.*$</Item>
      </Array>
    </Arg>
  </Call>

Also, when it comes to SSL/TLS, you _need to_ keep your Jetty and Java installations up to date. Jetty 9.3.8 is out, and it adds more cipher exclusions to satisfy other SSL/TLS concerns (re: Chrome, SLOTH)


Joakim Erdfelt / [email protected]

On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios <[email protected]> wrote:

    Jetty 9.3.3.v20150827

    I have two problems the Qualys SSL Test is reporting with one of
    my Jetty-hosted websites and I'm not sure how to fix them.

    Both are preventing this website from getting an "A" rating. I'm
    at a "B" now.

    First: "This server supports weak Diffie-Hellman (DH) key exchange
    parameters."
    There were a half-dozen weak ciphers I was able to disable. Only
    one is still being reported active:
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

    But I am doing this:
    <?xml version="1.0"?>
    <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
      "http://www.eclipse.org/jetty/configure_9_3.dtd">

    <!-- ============================================================= -->
    <!-- SSL ContextFactory configuration                              -->
    <!-- ============================================================= -->
    <Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="KeyStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
      <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
      <Set name="TrustStorePath"><Property name="jetty.base" default="." />/path/to/keystore.jks</Set>
      <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
      <Set name="NeedClientAuth">false</Set>
      <Set name="WantClientAuth">false</Set>
      <Set name="ExcludeCipherSuites">
        <Array type="String">
          <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
          <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
          <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
          <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        </Array>
      </Set>
      <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
    </Configure>

    I specifically exclude the cipher SSL Labs is complaining about.

    The other problem: The SSL Labs test says that my certificate
    chain is incomplete. But I have the Comodo certificate for the
    website in the server's keystore, and I have all three
    intermediate certificates in the truststore.

    Any ideas?

    Thanks.




    --
    Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com | Facebook.com/LobosStudios | @LobosStudios
    Web Development - Mobile Development - Helpdesk/Tech Support - Computer Sales & Service
    Acer Authorized Reseller - Computers, Windows and Android Tablets, Accessories

    Steve Sobol - CEO, Senior Developer and Server Jockey
    [email protected]

    _______________________________________________
    jetty-users mailing list
    [email protected]
    To change your delivery options, retrieve your password, or unsubscribe from this list, visit
    https://dev.eclipse.org/mailman/listinfo/jetty-users






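Joakim's addExcludeCipherSuites pattern works because Jetty's SslContextFactory compiles every exclusion entry as a Java regex and drops a suite only when the pattern matches the whole suite name. The Python script below is added here as an illustration (it is not code from the thread or from Jetty) and mimics that matching over a constructed list of suite names, to show which DH suites the exact-name list in the original question leaves enabled and that the `.*_DHE_.*$` pattern catches them all.

```python
import re

# Constructed sample of suite names, modelled on what a Java 8 JVM of that
# era enabled by default. Illustrative only, not a real JVM's list.
SUPPORTED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# The DHE entries from the exact-name ExcludeCipherSuites list in the question.
EXACT_DHE_EXCLUDES = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

# The pattern suggested in the reply.
DHE_PATTERN = ".*_DHE_.*$"


def apply_excludes(supported, excludes):
    """Mimic how Jetty's SslContextFactory applies its exclude list: each
    entry is compiled as a regex and a suite is removed only when the
    pattern matches the *entire* name (Java Matcher.matches(), hence
    re.fullmatch here). A bare substring such as "DHE" therefore excludes
    nothing; a pattern like ".*_DHE_.*" is needed."""
    selected = list(supported)
    for entry in excludes:
        pattern = re.compile(entry)
        selected = [s for s in selected if pattern.fullmatch(s) is None]
    return selected


def remaining_dhe(supported, excludes):
    """DH key exchange suites still enabled once the exclusions have run."""
    return [s for s in apply_excludes(supported, excludes) if "_DHE_" in s]


if __name__ == "__main__":
    print("exact list leaves:", remaining_dhe(SUPPORTED_SUITES, EXACT_DHE_EXCLUDES))
    print("with pattern leaves:", remaining_dhe(SUPPORTED_SUITES, EXACT_DHE_EXCLUDES + [DHE_PATTERN]))
```

Note that a `<Set name="ExcludeCipherSuites">` replaces whatever default exclusions Jetty ships with, whereas `<Call name="addExcludeCipherSuites">` appends to them, which is the point of the reply above.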
