When you used <Set name="ExcludeCipherSuites">

You undid the existing exclusions in Jetty 9.3.3

https://github.com/eclipse/jetty.project/blob/jetty-9.3.3.v20150827/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L259

    public SslContextFactory(boolean trustAll)
    {
        setTrustAll(trustAll);
        addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
        setExcludeCipherSuites(
                "SSL_RSA_WITH_DES_CBC_SHA",
                "SSL_DHE_RSA_WITH_DES_CBC_SHA",
                "SSL_DHE_DSS_WITH_DES_CBC_SHA",
                "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
                "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
                "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
    }

If you use Jetty 9.3.8, you'll find the exclusion list is more strict ...

https://github.com/eclipse/jetty.project/blob/jetty-9.3.8.v20160314/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L252-L255

    public SslContextFactory(boolean trustAll)
    {
        setTrustAll(trustAll);
        addExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3");
        setExcludeCipherSuites(
                "^.*_RSA_.*_(MD5|SHA|SHA1)$",
                "SSL_DHE_DSS_WITH_DES_CBC_SHA",
                "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
    }


Joakim Erdfelt / [email protected]
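The point Joakim is making, worked through as an added example (my code, not Jetty's and not from either mail): a small Python model of how Jetty applies the ExcludeCipherSuites list to the suites the JVM offers, fed with the two default lists quoted above and the list from the quoted XML. It assumes, from my reading of the 9.3 source, that Jetty compiles each exclude entry as a Java regex and drops a suite on a whole-string match; the OFFERED list is a constructed sample, not any JDK's real enumeration.

```python
import re

# Jetty 9.3.3 default exclusions, as quoted in the thread.
JETTY_9_3_3_DEFAULTS = [
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
]

# Jetty 9.3.8 default exclusions, as quoted in the thread (first entry is a regex).
JETTY_9_3_8_DEFAULTS = [
    "^.*_RSA_.*_(MD5|SHA|SHA1)$",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
]

# The list installed by <Set name="ExcludeCipherSuites"> in the quoted XML.
USER_SET = JETTY_9_3_3_DEFAULTS + [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed sample of suites a JVM might enable (representative names only).
OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
]


def select_cipher_suites(offered, excludes):
    """Return the offered suites that no exclude entry matches.

    Assumption: Jetty 9.3 compiles every exclude entry with java.util.regex and
    removes a suite when Matcher.matches() (whole-string match) succeeds.  Plain
    suite names therefore behave as literal matches, and a regex must cover the
    whole name, which is why the 9.3.8 default is anchored with ^.* and $.
    """
    patterns = [re.compile(entry) for entry in excludes]
    return [s for s in offered if not any(p.fullmatch(s) for p in patterns)]


def reenabled_by_set(offered, defaults, user_set):
    """Suites the defaults would drop but a replacing <Set> lets through again.

    <Set name="ExcludeCipherSuites"> calls setExcludeCipherSuites, which
    replaces the constructor defaults instead of appending to them.
    """
    kept_by_defaults = set(select_cipher_suites(offered, defaults))
    kept_by_user = select_cipher_suites(offered, user_set)
    return [s for s in kept_by_user if s not in kept_by_defaults]


def main():
    print("9.3.8 defaults keep:", select_cipher_suites(OFFERED, JETTY_9_3_8_DEFAULTS))
    print("quoted <Set> keeps:", select_cipher_suites(OFFERED, USER_SET))
    print("re-enabled vs 9.3.3 defaults:", reenabled_by_set(OFFERED, JETTY_9_3_3_DEFAULTS, USER_SET))
    print("re-enabled vs 9.3.8 defaults:", reenabled_by_set(OFFERED, JETTY_9_3_8_DEFAULTS, USER_SET))
    # Whole-string matching: a bare substring excludes nothing, an anchored regex does.
    print("substring entry:", select_cipher_suites(["TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"], ["_3DES_"]))
    print("regex entry:", select_cipher_suites(["TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"], [".*_3DES_.*"]))


if __name__ == "__main__":
    main()
```

Against the 9.3.3 defaults the quoted `<Set>` loses nothing, because the XML repeats all seven names; against the 9.3.8 defaults it re-enables every RSA-authenticated SHA1 suite the regex would have removed. The same regex also covers the `TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA` suite the SSL Labs report flags. Using `addExcludeCipherSuites` (which Jetty 9.3 also provides) instead of `setExcludeCipherSuites` appends to the defaults rather than replacing them, and under whole-string matching an entry such as `_3DES_` excludes nothing unless written as a full-name regex.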

On Thu, Apr 21, 2016 at 10:28 AM, Steve Sobol - Lobos Studios <[email protected]> wrote:

> Jetty 9.3.3.v20150827
>
> I have two problems the Qualys SSL Test is reporting with one of my
> Jetty-hosted websites and I'm not sure how to fix them.
>
> Both are preventing this website from getting an "A" rating. I'm at a "B"
> now.
>
> First: "This server supports weak Diffie-Hellman (DH) key exchange
> parameters."
> There were a half-dozen weak ciphers I was able to disable. Only one is
> still being reported active:
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>
> But I am doing this:
> <?xml version="1.0"?>
> <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
>
> <!-- ============================================================= -->
> <!-- SSL ContextFactory configuration                              -->
> <!-- ============================================================= -->
> <Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
>   <Set name="KeyStorePath"><Property name="jetty.base" default="."/>/path/to/keystore.jks</Set>
>   <Set name="KeyStorePassword">OBF:NoneYoBizness</Set>
>   <Set name="TrustStorePath"><Property name="jetty.base" default="."/>/path/to/keystore.jks</Set>
>   <Set name="TrustStorePassword">OBF:NoneYoBizness</Set>
>   <Set name="NeedClientAuth">false</Set>
>   <Set name="WantClientAuth">false</Set>
>   <Set name="ExcludeCipherSuites">
>   <Array type="String">
>     <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
>     <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
>     <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
>     <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
>     <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>     <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
>     <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
>     <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
>     <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
>     <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
>     <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
>   </Array>
>   </Set>
>   <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
> </Configure>
>
> I specifically exclude the cipher SSL Labs is complaining about.
>
> The other problem: The SSL Labs test says that my certificate chain is
> incomplete. But I have the Comodo certificate for the website in the
> server's keystore, and I have all three intermediate certificates in the
> truststore.
>
> Any ideas?
>
> Thanks.
>
> --
> Lobos Studios | Phone: 877.919.4WEB | LobosStudios.com |
> Facebook.com/LobosStudios | @LobosStudios
> Web Development - Mobile Development - Helpdesk/Tech Support - Computer
> Sales & Service
> Acer Authorized Reseller - Computers, Windows and Android Tablets,
> Accessories
>
> Steve Sobol - CEO, Senior Developer and Server Jockey
> [email protected]
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users
>